312-50 exam questions

The article at Testaimer.com going over http://www.testaimer.com/312-50-test is very comprehensive.

Q311. Sabotage, Advertising and Covering are the three stages of _____ 

A. Social engineering 

B. Reverse Social Engineering 

C. Reverse Software Engineering 

D. Rapid Development Engineering 

Answer: B

Explanation: Typical social interaction dictates that if someone gives us something then it is only right for us to return the favour. This is known as reverse social engineering, when an attacker sets up a situation where the victim encounters a problem, they ask the attacker for help and once the problem is solved the victim then feels obliged to give the information requested by the attacker. 

Q312. Frederickson Security Consultants is currently conducting a security audit on the networks of Hawthorn Enterprises, a contractor for the Department of Defense. Since Hawthorn Enterprises conducts business daily with the federal government, they must abide by very stringent security policies. Frederickson is testing all of Hawthorn's physical and logical security measures including biometrics, passwords, and permissions. The federal government requires that all users must utilize random, non-dictionary passwords that must take at least 30 days to crack. Frederickson has confirmed that all Hawthorn employees use a random password generator for their network passwords. The Frederickson consultants have saved off numerous SAM files from Hawthorn's servers using Pwdump6 and are going to try and crack the network passwords. What method of attack is best suited to crack these passwords in the shortest amount of time? 

A. Brute force attack 

B. Birthday attack 

C. Dictionary attack 

D. Brute service attack 

Answer: A

Q313. Which of the following ICMP message types are used for destinations unreachables? 

A. 0 

B. 3 

C. 11 

D. 13 

E. 17 

Answer: B

Explanation: Type 3 messages are used for unreachable messages. 0 is Echo Reply, 8 is Echo request, 11 is time exceeded, 13 is timestamp and 17 is subnet mask request. Learning these would be advisable for the test. 

Q314. Which of the following wireless technologies can be detected by NetStumbler? (Select all that apply) 

A. 802.11b 

B. 802.11e 

C. 802.11a 

D. 802.11g 

E. 802.11 

Answer: ACD

Explanation: If you check the website, cards for all three (A, B, G) are supported. See: http://www.stumbler.net/ 

Q315. Travis works primarily from home as a medical transcriptions. 

He just bought a brand new Dual Core Pentium Computer with over 3 GB of RAM. He uses voice recognition software is processor intensive, which is why he bought the new computer. Travis frequently has to get on the Internet to do research on what he is working on. After about two months of working on his new computer, he notices that it is not running nearly as fast as it used to. 

Travis uses antivirus software, anti-spyware software and always keeps the computer up-to-date with Microsoft patches. 

After another month of working on the computer, Travis computer is even more noticeable slow. Every once in awhile, Travis also notices a window or two pop-up on his screen, but they quickly disappear. He has seen these windows show up, even when he has not been on the Internet. Travis is really worried about his computer because he spent a lot of money on it and he depends on it to work. Travis scans his through Windows Explorer and check out the file system, folder by folder to see if there is anything he can find. He spends over four hours pouring over the files and folders and can’t find anything but before he gives up, he notices that his computer only has about 10 GB of free space available. Since has drive is a 200 GB hard drive, Travis thinks this is very odd. 

Travis downloads Space Monger and adds up the sizes for all the folders and files on his computer. According to his calculations, he should have around 150 GB of free space. What is mostly likely the cause of Travi’s problems? 

A. Travis’s Computer is infected with stealth kernel level rootkit 

B. Travi’s Computer is infected with Stealth Torjan Virus 

C. Travis’s Computer is infected with Self-Replication Worm that fills the hard disk space 

D. Logic Bomb’s triggered at random times creating hidden data consuming junk files 

Answer: A

Explanation: A rootkit can take full control of a system. A rootkit's only purpose is to hide files, network connections, memory addresses, or registry entries from other programs used by system administrators to detect intended or unintended special privilege accesses to the computer resources. 

Q316. A distributed port scan operates by: 

A. Blocking access to the scanning clients by the targeted host 

B. Using denial-of-service software against a range of TCP ports 

C. Blocking access to the targeted host by each of the distributed scanning clients 

D. Having multiple computers each scan a small number of ports, then correlating the results 

Answer: D

Explanation: Think of dDoS (distributed Denial of Service) where you use a large number of computers to create simultaneous traffic against a victim in order to shut them down. 

Q317. What happens when one experiences a ping of death? 

A. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the “type” field in the ICMP header is set to 18 (Address Mask Reply). 

B. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset ‘ 8) + (IP data length) >65535. In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet. 

C. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the source equal to destination address. 

D. This is when an the IP header is set to 1 (ICMP) and the “type” field in the ICMP header is set to 5 (Redirect). 

Answer: B

Explanation: A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an offest where (IP offset *8) + (IP data length)>65535. This means that when the packet is reassembled, its total length is larger than the legal limit, causing buffer overruns in the machine's OS (becouse the buffer sizes are defined only to accomodate the maximum allowed size of the packet based on RFC 791)...IDS can generally recongize such attacks by looking for packet fragments that have the IP header's protocol field set to 1 (ICMP), the last bit set, and (IP offset *8) +(IP data length)>65535" CCIE Professional Development Network Security Principles and Practices by Saadat Malik pg 414 "Ping of Death" attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting. 

Q318. What tool can crack Windows SMB passwords simply by listening to network traffic? 

Select the best answer. 

A. This is not possible 

B. Netbus 


D. L0phtcrack 



This is possible with a SMB packet capture module for L0phtcrack and a known weaknesses in the LM hash algorithm. 

Q319. What does ICMP (type 11, code 0) denote? 

A. Unknown Type 

B. Time Exceeded 

C. Source Quench 

D. Destination Unreachable 

Answer: B

Explanation: An ICMP Type 11, Code 0 means Time Exceeded [RFC792], Code 0 = Time to Live exceeded in Transit and Code 1 = Fragment Reassembly Time Exceeded. 

Q320. Which of the following Trojans would be considered 'Botnet Command Control Center'? 

A. YouKill DOOM 

B. Damen Rock 

C. Poison Ivy D. Matten Kit 

Answer: C