Apr 2021 updated: Exambible EC-Council 312-50 braindumps 331-340

Q331. File extensions provide information regarding the underlying server technology. Attackers can use this information to search for vulnerabilities and launch attacks. How would you disable file extensions in Apache servers?

A. Use disable-eXchange 

B. Use mod_negotiation 

C. Use Stop_Files 

D. Use Lib_exchanges 

Answer: B

Q332. Lyle is a systems security analyst for Gusteffson & Sons, a large law firm in Beverly Hills. Lyle's responsibilities include network vulnerability scans, Antivirus monitoring, and IDS monitoring. Lyle receives a help desk call from a user in the Accounting department. This user reports that his computer is running very slow all day long and it sometimes gives him an error message that the hard drive is almost full. Lyle runs a scan on the computer with the company antivirus software and finds nothing. Lyle downloads another free antivirus application and scans the computer again. This time a virus is found on the computer. The infected files appear to be Microsoft Office files since they are in the same directory as that software. Lyle does some research and finds that this virus disguises itself as a genuine application on a computer to hide from antivirus software. What type of virus has Lyle found on this computer? 

A. This type of virus that Lyle has found is called a cavity virus. 

B. Lyle has discovered a camouflage virus on the computer. 

C. By using the free antivirus software, Lyle has found a tunneling virus on the computer. 

D. Lyle has found a polymorphic virus on this computer.

Answer: C

Q333. You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in closed state. 

What should be the next logical step that should be performed? 

A. Connect to open ports to discover applications. 

B. Perform a ping sweep to identify any additional systems that might be up. 

C. Perform a SYN scan on port 21 to identify any additional systems that might be up. 

D. Rescan every computer to verify the results. 

Answer: C

Explanation: As ICMP is blocked you’ll have trouble determining which computers are up and running by using a ping sweep. As all the 23 computers that you had discovered earlier had port 21 closed, probably any additional, previously unknown, systems will also have port 21 closed. By running a SYN scan on port 21 over the target network you might get replies from additional systems. 

Q334. What port scanning method involves sending spoofed packets to a target system and then looking for adjustments to the IPID on a zombie system? 

A. Blind Port Scanning 

B. Idle Scanning 

C. Bounce Scanning 

D. Stealth Scanning 

E. UDP Scanning 

Answer: B

Explanation: From NMAP: -sI <zombie host[:probeport]> Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable "IP fragmentation ID" sequence generation on the zombie host to glean information about the open ports on the target.

Q335. What file system vulnerability does the following command take advantage of? 

type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe




D. Backdoor access 

Answer: B

Explanation: ADS (or Alternate Data Streams) is a “feature” in the NTFS file system that makes it possible to hide information in alternate data streams in existing files. The file can have multiple data streams and the data streams are accessed by filename:stream. 

Q336. Network Intrusion Detection systems can monitor traffic in real time on networks. 

Which one of the following techniques can be very effective at avoiding proper detection? 

A. Fragmentation of packets. 

B. Use of only TCP based protocols. 

C. Use of only UDP based protocols. 

D. Use of fragmented ICMP traffic only. 

Answer: A

Explanation: If the default fragmentation reassembly timeout is set higher on the client than on the IDS, it is possible to send an attack in fragments that will never be reassembled in the IDS but will be reassembled and read on the client computer acting as the victim.

Q337. Under which Federal Statutes does the FBI investigate computer crimes involving e-mail scams and mail fraud?

A. 18 U.S.C 1029 Possession of Access Devices 

B. 18 U.S.C 1030 Fraud and related activity in connection with computers 

C. 18 U.S.C 1343 Fraud by wire, radio or television 

D. 18 U.S.C 1361 Injury to Government Property 

E. 18 U.S.C 1362 Government communication systems 

F. 18 U.S.C 1831 Economic Espionage Act 

G. 18 U.S.C 1832 Trade Secrets Act 

Answer: B

Explanation: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html 

Q338. A majority of attacks come from insiders, people who have direct access to a company's computer system as part of their job function or a business relationship. Who is considered an insider? 

A. The CEO of the company because he has access to all of the computer systems 

B. A government agency since they know the company computer system strengths and weaknesses 

C. Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps, and consultants 

D. A competitor to the company because they can directly benefit from the publicity generated by making such an attack 


Explanation: An insider is anyone who already has a foot inside one way or another.

Q339. Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position. 

Harold is currently trying to run a sniffer on the agency’s network to get an idea of what kind of traffic is being passed around, but the program he is using does not seem to be capturing anything. He pores over the sniffer’s manual but can’t find anything that directly relates to his problem. Harold decides to ask the network administrator if he has any thoughts on the problem. Harold is told that the sniffer was not working because the agency’s network is a switched network, which can’t be sniffed by some programs without some tweaking.

What technique could Harold use to sniff the agency’s switched network?

A. ARP spoof the default gateway 

B. Conduct MiTM against the switch 

C. Launch smurf attack against the switch 

D. Flood switch with ICMP packets 

Answer: A

Explanation: ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether (known as a denial of service attack). The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack). 

Q340. You may be able to identify the IP addresses and machine names for the firewall, and the names of internal mail servers by: 

A. Sending a mail message to a valid address on the target network, and examining the header information generated by the IMAP servers 

B. Examining the SMTP header information generated by using the –mx command parameter of DIG 

C. Examining the SMTP header information generated in response to an e-mail message sent to an invalid address 

D. Sending a mail message to an invalid address on the target network, and examining the header information generated by the POP servers 

Answer: C