Exam Code: 312-50 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Ethical Hacking and Countermeasures (CEHv6)
Certification Provider: EC-Council

Q251. What is the command used to create a binary log file using tcpdump? 

A. tcpdump -r log 

B. tcpdump -w ./log 

C. tcpdump -vde -r log 

D. tcpdump -l /var/log/ 

Answer: B

Explanation: tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ] 

-w file Write the raw packets to file rather than parsing and printing them out. The result is a binary capture file, not text; it is read back later with -r file, by tcpdump itself or any other libpcap-based tool.
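To show what that binary log actually is, here is an added example in Python (not from the exam and not tcpdump's own code) that writes and reads the classic libpcap file format tcpdump -w produces: a 24-byte global header followed by a 16-byte record header per packet. The magic numbers and field layout are those of the libpcap format; the sample frames are constructed.

```python
import struct

# Added example, not from the page: minimal writer/reader for the libpcap file
# format that `tcpdump -w file` produces and `tcpdump -r file` consumes.
PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps are seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # seconds + nanoseconds (tcpdump --time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "IHHiIII"         # magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"            # ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on the wire)


def write_pcap(packets, snaplen=262144, linktype=LINKTYPE_ETHERNET):
    """packets: iterable of (ts_sec, ts_usec, raw_frame). Returns the file image as bytes.

    Like tcpdump -s, snaplen caps how much of each frame is stored; orig_len
    still records the true size so a reader can tell the frame was cut."""
    out = [struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, raw in packets:
        saved = raw[:snaplen]
        out.append(struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(saved), len(raw)))
        out.append(saved)
    return b"".join(out)


def read_pcap(data):
    """Parse a pcap file image into {"linktype", "snaplen", "packets": [(ts, frame, orig_len), ...]}.

    The writer's byte order is recovered from the magic, so files from big-endian hosts parse too."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic %r)" % data[:4])
    frac_div = 1e6 if magic == PCAP_MAGIC_USEC else 1e9
    snaplen, linktype = struct.unpack(endian + GLOBAL_HDR, data[:24])[5:]

    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + RECORD_HDR, data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % (off - 16))
        packets.append((ts_sec + ts_frac / frac_div, data[off:off + incl_len], orig_len))
        off += incl_len
    if off != len(data):
        raise ValueError("%d stray bytes after the last record" % (len(data) - off))
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets}


if __name__ == "__main__":
    # Constructed frames: a 21-byte frame at t=1.5s and a 60-byte frame at t=2s.
    image = write_pcap([(1, 500000, b"\x00" * 14 + b"payload"), (2, 0, b"\xff" * 60)])
    for ts, frame, orig_len in read_pcap(image)["packets"]:
        print("%.6f  %d/%d bytes" % (ts, len(frame), orig_len))
```

Only the packet bytes and their timestamps are stored; tcpdump re-dissects them on every -r, which is why the same capture can be re-read with different filters later.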

Q252. A TCP SYN flood abuses the three-way handshake mechanism. 

1. An attacker at system A sends a SYN packet to the victim at system B. 

2. System B replies with a SYN/ACK packet to system A. 

3. In a normal three-way handshake system A would now send an ACK packet to system B, but the attacker never does, so system B is left waiting for the ACK from system A. 

This state of the connection on system B is called _________________ 

A. "half-closed" 

B. "half open" 

C. "full-open" 

D. "xmas-open" 

Answer: B
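As an added illustration that is not part of the exam question, the following Python reconstructs the half-open state from a sequence of observed TCP flags written in tcpdump's notation ("S" SYN, "S." SYN/ACK, "." ACK, "R" RST) and counts half-open connections per source, which is what a simple SYN-flood monitor watches. Addresses, ports and the traffic sample are constructed.

```python
from collections import Counter

# Added example, not from the page. Each event is (src_ip, src_port, dst_ip, dst_port, flags)
# with flags spelled the way tcpdump prints them.


def track_handshakes(events):
    """Return {(client_ip, client_port, server_ip, server_port): state} for every
    connection seen. "SYN_RCVD" is the half-open state the question describes."""
    states = {}
    for src, sport, dst, dport, flags in events:
        if flags == "S":                       # step 1: client SYN opens a half-open entry
            states[(src, sport, dst, dport)] = "SYN_RCVD"
        elif flags == "S.":                    # step 2: server SYN/ACK; key is client-side, so swap
            states.setdefault((dst, dport, src, sport), "SYN_RCVD")
        elif flags == ".":                     # step 3: the client's ACK completes the handshake
            key = (src, sport, dst, dport)
            if states.get(key) == "SYN_RCVD":
                states[key] = "ESTABLISHED"
        elif flags == "R":                     # RST from either side tears the entry down
            states.pop((src, sport, dst, dport), None)
            states.pop((dst, dport, src, sport), None)
    return states


def half_open_by_source(states):
    """Count half-open connections per client IP."""
    return Counter(cip for (cip, _, _, _), st in states.items() if st == "SYN_RCVD")


def suspected_flooders(events, threshold=3):
    """Client IPs holding at least `threshold` half-open connections."""
    counts = half_open_by_source(track_handshakes(events))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed traffic: one legitimate client completes its handshake; one attacker
# opens five connections, gets five SYN/ACKs and never sends the final ACK.
SERVER = "203.0.113.10"
SAMPLE_EVENTS = [
    ("10.0.0.5", 40000, SERVER, 80, "S"),
    (SERVER, 80, "10.0.0.5", 40000, "S."),
    ("10.0.0.5", 40000, SERVER, 80, "."),
]
for port in range(1000, 1005):
    SAMPLE_EVENTS.append(("198.51.100.7", port, SERVER, 80, "S"))
    SAMPLE_EVENTS.append((SERVER, 80, "198.51.100.7", port, "S."))

if __name__ == "__main__":
    for key, state in track_handshakes(SAMPLE_EVENTS).items():
        print(key, state)
    print("suspected flooders:", suspected_flooders(SAMPLE_EVENTS))
```

A real flood usually spoofs its source addresses, so per-source counting only catches the crude case; the server-side defence is to stop keeping per-connection state for half-open connections at all (SYN cookies), which is exactly the state this tracker models.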

Q253. You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this? 

A. Block TCP at the firewall 

B. Block UDP at the firewall 

C. Block ICMP at the firewall 

D. There is no way to completely block tracerouting into this area 

Answer: D

Explanation: Firewall rules that stop attackers from tracerouting into the DMZ would also stop legitimate users outside the company from reaching it, and a segment nobody outside can reach is no longer a DMZ. None of the single-protocol blocks works on its own either: traceroute implementations send their probes as UDP (the Unix default), ICMP echo (Windows tracert) or TCP to a port the hosts must answer on, and the path is revealed by the ICMP Time Exceeded replies from each hop, so blocking TCP, UDP or ICMP alone only removes one variant. 

Q254. John wishes to install a new application onto his Windows 2000 server. 

He wants to ensure that any application he uses has not been Trojaned. 

What can he do to help ensure this? 

A. Compare the file's MD5 signature with the one published on the distribution media 

B. Obtain the application via SSL 

C. Compare the file's virus signature with the one published on the distribution media 

D. Obtain the application from a CD-ROM disc 

Answer: A

Explanation: MD5 was developed by Professor Ronald L. Rivest of MIT. What it does, to quote the executive summary of RFC 1321, is: 

[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA. 

In essence, MD5 is a way to verify data integrity and is far more reliable than a simple checksum such as a CRC. Note, however, that the collision-resistance conjecture quoted above no longer holds: practical MD5 collisions have been public since 2004. A published MD5 digest still catches accidental corruption and casual tampering, but current practice is to publish a SHA-256 digest, ideally in a signed checksum file, and to fetch it over a channel separate from the download itself. 
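The check John would run, as an added Python example that is not part of the exam: hash the downloaded file in chunks, parse a published md5sum/sha256sum-style checksum file, and compare with hmac.compare_digest. The file content, file name and checksum lines are constructed; the digests of the string "abc" are the standard test vectors.

```python
import hashlib
import hmac
import io

# Added example, not from the page: verify a download against a published digest.
CHUNK = 1 << 16


def digest_stream(fileobj, algo="sha256"):
    """Hash a binary stream in chunks so large installers need not fit in memory."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_bytes(data, algo="sha256"):
    return digest_stream(io.BytesIO(data), algo)


def digest_file(path, algo="sha256"):
    with open(path, "rb") as f:
        return digest_stream(f, algo)


def parse_checksum_lines(text):
    """Parse md5sum/sha256sum output: '<hex>  <name>' or '<hex> *<name>' (binary mode).
    Returns {name: hex_digest}."""
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        published[name.strip().lstrip("*")] = digest.lower()
    return published


def verify(data, published_hex, algo):
    """True only if the computed digest equals the published one (case-insensitive hex)."""
    actual = digest_bytes(data, algo)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def check_download(data, checksum_text, algo, name="setup.exe"):
    published = parse_checksum_lines(checksum_text)
    if name not in published:
        raise KeyError("no published digest for %s" % name)
    return verify(data, published[name], algo)


# Constructed "download" and constructed checksum files. md5("abc") and sha256("abc")
# are the well-known test vectors, so both checks below succeed.
DOWNLOAD = b"abc"
CHECKSUMS_MD5 = "900150983cd24fb0d6963f7d28e17f72  setup.exe\n"
CHECKSUMS_SHA256 = ("ba7816bf8f01cfea414140de5dae2223"
                    "b00361a396177a9cb410ff61f20015ad  setup.exe\n")

if __name__ == "__main__":
    print("md5 ok:   ", check_download(DOWNLOAD, CHECKSUMS_MD5, "md5"))
    print("sha256 ok:", check_download(DOWNLOAD, CHECKSUMS_SHA256, "sha256"))
    print("tampered: ", check_download(b"abd", CHECKSUMS_SHA256, "sha256"))
```

The comparison only proves the file matches what the publisher hashed; if the checksum file was fetched from the same mirror as the download, an attacker who replaced one can replace the other, which is why a signature over the checksum file matters more than the choice between MD5 and SHA-256.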

Q255. Bank of Timbukut is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web Application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a web browser. 

John Stevens is in charge of information security at Bank of Timbukut. After one month in production, several customers have complained about the Internet-enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, no money has left the bank; instead it was transferred between accounts. Given this attack profile, John Stevens reviewed the Web Application's logs and found the following entries. 

What kind of attack did the Hacker attempt to carry out at the Bank? 

A. Brute Force attack in which the Hacker attempted guessing login ID and password from password cracking tools 

B. The Hacker used a generator module to pass results to the Web Server and exploited Web Application CGI vulnerability. 

C. The Hacker first attempted logins with suspected user names, then used SQL injection to gain access to valid login IDs 

D. The Hacker attempted Session Hijacking, in which the hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason’s session. 


Answer: C

Explanation: Typing things like ' OR 1=1 -- into the login field is evidence of an attacker testing whether the login form is vulnerable to SQL injection: the quote closes the string literal, OR 1=1 makes the WHERE clause always true, and -- comments out the rest of the query, including the password check. 
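Added example, not from the exam (which shows neither the application's code nor the log entries): a Python/SQLite version of the login query such a probe targets, once built by string concatenation and once with bound parameters, plus a check over constructed log lines for the probe described above. Table layout, user names and the log format are assumptions.

```python
import re
import sqlite3

# Added example, not from the page. Users, passwords and log lines are constructed.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext passwords only to keep the demo short; a real system stores salted hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jason", "Winter2009!"), ("alice", "s3cret")])
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the attacker's quote ends the literal, OR 1=1 makes the WHERE
    clause true, and -- turns the password check into a comment."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: bound parameters are sent as values, so they can never change
    the statement's structure; the same input is now just an unknown user name."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Input patterns that indicate probing rather than a typo: a quote followed by a
# boolean tautology, a trailing SQL comment, a stacked statement, or a UNION.
SQLI_PATTERN = re.compile(
    r"'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+"      # ' or 1=1  /  ' or 'a'='a
    r"|--\s*$"                                  # admin' --
    r"|;\s*(?:drop|insert|update|delete|select)\b"
    r"|\bunion\s+(?:all\s+)?select\b",
    re.IGNORECASE,
)

# Constructed log lines in an assumed format; the real entries are not on the page.
SAMPLE_LOG = """\
2009-03-01T10:14:02 198.51.100.23 POST /login user="jason" status=401
2009-03-01T10:14:09 198.51.100.23 POST /login user="jsmith" status=401
2009-03-01T10:14:31 198.51.100.23 POST /login user="' or 1=1 --" status=200
2009-03-01T10:15:02 198.51.100.23 POST /login user="admin' --" status=200
"""


def flag_login_attempts(log_text):
    """Return the user-field values in the log that look like SQL injection probes."""
    flagged = []
    for line in log_text.splitlines():
        m = re.search(r'user="([^"]*)"', line)
        if m and SQLI_PATTERN.search(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"
    print("vulnerable login as:", login_vulnerable(db, probe, "anything"))
    print("safe login as:      ", login_safe(db, probe, "anything"))
    print("flagged probes:     ", flag_login_attempts(SAMPLE_LOG))
```

The log check is a triage aid, not a control: the fix is the parameterized query (and, for the transfer function itself, a server-side check that the authenticated user owns the source account).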

Topic 15, Hacking Wireless Networks 

Q256. What type of Virus is shown here? 

A. Macro Virus 

B. Cavity Virus 

C. Boot Sector Virus 

D. Metamorphic Virus 

E. Sparse Infector Virus 

Answer: B

Q257. In Trojan terminology, what is required to create the executable file chess.exe as shown below? 

A. Mixer 

B. Converter 

C. Wrapper 

D. Zipper 

Answer: C

Q258. An attacker finds a web page for a target organization that supplies contact information for the company. Using available details to make the message seem authentic, the attacker drafts e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator. 

The email asks the employee to log into a bogus page that requests the employee's user name and password, or to click a link that downloads spyware or other malicious software. 

Google's Gmail was hacked using this technique and attackers stole source code and sensitive data from Google servers. This was a highly sophisticated attack that combined zero-day exploits, social engineering and malicious websites, and it focused on targeted individuals working for the company. 

What is this deadly attack called? 

A. Spear phishing attack 

B. Trojan server attack 

C. Javelin attack 

D. Social networking attack 

Answer: A

Q259. In Trojan terminology, what is a covert channel? 

A. A channel that transfers information within a computer system or network in a way that violates the security policy 

B. A legitimate communication path within a computer system or network for transfer of data 

C. It is a kernel operation that hides boot processes and services to mask detection 

D. It is Reverse tunneling technique that uses HTTPS protocol instead of HTTP protocol to establish connections 

Answer: A

Q260. Study the following exploit code taken from a Linux machine and answer the questions below: 

echo "ingreslock stream tcp nowait root /bin/sh sh -i" > /tmp/x; 

/usr/sbin/inetd -s /tmp/x; 

sleep 10; 

/bin/rm -f /tmp/x AAAA…AAA 

In the above exploit code, the command "/bin/sh sh -i" is given. 

What is the purpose, and why is ‘sh’ shown twice? 

A. The command /bin/sh sh –i appearing in the exploit code is actually part of an inetd configuration file. 

B. The length of such a buffer overflow exploit makes it prohibitive for user to enter manually. The second ‘sh’ automates this function. 

C. It checks for the presence of a codeword (setting the environment variable) among the environment variables. 

D. It is a giveaway by the attacker that he is a script kiddy. 

Answer: A

Explanation: The echo command writes a one-line inetd configuration to /tmp/x, and /usr/sbin/inetd -s /tmp/x starts a second inetd instance that uses that file instead of /etc/inetd.conf. The line follows the inetd.conf field order: service name (ingreslock, which /etc/services maps to 1524/tcp), socket type, protocol, nowait, the user to run as (root), the program to execute (/bin/sh) and then the program's argument vector. In inetd.conf the arguments begin with argv[0], so "/bin/sh sh -i" means: execute /bin/sh with argv[0] = "sh" and argv[1] = "-i" (an interactive shell). The first "sh" is the path inetd execs; the second is the name the shell sees itself as. Anyone who then connects to TCP port 1524 gets a root shell with the socket as its standard input and output. After ten seconds the attacker deletes /tmp/x to remove the evidence; the already-running inetd keeps the listener open. The trailing AAAA…AAA is the padding of the buffer overflow that delivers this command string to the vulnerable service. 
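Added example, not from the exam or from any inetd implementation: a Python parser for inetd.conf lines that splits out the program path and its argument vector, and an audit that flags entries running a shell as root, which is how this backdoor turns up in an incident-response sweep of a compromised host. The sample configuration is constructed; the field order follows inetd.conf(5).

```python
# Added example, not from the page. Field order per inetd.conf(5):
#   service socket-type protocol wait/nowait user program [args...]
# where args begin with argv[0], so "/bin/sh sh -i" execs /bin/sh with argv ["sh", "-i"].

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}


def parse_inetd_line(line):
    """Return a dict for one service line, or None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 6)          # at most 7 fields; the 7th is the whole argv
    if len(parts) < 6:
        raise ValueError("malformed inetd.conf line: %r" % line)
    service, sock_type, proto, wait, user, program = parts[:6]
    return {
        "service": service,
        "socket_type": sock_type,
        "protocol": proto,
        "wait": wait.split(".")[0],       # some inetds allow nowait.<max-per-minute>
        "user": user.split(".")[0],       # and user.group
        "program": program,               # path inetd execs, or the keyword "internal"
        "argv": parts[6].split() if len(parts) == 7 else [],   # argv[0] first
    }


def is_root_shell_service(entry):
    """True when the entry runs as root and the program (or argv[0]) is a shell."""
    if entry is None or entry["program"] == "internal":
        return False
    names = {entry["program"].rsplit("/", 1)[-1]}
    if entry["argv"]:
        names.add(entry["argv"][0].rsplit("/", 1)[-1])
    return entry["user"] == "root" and bool(names & SHELLS)


def audit_inetd_conf(text):
    """List (service, program, argv) for every root-shell entry in a config image."""
    return [(e["service"], e["program"], e["argv"])
            for e in map(parse_inetd_line, text.splitlines())
            if is_root_shell_service(e)]


# Constructed config: two ordinary entries plus the line the exploit writes to /tmp/x.
SAMPLE_CONF = """\
# inetd.conf
echo    stream  tcp  nowait  root  internal
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
ingreslock stream tcp nowait root /bin/sh sh -i
"""

if __name__ == "__main__":
    for service, program, argv in audit_inetd_conf(SAMPLE_CONF):
        print("root shell service: %s -> %s argv=%s" % (service, program, argv))
```

On a live host the config file may already be gone, as in this exploit, so the audit should also cover running inetd processes and their open listening sockets, not just /etc/inetd.conf.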