May 2021 updated: Pass4sure EC-Council 312-50 exam cram 211-220

Free of 312-50 torrent materials and samples for EC-Council certification for candidates, Real Success Guaranteed with Updated 312-50 pdf dumps vce Materials. 100% PASS Ethical Hacking and Countermeasures (CEHv6) exam Today!

The article at going over is very comprehensive.

Q211. Which of the following is one of the key features found in a worm but not seen in a virus? 

A. The payload is very small, usually below 800 bytes. 

B. It is self replicating without need for user intervention. 

C. It does not have the ability to propagate on its own. 

D. All of them cannot be detected by virus scanners. 


Explanation: A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. 

Q212. What type of port scan is represented here. 

A. Stealth Scan 

B. Full Scan 

C. XMAS Scan 

D. FIN Scan 

Answer: A

Q213. A Trojan horse is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but in addition to the expected function steals information or harms the system. 

The challenge for an attacker is to send a convincing file attachment to the victim, which gets easily executed on the victim machine without raising any suspicion. Today's end users are quite knowledgeable about malwares and viruses. Instead of sending games and fun executables, Hackers today are quite successful in spreading the Trojans using Rogue security software. 

What is Rogue security software? 

A. A flash file extension to Firefox that gets automatically installed when a victim visits rogue software disabling websites 

B. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. 

C. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. 

D. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. 

E. Rogue security software is based on social engineering technique in which the attackers lures victim to visit spear phishing websites 

F. This software disables firewalls and establishes reverse connecting tunnel between the victim's machine and that of the attacker 

Answer: BCD

Q214. TCP SYN Flood attack uses the three-way handshake mechanism. 

1. An attacker at system A sends a SYN packet to victim at system B. 

2. System B sends a SYN/ACK packet to victim A. 

3. As a normal three-way handshake mechanism system A should send an ACK packet to system B, however, system A does not send an ACK packet to system B. In this case client B is waiting for an ACK packet from client A. 

This status of client B is called _________________ 

A. "half-closed" 

B. "half open" 

C. "full-open" 

D. "xmas-open" 

Answer: B

Q215. Eric notices repeated probes to port 1080. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. He wonders if his firewall has been breached. What would be your inference? 

A. Eric network has been penetrated by a firewall breach 

B. The attacker is using the ICMP protocol to have a covert channel 

C. Eric has a Wingate package providing FTP redirection on his network 

D. Somebody is using SOCKS on the network to communicate through the firewall 

Answer: D

Explanation: Port Description: SOCKS. SOCKS port, used to support outbound tcp services (FTP, HTTP, etc). Vulnerable similar to FTP Bounce, in that attacker can connect to this port and bounce out to another internal host. Done to either reach a protected internal host or mask true source of attack. Listen for connection attempts to this port -- good sign of port scans, SOCKS-probes, or bounce attacks. Also a means to access restricted resources. Example: Bouncing off a MILNET gateway SOCKS port allows attacker to access web sites, etc. that were restricted only domain hosts. 

Q216. John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame? 






Explanation: 0xFFFFFFFFFFFF is the destination MAC address of the broadcast frame. 

Q217. Bob is a Junior Administrator at ABC Company. On One of Linux machine he entered the following firewall rules: 

iptables –t filter –A INPUT -p tcp --dport 23 –j DROP 

Why he entered the above line? 

A. To accept the Telnet connection 

B. To deny the Telnet connection 

C. The accept all connection except telnet connection 

D. None of Above 

Answer: B

Explanation: -t, --table 

This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. The tables are as follows: filter This is the default table, and contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets). nat This table is consulted when a packet which is creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). mangle This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). 

-A, --append 

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination. -p, --protocol [!] protocol The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. Also a protocol name from /etc/protocols is allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted. All may not be used in in combination with the check command. --destination-port [!] [port[:port]] Destination port or port range specification. The flag --dport is an alias for this option. -j, --jump target 

This specifies the target of the rule; ie. what to do if the packet matches it. The target can be a user-defined chain (not the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented. 

Q218. What is the algorithm used by LM for Windows2000 SAM ? 

A. MD4 




Answer: B

Explanation: Okay, this is a tricky question. We say B, DES, but it could be A “MD4” depending on what their asking - Windows 2000/XP keeps users passwords not "apparently", but as hashes, i.e. actually as "check sum" of the passwords. Let's go into the passwords keeping at large. The most interesting structure of the complex SAM-file building is so called V-block. It's size is 32 bytes and it includes hashes of the password for the local entering: NT Hash of 16-byte length, and hash used during the authentication of access to the common resources of other computers LanMan Hash, or simply LM Hash, of the same 16-byte length. Algorithms of the formation of these hashes are following: NT Hash formation: LM Hash formation: 

Q219. Mark works as a contractor for the Department of Defense and is in charge of network security. He has spent the last month securing access to his network from all possible entry points. He has segmented his network into several subnets and has installed firewalls all over the network. He has placed very stringent rules on all the firewalls, blocking everything in and out except ports that must be used. He does need to have port 80 open since his company hosts a website that must be accessed from the Internet. Mark is fairly confident of his perimeter defense, but is still worried about programs like Hping2 that can get into a network through convert channels. 

How should mark protect his network from an attacker using Hping2 to scan his internal network? 

A. Blocking ICMP type 13 messages 

B. Block All Incoming traffic on port 53 

C. Block All outgoing traffic on port 53 

D. Use stateful inspection on the firewalls 

Answer: A

Explanation: An ICMP type 13 message is an ICMP timestamp request and waits for an ICMP timestamp reply. The remote node is right to do, still it would not be necessary as it is optional and thus many ip stacks ignore such packets. Nevertheless, nmap again achived to make its packets unique by setting the originating timestamp field in the packet to 0. 

Q220. Leonard is a systems administrator who has been tasked by his supervisor to slow down or lessen the amount of SPAM their company receives on a regular basis. SPAM being sent to company email addresses has become a large problem within the last year for them. Leonard starts by adding SPAM prevention software at the perimeter of the network. He then builds a black list, white list, turns on MX callbacks, and uses heuristics to stop the incoming SPAM. While these techniques help some, they do not prevent much of the SPAM from coming in. Leonard decides to use a technique where his mail server responds very slowly to outside connected mail servers by using multi-line SMTP responses. By responding slowly to SMTP connections, he hopes that SPAMMERS will see this and move on to easier and faster targets. 

What technique is Leonard trying to employ here to stop SPAM? 

A. To stop SPAM, Leonard is using the technique called Bayesian Content Filtering 

B. Leonard is trying to use the Transparent SMTP Proxy technique to stop incoming SPAM 

C. This technique that Leonard is trying is referred to as using a Sender Policy Framework to aid in SPAM prevention 

D. He is using the technique called teergrubing to delay SMTP responses and hopefully stop SPAM 

Answer: D

Explanation: Teergrubing FAQ 

What does a UBE sender really need? What does he sell? 

A certain amount of sent E-Mails per minute. This product is called Unsolicited Bulk E-Mail. 

How can anyone hit an UBE sender? 

By destroying his working tools. 


E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources. 

If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts. 

A teergrube is a modified MTA (mail transport agent) able to do this to specified senders. 

Incorrect answer: 

Sender Policy Framework (SPF) deals with allowing an organization to publish “Authorized” SMTP servers for their organization through DNS records.