Avant-garde 312-50 vce Guide

It is faster and easier to pass the EC-Council 312-50 exam by using Highest Quality EC-Council Ethical Hacking and Countermeasures (CEHv6) questions and answers. Get immediate access to the Rebirth 312-50 Exam and find the same core area 312-50 questions with professionally verified answers, then PASS your exam with a high score now.

Q231. This method is used to determine the Operating system and version running on a remote target system. What is it called? 

A. Service Degradation 

B. OS Fingerprinting 

C. Manual Target System 

D. Identification Scanning 

Answer: B


Q232. The following is an email header. What address is that of the true originator of the message?

Return-Path: <bgates@microsoft.com> 

Received: from smtp.com (fw.emumail.com [215.52.220.122])

by raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807

for <mikeg@thesolutionfirm.com>; Sat, 9 Aug 2003 18:18:50 -0500 

Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000

Received: from ([19.25.19.10])

by smtp.com with SMTP 

Received: from unknown (HELO CHRISLAPTOP) (168.150.84.123)

by localhost with SMTP; 8 Aug 2003 23:25:01 -0000 

From: "Bill Gates" <bgates@microsoft.com> 

To: "mikeg" <mikeg@thesolutionfirm.com> 

Subject: We need your help! 

Date: Fri, 8 Aug 2003 19:12:28 -0400 

Message-ID: <51.32.123.21@CHRISLAPTOP> 

MIME-Version: 1.0 

Content-Type: multipart/mixed; 

boundary="----=_NextPart_000_0052_01C35DE1.03202950" 

X-Priority: 3 (Normal)

X-MSMail-Priority: Normal 

X-Mailer: Microsoft Outlook, Build 10.0.2627 

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 

Importance: Normal 

A. 19.25.19.10 

B. 51.32.123.21 

C. 168.150.84.123 

D. 215.52.220.122 

E. 8.10.2/8.10.2 

Answer: C

Explanation: Spoofing can be easily achieved by manipulating the "from" name field; however, it is much more difficult to hide the true source address. The "received from" IP address 168.150.84.123 is the true source of the


Q233. Peter is a Linux network admin. As a knowledgeable security consultant, he turns to you to look for help on a firewall. He wants to use Linux as his firewall and use the latest freely available version that is offered. What do you recommend? 

Select the best answer. 

A. Ipchains 

B. Iptables 

C. Checkpoint FW for Linux 

D. Ipfwadm 

Answer:

Explanation:

Ipchains was improved over ipfwadm with its chaining mechanism so that it can have multiple rulesets. However, it isn't the latest version of a free Linux firewall. Iptables replaced ipchains and is the latest of the free Linux firewall tools. Any Checkpoint firewall is not going to meet Jason's desire to have a free firewall. Ipfwadm was used to build Linux firewall rules prior to 2.2.0. It is an outdated version.


Q234. Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload? 

A. Defrag 

B. Tcpfrag 

C. Tcpdump 

D. Fragroute 

Answer: D

Explanation: fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour. 


Q235. Snort is an open source Intrusion Detection system. However, it can also be used for a few other purposes as well. 

Which of the choices below indicate the other features offered by Snort? 

A. IDS, Packet Logger, Sniffer 

B. IDS, Firewall, Sniffer 

C. IDS, Sniffer, Proxy 

D. IDS, Sniffer, content inspector 

Answer: A

Explanation: Snort is a free software network intrusion detection and prevention system capable of performing packet logging and real-time traffic analysis on IP networks. Snort was written by Martin Roesch but is now owned and developed by Sourcefire.


Q236. Once an intruder has gained access to a remote system with a valid username and password, the attacker will attempt to increase his privileges by escalating the used account to one that has increased privileges, such as that of an administrator. What would be the best countermeasure to protect against escalation of privileges?

A. Give users tokens 

B. Give users the least amount of privileges

C. Give users two passwords 

D. Give users a strong policy document 

Answer:

Explanation: With fewer privileges, it is harder to increase the privileges.


Q237. Bryan notices the error on the web page and asks Liza to enter liza' or '1'='1 in the email field. They are greeted with a message "Your login information has been mailed to johndoe@gmail.com". What do you think has occurred?

A. The web application picked up a record at random 

B. The web application returned the first record it found 

C. The server error has caused the application to malfunction 

D. The web application emailed the administrator about the error 

Answer: B

Explanation: The web application sends a query to an SQL database, and because it is given the criteria 1=1, which will always be true, it returns the first value it finds.


Q238. Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Bob decided to insert 400 characters into the 200-character buffer. (Overflows the buffer). Below is the code snippet. 

How can you protect/fix the problem of your application as shown above? 

A. Because the counter starts with 0, we would stop when the counter is less than 200 

B. Because the counter starts with 0, we would stop when the counter is more than 200 

C. Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it can’t hold any more data 

D. Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it can’t hold any more data 

Answer: AC

Explanation: I=199 would be the character number 200. The stack holds exactly 200 characters so there is no need to stop before 200.


Q239. What techniques would you use to evade IDS during a Port Scan? (Select 4 answers) 

A. Use fragmented IP packets 

B. Spoof your IP address when launching attacks and sniff responses from the server 

C. Overload the IDS with Junk traffic to mask your scan 

D. Use source routing (if possible) 

E. Connect to proxy servers or compromised Trojaned machines to launch attacks 

Answer: ABDE


Q240. A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? 

Select the best answers. 

A. Use port security on his switches. 

B. Use a tool like ARPwatch to monitor for strange ARP activity. 

C. Use a firewall between all LAN segments. 

D. If you have a small network, use static ARP entries. 

E. Use only static IP addresses on all PCs.

Answer: ABD

Explanations: 

By using port security on his switches, the switches will only allow the first MAC address that is connected to the switch to use that port, thus preventing ARP spoofing. ARPWatch is a tool that monitors for strange ARP activity. This may help identify ARP spoofing when it happens. Using firewalls between all LAN segments is possible and may help, but is usually pretty unrealistic. On a very small network, static ARP entries are a possibility. However, on a large network, this is not a realistic option. ARP spoofing doesn't have anything to do with static or dynamic IP addresses. Thus, this option won't help you.