Our pass rate is high to 98.9% and the similarity percentage between our 312-50 study guide and real exam is 90% based on our seven-year educating experience. Do you want achievements in the EC-Council 312-50 exam in just one try? I am currently studying for the EC-Council 312-50 exam. Latest EC-Council 312-50 Test exam practice questions and answers, Try EC-Council 312-50 Brain Dumps First.

Q121. Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal? 

(Note: The student is being tested on concept learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dumo.) 

05/20-17:06:45.061034 -> TCP TTL:44 TOS:0x10 ID:242 ***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400 . . . 

05/20-17:06:58.685879 -> TCP TTL:44 TOS:0x10 ID:242 ***FRP** Seg: 0XA1D95 Ack: 0x53 Win: 0x400 

What is odd about this attack? (Choose the most appropriate statement) 

A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags. 

B. This is back orifice activity as the scan comes from port 31337. 

C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid. 

D. There packets were created by a tool; they were not created by a standard IP stack. 

Answer: B

Explanation: Port 31337 is normally used by Back Orifice. Note that 31337 is hackers spelling of ‘elite’, meaning ‘elite hackers’. 

Q122. What are twp types of ICMP code used when using the ping command? 

A. It uses types 0 and 8. 

B. It uses types 13 and 14. 

C. It uses types 15 and 17. 

D. The ping command does not use ICMP but uses UDP. 

Answer: A

Explanation: ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo 

Q123. Exhibit: 

You have captured some packets in Ethereal. You want to view only packets sent from What filter will you apply? 

A. ip = 

B. ip.src == 

C. ip.equals 

D. ip.address = 


Explanation: ip.src tells the filter to only show packets with as the source. 

Q124. Jim’s organization has just completed a major Linux roll out and now all of the organization’s systems are running the Linux 2.5 kernel. The roll out expenses has posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ. 

Which built-in functionality of Linux can achieve this? 

A. IP Tables 

B. IP Chains 

C. IP Sniffer 


Answer: A

Explanation: iptables is a user space application program that allows a system administrator to configure the netfilter tables, chains, and rules (described above). Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /sbin/iptables. IP Tables performs stateful inspection while the older IP Chains only performs stateless inspection. 

Q125. If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization. 

How would you prevent such type of attacks? 

A. It is impossible to block these attacks 

B. Hire the people through third-party job agencies who will vet them for you 

C. Conduct thorough background checks before you engage them 

D. Investigate their social networking profiles 

Answer: C

Q126. Charlie is an IT security consultant that owns his own business in Denver. Charlie has recently been hired by Fleishman Robotics, a mechanical engineering company also in Denver. After signing service level agreements and other contract papers, Charlie asks to look over the current company security policies. Based on these policies, Charlie compares the policies against what is actually in place to secure the company's network. From this information, Charlie is able to produce a report to give to company executives showing which areas the company is lacking in. This report then becomes the basis for all of Charlie's remaining tests. 

What type of initial analysis has Charlie performed to show the company which areas it needs improvements in? 

A. Charlie has performed a BREACH analysis; showing the company where its weak points are 

B. This analysis would be considered a vulnerability analysis 

C. This type of analysis is called GAP analysis 

D. This initial analysis performed by Charlie is called an Executive Summary 

Answer: C

Explanation: In business and economics, gap analysis is a tool that helps a company to compare its actual performance with its potential performance. 

At its core are two questions: "Where are we?" and "Where do we want to be?". 


Q127. Why do you need to capture five to ten million packets in order to crack WEP with AirSnort? 

A. All IVs are vulnerable to attack 

B. Air Snort uses a cache of packets 

C. Air Snort implements the FMS attack and only encrypted packets are counted 

D. A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers 

Answer: C

Explanation: Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin-Shamir (FMS) attack were released to the security community -- who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think. 

Q128. Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security. 

Maintaining the security of a Web server will usually involve the following steps: 

1. Configuring, protecting, and analyzing log files 

2. Backing up critical information frequently 

3. Maintaining a protected authoritative copy of the organization's Web content 

4. Establishing and following procedures for recovering from compromise 

5. Testing and applying patches in a timely manner 

6. Testing security periodically. 

In which step would you engage a forensic investigator? 

A. 1 

B. 2 

C. 3 

D. 4 

E. 5 

F. 6 

Answer: D

Q129. You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion? 

A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account 

B. Package the Sales.xls using Trojan wrappers and telnet them back your home computer 

C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques 

D. Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account 

Answer: C

Q130. #define MAKE_STR_FROM_RET(x) ((x)&0xff), (((x)&0xff00)8), 

(((x)&0xff0000)16), (((x)&0xff000000)24) 

char infin_loop[]= 

/* for testing purposes */ 


char bsdcode[] = 

/* Lam3rZ chroot() code rewritten for FreeBSD by venglin */ 













"x67x6cx69x6e";static int magic[MAX_MAGIC],magic_d[MAX_MAGIC]; 

static char *magic_str=NULL; 

int before_len=0; 

char *target=NULL, *username="user", *password=NULL; 

struct targets getit; 

The following exploit code is extracted from what kind of attack? 

A. Remote password cracking attack 

B. SQL Injection 

C. Distributed Denial of Service 

D. Cross Site Scripting 

E. Buffer Overflow 


Explanation: This is a buffer overflow with it’s payload in hex format.