Ucertify offers a free demo for the 312-50 exam. "Ethical Hacking and Countermeasures (CEHv6)", also known as the 312-50 exam, is an EC-Council certification. This set of posts, Passing the EC-Council 312-50 exam, will help you answer those questions. The 312-50 Questions & Answers cover all the knowledge points of the real exam. 100% real EC-Council 312-50 exams, revised by experts!

Q321. You establish a new Web browser connection to Google. Since a 3-way handshake is required for any TCP connection, the following actions will take place. 

-DNS query is sent to the DNS server to resolve www.google.com 

-DNS server replies with the IP address for Google 

-SYN packet is sent to Google. 

-Google sends back a SYN/ACK packet 

-Your computer completes the handshake by sending an ACK 

-The connection is established and the transfer of data commences 

Which of the following packets represents completion of the 3-way handshake? 

A. 4th packet 

B. 3rd packet 

C. 6th packet 

D. 5th packet 

Answer: D

Q322. Which of the following acts in the United States specifically criminalizes the transmission of unsolicited commercial e-mail (SPAM) without an existing business relationship? 

A. 2004 CANSPAM Act 

B. 2003 SPAM Preventing Act 

C. 2005 US-SPAM 1030 Act 

D. 1990 Computer Misuse Act 

Answer: A

Explanation: The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. The law, which became effective January 1, 2004, covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site. A "transactional or relationship message" – email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act. 

Q323. What type of Virus is shown here? 

A. Cavity Virus 

B. Macro Virus 

C. Boot Sector Virus 

D. Metamorphic Virus 

E. Sparse Infector Virus 

Answer: E

Q324. 

ETHER: Destination address : 0000BA5EBA11
ETHER: Source address : 00A0C9B05EBD
ETHER: Frame Length : 1514 (0x05EA)
ETHER: Ethernet Type : 0x0800 (IP)
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 1500 (0x5DC)
IP: Identification = 7652 (0x1DE4)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = (0x0) bytes
IP: Time to Live = 127 (0x7F)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xC26D
IP: Source Address =
IP: Destination Address =
TCP: Source Port = Hypertext Transfer Protocol
TCP: Destination Port = 0x1A0B
TCP: Sequence Number = 97517760 (0x5D000C0)
TCP: Acknowledgement Number = 78544373 (0x4AE7DF5)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 28793 (0x7079)
TCP: Checksum = 0x8F27
TCP: Urgent Pointer = 0 (0x0)

An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application? 

A. Create a SYN flood 

B. Create a network tunnel 

C. Create multiple false positives 

D. Create a ping flood 

Answer: B

Explanation: Certain types of encryption present challenges to network-based intrusion detection and may leave the IDS blind to certain attacks, whereas a host-based IDS analyzes the data after it has been decrypted. 

Q325. Exhibit 

Joe Hacker runs the hping2 hacking tool to predict the target host’s sequence numbers in one of the hacking sessions. 

What do the first and second columns mean? Select two. 

A. The first column reports the sequence number 

B. The second column reports the difference between the current and last sequence number 

C. The second column reports the next sequence number 

D. The first column reports the difference between current and last sequence number 

Answer: AB

Q326. Which of the following tools would be considered a Signature Integrity Verifier (SIV)? 

A. Nmap 


C. VirusSCAN 

D. Tripwire 

Answer: D

Q327. Consider the following code: 

If an attacker can trick a victim user into clicking a link like this and the web application does not validate input, then the victim’s browser will pop up an alert showing the user’s current set of cookies. An attacker can do much more damage, including stealing passwords, resetting your home page or redirecting the user to another web site. 

What is the countermeasure against XSS scripting? 

A. Create an IP access list and restrict connections based on port number 

B. Replace “<” and “>” characters with &lt; and &gt; using server scripts 

C. Disable Javascript in IE and Firefox browsers 

D. Connect to the server using HTTPS protocol instead of HTTP 

Answer: B

Explanation: The correct answer contains a string which is an HTML-quoted version of the original script. The quoted versions of these characters will appear as literals in a browser, rather than with their special meaning as HTML tags. This prevents any script from being injected into HTML output, but it also prevents any user-supplied input from being formatted with benign HTML. 

Topic 13, Web Based Password Cracking Techniques 

Q328. WinDump is a popular sniffer which results from the porting to Windows of TcpDump for Linux. What library does it use? 

A. LibPcap 

B. WinPcap 

C. Wincap 

D. None of the above 

Answer: B

Explanation: WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture. 

Q329. You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three-way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250. 

Within what range of sequence numbers should a packet sent by the client fall in order to be accepted by the server? 

A. 200-250 

B. 121-371 

C. 120-321 

D. 121-231 

E. 120-370 


Explanation: Packet number 120 has already been received by the server and the window is 250 packets, so any packet number from 121 (next in sequence) to 371 (121+250) will be accepted. 

Q330. If you come across a sheepdip machine at your client’s site, what should you do? 

A. A sheepdip computer is used only for virus-checking. 

B. A sheepdip computer is another name for a honeypot 

C. A sheepdip coordinates several honeypots. 

D. A sheepdip computer defers a denial-of-service attack. 

Answer: A

Explanation: Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.