312-50 Exam Questions & Answers

Author: Richard Koons

Version: 8.3

Question:1

Bill has started to notice some slowness on his network when trying to update his company's website while trying to access the website from the Internet. Bill asks the help desk manager if he has received any calls about slowness from the end users, but the help desk manager says that he has not. Bill receives a number of calls from customers that can't access the company website and can't purchase anything online. Bill logs on to a couple of his routers and notices that the logs show network traffic is at an all-time high. He also notices that almost all the traffic is originating from a specific address.

Bill decides to use Geotrace to find out where the suspect IP originates from. The Geotrace utility runs a traceroute and finds that the IP is coming from Panama. Bill knows that none of his customers are in Panama, so he immediately thinks that his company is under a Denial of Service attack. Now Bill needs to find out more about the originating IP address.

What Internet registry should Bill look in to find the IP address?

A.LACNIC

B.ARIN

C.RIPE

D.APNIC

Answer:A

Explanation:

Reference: LACNIC is the Latin American and Caribbean Internet Addresses Registry that administers IP addresses, autonomous system numbers, reverse DNS, and other network resources for that region. Note that the geolocation of a traceroute hop and the registry's whois record tell Bill which organisation holds the address block, not who is behind the flood: the source address of a DoS stream may be spoofed, and the abuse contact listed in the whois record is the right place to report it.

Question:2

System Administrators sometimes post questions to newsgroups when they run into technical challenges. As an ethical hacker, you could use the information in newsgroup postings to glean insight into the makeup of a target network. How would you search for these postings using Google search?

A.Search in Google using the key strings "the target company" and "newsgroups"

B.Search for the target company name at http://groups.google.com

C.Use NNTP websites to search for these postings

D.Search in Google using the key search strings "the target company" and "forums"

Answer:B

Explanation:

Reference: Using http://groups.google.com is the easiest way to access various newsgroups today. Before http://groups.google.com you had to use special NNTP clients or subscribe to some NNTP-to-web services.

Question:3

Which of the following activities would not be considered passive footprinting?

A.Search on financial sites such as Yahoo Finance

B.Perform multiple queries through a search engine

C.Scan the range of IP addresses found in their DNS database

D.Go through the rubbish to find out any information that might have been discarded

Answer:C

Explanation:

Reference: Passive footprinting is a method in which the attacker never makes contact with the target. Scanning the target's IP addresses can be logged at the target and therefore contact has been made.

Question:4

You are footprinting the www.xsecurity.com domain using the Google Search Engine. You would like to determine what sites link to www.xsecurity.com at the first level of relevance.

Which of the following operators in Google search will you use to achieve this?

A.Link:www.xsecurity.com

B.serch?l:www.xsecurity.com

C.level1.www.security.com

D.pagerank:www.xsecurity.com

Answer:A

Explanation:

Reference: The query [link:] will list webpages that have links to the specified webpage. For instance, [link:www.google.com] will list webpages that have links pointing to the Google homepage. Note there can be no space between the "link:" and the web page URL. Google retired the link: operator in 2017, so on the live search engine it no longer returns backlink results; today that data comes from Google Search Console (for a site you control) or from third-party backlink indexes.

Question:5

Doug is conducting a port scan of a target network. He knows that his client's target network has a web server and that there is a mail server which is also up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely causes behind this lack of response? Select 4.

A.UDP is filtered by a gateway

B.The packet TTL value is too low and cannot reach the target

C.The host might be down

D.The destination network might be down

E.The TCP window size does not match

F.ICMP is filtered by a gateway

Answer: A, B, C, F

Explanation:

Reference: If the destination host is down there is no way to get an answer, and if the TTL (Time To Live) is set too low the probe packets will "die" before reaching the host because of too many hops between the scanning computer and the target. A gateway that filters ICMP silently discards the echo requests of a ping sweep, and one that filters UDP does the same to UDP probes, so neither a reply nor an error ever comes back. The scenario states that the web and mail servers on the network are up, which rules out the whole destination network being down (D). The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection; the sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host. It is a flow-control parameter exchanged during and after the handshake and cannot stop a target from answering a probe, which is why E is not a cause.

Question:6

Exhibit

Joe Hacker runs the hping2 hacking tool to predict the target host's sequence numbers in one of the hacking sessions.

What do the first and second columns mean? Select two.

A.The first column reports the sequence number

B.The second column reports the difference between the current and last sequence number

C.The second column reports the next sequence number

D.The first column reports the difference between current and last sequence number

Answer: A, B
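The exhibit is not reproduced on this page, so the following added example (not from the original page or from hping2 itself) rebuilds the two columns hping2's --seqnum mode prints from a list of observed initial sequence numbers, and then judges whether the generator looks predictable. The ISN samples are constructed for the example, and the variance thresholds in classify_isn_generator are assumptions chosen for illustration, not hping2's own logic.

```python
import statistics

MODULUS = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def sequence_rows(isns):
    """Rebuild hping2's --seqnum (-Q) columns from a list of observed ISNs.

    Each row is (seq, incr): the sequence number the target chose for its
    SYN/ACK and the increment over the previous one, taken modulo 2**32.
    hping2 prints the first row's increment as the sequence number itself
    (there is no previous value yet), which this mirrors.
    """
    rows, prev = [], None
    for seq in isns:
        incr = seq if prev is None else (seq - prev) % MODULUS
        rows.append((seq, incr))
        prev = seq
    return rows


def classify_isn_generator(isns):
    """Coarse predictability verdict from the increments.

    Thresholds are assumptions for this example: a constant increment means
    the next ISN is computable outright, a tightly clustered increment means
    it is guessable within a small window, anything else looks randomised.
    """
    incrs = [incr for _, incr in sequence_rows(isns)[1:]]
    if len(incrs) < 2:
        raise ValueError("need at least three samples to judge increments")
    if len(set(incrs)) == 1:
        return "constant"
    if statistics.pstdev(incrs) < 2 ** 16:
        return "low-variance"
    return "random"


# Constructed samples, not captured from any real host.
CONSTANT_STEP_ISNS = [2361294848, 2361358848, 2361422848, 2361486848]  # +64000 each
LOW_VARIANCE_ISNS = [1000, 2000, 3003, 4000]                            # +1000, +1003, +997
RANDOM_ISNS = [0x1A2B3C4D, 0x9F8E7D6C, 0x12345678, 0xDEADBEEF]

if __name__ == "__main__":
    for seq, incr in sequence_rows(CONSTANT_STEP_ISNS):
        print(f"{seq} +{incr}")  # same layout hping2 uses
    for name, sample in (("constant", CONSTANT_STEP_ISNS), ("clustered", LOW_VARIANCE_ISNS), ("random", RANDOM_ISNS)):
        print(name, "->", classify_isn_generator(sample))
```

A constant or tightly clustered increment is what makes sequence-number prediction (and therefore blind TCP spoofing) feasible; a modern stack randomises the ISN per connection and the increments show no usable pattern.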

Question:7

While performing a ping sweep of a subnet you receive an ICMP reply of Type 3/Code 13 for all the pings sent out.

What is the most likely cause behind this response?

A.The firewall is dropping the packets.

B.An in-line IDS is dropping the packets.

C.A router is blocking ICMP.

D.The host does not respond to ICMP packets.

Answer: C

Explanation:

Reference: Type 3 message = Destination Unreachable [RFC792], Code 13 (cause) = Communication Administratively Prohibited [RFC1812]. Because an answer comes back at all, a device on the path is reachable and is deliberately rejecting the traffic with an access list; the source address of the ICMP message identifies that device, and since it is typically a router rather than the end host, C is the best answer. A firewall or host that simply drops ICMP would produce no reply, not an error.
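To make the distinction concrete, here is an added example (not from the original page) that builds and decodes an ICMP Destination Unreachable message: it verifies the checksum, maps the type/code to its RFC meaning, and recovers from the quoted IP header which probe the router rejected. The packet bytes and addresses are constructed for the example, not captured.

```python
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_DEST_UNREACH = 3
UNREACH_CODES = {
    0: "Network Unreachable",
    1: "Host Unreachable",
    3: "Port Unreachable",
    9: "Network Administratively Prohibited",
    10: "Host Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}


def inet_checksum(data):
    """RFC 1071 ones-complement sum; yields 0 over a packet whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (no options); header checksum left 0 since only addresses matter here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_unreachable(code, quoted_datagram):
    """ICMP Destination Unreachable quoting the IP header + first 8 bytes of the rejected probe."""
    quoted = quoted_datagram[:28]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, inet_checksum(body), 0) + quoted


def decode_icmp(pkt):
    """Parse an ICMP message; for type 3 also recover which probe triggered it."""
    if inet_checksum(pkt) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _, _ = struct.unpack("!BBHI", pkt[:8])
    info = {"type": icmp_type, "code": code}
    if icmp_type == ICMP_DEST_UNREACH:
        info["meaning"] = UNREACH_CODES.get(code, "unknown code")
        fields = struct.unpack("!BBHHHBBH4s4s", pkt[8:28])  # the quoted IPv4 header
        info["probe_proto"] = fields[6]
        info["probe_src"] = socket.inet_ntoa(fields[8])
        info["probe_dst"] = socket.inet_ntoa(fields[9])
        if fields[6] == 1:  # quoted probe was ICMP: first quoted byte after the header is its type
            info["probe_icmp_type"] = pkt[28]
    return info


def interpret_sweep_reply(reply):
    """What a ping-sweep result means: silence, an administrative rejection, or an echo reply."""
    if reply is None:
        return "no answer: host down, or a filter silently dropping the probe"
    if reply["type"] == 0:
        return "echo reply: host is up"
    if reply["type"] == ICMP_DEST_UNREACH and reply["code"] in (9, 10, 13):
        return "rejected by an ACL on a device in the path (it told you so)"
    return f"ICMP type {reply['type']} code {reply['code']}"


# Constructed packet, not a capture: a router rejects an echo request for 10.0.0.5.
PROBE = ipv4_header("198.51.100.7", "10.0.0.5", 1, 28) + struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1, 0x1)
SAMPLE_UNREACHABLE = build_unreachable(13, PROBE)

if __name__ == "__main__":
    parsed = decode_icmp(SAMPLE_UNREACHABLE)
    print(parsed)
    print(interpret_sweep_reply(parsed))
```

The quoted header is what lets a sweep tool attribute an unreachable message to the right probe when many are in flight; a sweep that only counts "replies" without reading the type and code will mis-classify an administratively prohibited answer as a live host.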

Question:8

The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. Study the log given below and answer the following question:

(Note: The objective of this question is to test whether the student has learnt about passive OS fingerprinting (which should tell them the OS from log captures): can they tell a SQL injection attack signature; can they infer if a user ID has been created by an attacker; and whether they can read plain source-destination entries from log entries.)

What can you infer from the above log?

A.The system is a Windows system which is being scanned unsuccessfully.

B.The system is a web application server compromised through SQL injection.

C.The system has been compromised and backdoored by the attacker.

D.The actual IP of the successful attacker is 24.9.255.53.

Answer:A

Question:9

Bob has been hired to perform a penetration test on ABC.com. He begins by looking at IP address ranges owned by the company and details of domain name registration. He then goes to newsgroups and financial web sites to see if they are leaking any sensitive information or have any technical details online.

Within the context of penetration testing methodology, what phase is Bob involved with?

A.Passive information gathering

B.Active information gathering

C.Attack phase

D.Vulnerability Mapping

Answer:A

Explanation:

Reference: He is gathering information, and as long as he doesn't make contact with any of the target's systems he is considered to be gathering this information in a passive mode.

Question:10

Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company?

A.To create a denial of service attack.

B.To verify information about the mail administrator and his address.

C.To gather information about internal hosts used in email treatment.

D.To gather information about procedures that are in place to deal with such messages.

Answer:C

Explanation:

Reference: The reply from the email server that states that there is no such recipient will also give you some information about the name of the email server, versions used and so on. The non-delivery report carries the Received: headers added by every hop the probe passed through, plus the diagnostic text of the server that finally rejected it, so it can reveal internal relay names, private addresses and MTA software that never appear in the organisation's public DNS.
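The following added example (not from the original page) shows what a practitioner pulls out of such a bounce: it parses a constructed non-delivery report with the standard library's email module, extracts every hostname and bracketed address from the Received: headers and the diagnostic body, flags the ones in RFC 1918 space as internal, and records the MTA software and DSN code. The bounce text, the example.com hosts and the list of MTA names in MTA_RE are all assumptions made for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed non-delivery report, not a real capture: what a probe to a
# nonexistent mailbox at a fictitious example.com might bounce back.
SAMPLE_BOUNCE = """\
Received: from mx-edge.example.com (mx-edge.example.com [203.0.113.10])
    by mailhub-int.corp.example.com (Postfix) with ESMTP id 4F1A2B3C
    for <probe@example.com>; Mon, 01 Jan 2024 10:00:00 +0000
From: MAILER-DAEMON@mailhub-int.corp.example.com (Mail Delivery System)
To: probe-sender@attacker.test
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mailhub-int.corp.example.com.

<nosuchuser@example.com>: host exch01.corp.example.com[10.1.2.15] said: 550 5.1.1
    User unknown (in reply to RCPT TO command)
"""

# hostname optionally followed by [ip]; the lookbehind skips the domain part of e-mail addresses
HOST_RE = re.compile(r"(?<![@\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)\s*(?:\[(\d{1,3}(?:\.\d{1,3}){3})\])?", re.I)
# MTA names worth recognising in Received: comments (assumed list for this example)
MTA_RE = re.compile(r"\((Postfix|Sendmail|Exim|qmail|Microsoft SMTP(?: Server)?)\b[^)]*\)", re.I)
DSN_RE = re.compile(r"\b(5\d\d \d\.\d\.\d)\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_mail_infrastructure(raw_bounce):
    """Pull hostnames, addresses, MTA software and the DSN code out of a bounce message."""
    msg = message_from_string(raw_bounce)
    received = msg.get_all("Received", [])
    body = msg.get_payload()
    hosts = {}
    for text in received + [body]:
        for name, ip in HOST_RE.findall(text):
            if not any(ch.isalpha() for ch in name):  # skip dotted numbers such as the "5.1.1" DSN code
                continue
            name = name.lower()
            hosts.setdefault(name, None)
            if ip:
                hosts[name] = ip
    internal = sorted(
        name for name, ip in hosts.items()
        if ip and any(ipaddress.ip_address(ip) in net for net in RFC1918)
    )
    software = {m.group(1) for hdr in received for m in MTA_RE.finditer(hdr)}
    dsn = DSN_RE.search(body)
    return {"hosts": hosts, "internal": internal, "mta": software, "status": dsn.group(1) if dsn else None}


if __name__ == "__main__":
    for key, value in extract_mail_infrastructure(SAMPLE_BOUNCE).items():
        print(f"{key}: {value}")
```

The private address check is done against the RFC 1918 ranges explicitly rather than with ipaddress's is_private, because that property also returns True for documentation ranges such as 203.0.113.0/24 and would mislabel the public edge relay.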

Question:11

You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in a closed state.

What should be the next logical step that should be performed?

A.Connect to open ports to discover applications.

B.Perform a ping sweep to identify any additional systems that might be up.

C.Perform a SYN scan on port 21 to identify any additional systems that might be up.

D.Rescan every computer to verify the results.

Answer:C

Explanation:

Reference: As ICMP is blocked you'll have trouble determining which computers are up and running by using a ping sweep. As all 23 computers that you discovered earlier had port 21 closed, probably any additional, previously unknown, systems will also have port 21 closed. By running a SYN scan on port 21 over the target network you might get replies from additional systems: a closed port still answers a SYN with a RST, so a RST from an address not yet on your list proves another host is alive even though it ignores ICMP.

Question:12

Ann would like to perform a reliable scan against a remote target. She is not concerned about being stealthy at this point.

Which of the following types of scans would be the most accurate and reliable option?

A.A half-scan

B.A UDP scan

C.A TCP Connect scan

D.A FIN scan

Answer:C

Explanation:

Reference: A TCP Connect scan, named after the Unix connect() system call, is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection. Otherwise an error code is returned. Because the connection is fully established, the listening application sees it and will usually log it, which is why this scan is reliable but not stealthy; it also needs no raw-socket privileges, since the kernel does the handshake.
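As an added example (not from the original page) of the three outcomes a connect() scan can distinguish, the block below scans a list of ports with plain sockets and classifies each as open (handshake completed), closed (RST, surfaced as ECONNREFUSED) or filtered (timeout). To be runnable offline it opens a real listener on a loopback port and reserves a second, unused port; the host, port numbers and timeout are assumptions for the example.

```python
import socket
import threading
from contextlib import closing


def connect_scan(host, ports, timeout=1.0):
    """Full connect() scan. Returns {port: "open" | "closed" | "filtered" | "error:<errno>"}.

    open     - connect() returned: the target completed the three-way handshake
    closed   - the target answered the SYN with RST, seen here as ECONNREFUSED
    filtered - nothing came back before the timeout: something dropped the SYN
    """
    results = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError as exc:          # e.g. EHOSTUNREACH from a local route
                results[port] = f"error:{exc.errno}"
        # leaving the `with` block close()s the socket; the target's accept()
        # has already happened, which is what makes this scan easy to log
    return results


def start_listener(host="127.0.0.1"):
    """Open a real listening port on loopback so the scan has something to find; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:                 # listener was closed
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Pick a loopback port nobody listens on: bind an ephemeral port, note it, release it."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

Against a remote target the "filtered" case is the interesting one: a SYN scan would report the same silence, but only the connect scan gives you the certainty that an "open" result was confirmed by a completed handshake rather than inferred from a single SYN/ACK.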

Example of a three-way handshake followed by a reset:

Source Destination Summary

[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 SYN SEQ=3362197786 LEN=0 WIN=5840

[192.168.0.10] [192.168.0.8] TCP: D=49389 S=80 SYN ACK=3362197787 SEQ=58695210 LEN=0 WIN=65535

[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 ACK=58695211 WIN

server

>set type =any

>ls -d

A.Enables DNS spoofing

B.Loads bogus entries into the DNS table

C.Verifies zone security

D.Performs a zone transfer

E.Resets the DNS cache

Answer:D

Explanation:

Reference: If DNS has not been properly secured, the command sequence displayed above will perform a zone transfer. In nslookup, server points the tool at the target's authoritative name server, set type=any asks for every record type, and ls -d requests a listing of the whole zone, which nslookup carries out as an AXFR over TCP port 53. A correctly configured server restricts zone transfers to its own secondaries and answers everyone else with REFUSED.

Question:48

While footprinting a network, what port/service should you look for to attempt a zone transfer?

A.53 UDP

B.53 TCP

C.25 UDP

D.25 TCP

E.161 UDP

F.22 TCP

G.60 TCP

Answer:B

Explanation:

Reference: If TCP port 53 is detected, the opportunity to attempt a zone transfer is there. Ordinary lookups use UDP port 53; AXFR is defined to run over TCP (RFC 5936) because a transfer is a stream of records rather than a single datagram, so a name server that exposes TCP 53 to the Internet is worth testing for an open zone transfer. TCP 53 being reachable is only the opportunity: the server's transfer ACL decides whether the request is served or refused.
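The two questions above describe the zone transfer from the outside; the added example below (not from the original page or any DNS tool) shows it on the wire. It builds the length-prefixed AXFR query that goes over TCP 53, parses a constructed answer from a misconfigured server (SOA, NS, MX, A records, closing SOA) and shows the REFUSED response a properly configured server returns. The example.com zone contents, the serial and the addresses are constructed; zone_transfer() is the live variant and is not exercised here.

```python
import socket
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_MX, TYPE_AXFR = 1, 2, 6, 15, 252
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS", TYPE_SOA: "SOA", TYPE_MX: "MX"}


def encode_name(name):
    """'ns1.example.com' -> length-prefixed labels terminated by the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at `off`; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_axfr_query(zone, txid=0x1234):
    """AXFR question for `zone`, with the 2-byte length prefix DNS-over-TCP requires."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, 1)
    return struct.pack("!H", len(msg)) + msg


def parse_axfr_response(frame):
    """Parse one length-prefixed DNS message; returns [(owner, type, ttl, rdata), ...]."""
    (mlen,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + mlen]
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned rcode={rcode}" + (" (REFUSED)" if rcode == 5 else ""))
    off = 12
    for _ in range(qdcount):                          # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            rdata = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == TYPE_NS:
            rdata, _ = decode_name(msg, off)
        elif rtype == TYPE_MX:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            rdata = f"{pref} {decode_name(msg, off + 2)[0]}"
        elif rtype == TYPE_SOA:
            mname, o = decode_name(msg, off)
            rname, o = decode_name(msg, o)
            rdata = f"{mname} {rname} serial={struct.unpack('!I', msg[o:o + 4])[0]}"
        else:
            rdata = msg[off:off + rdlen].hex()
        off += rdlen
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, rdata))
    if records and not (records[0][1] == "SOA" and records[-1][1] == "SOA"):
        raise ValueError("AXFR answer must start and end with the zone SOA")
    return records


def zone_transfer(server, zone, timeout=5.0):
    """Live AXFR on TCP 53 (not exercised here; large zones arrive as several messages, which this does not handle)."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        frame = s.recv(2)
        frame += s.recv(struct.unpack("!H", frame)[0], socket.MSG_WAITALL)
    return parse_axfr_response(frame)


def _rr(owner, rtype, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def sample_axfr_response(txid=0x1234):
    """Constructed answer (not a capture) from a misconfigured server that allows AXFR of example.com."""
    soa = encode_name("ns1.example.com") + encode_name("hostmaster.example.com") + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 86400)
    answers = (_rr("example.com", TYPE_SOA, 3600, soa)
               + _rr("example.com", TYPE_NS, 3600, encode_name("ns1.example.com"))
               + _rr("example.com", TYPE_MX, 3600, struct.pack("!H", 10) + encode_name("mail.example.com"))
               + _rr("mail.example.com", TYPE_A, 300, socket.inet_aton("192.0.2.25"))
               + _rr("intranet.example.com", TYPE_A, 300, socket.inet_aton("10.0.0.5"))  # internal host leaked by the transfer
               + _rr("example.com", TYPE_SOA, 3600, soa))
    msg = struct.pack("!HHHHHH", txid, 0x8400, 1, 6, 0, 0) + encode_name("example.com") + struct.pack("!HH", TYPE_AXFR, 1) + answers
    return struct.pack("!H", len(msg)) + msg


def sample_refused_response(txid=0x1234):
    """Constructed answer from a correctly configured server: RCODE 5 (REFUSED), no records."""
    msg = struct.pack("!HHHHHH", txid, 0x8405, 1, 0, 0, 0) + encode_name("example.com") + struct.pack("!HH", TYPE_AXFR, 1)
    return struct.pack("!H", len(msg)) + msg
```

The parser insists on the transfer being bracketed by SOA records, which is how a client tells a complete zone from a truncated one; on the defensive side, the REFUSED case is the outcome an auditor wants to see from every name server that is not a designated secondary.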

Question:49

Your lab partner is trying to find out more information about a competitor's web site. The site has a .com extension. She has decided to use some online whois tools and look in one of the regional Internet registries. Which one would you suggest she look in first?

A.LACNIC

B.ARIN

C.APNIC

D.RIPE

E.AfriNIC

Answer:B

Explanation:

Reference: Regional Internet registries maintain records for the areas they govern. ARIN is responsible for IP addresses in North America and parts of the Caribbean, and is therefore the registry this question expects as the starting point for a .com domain. In practice a .com suffix says nothing about where the address lives: resolve the name to an IP address first and query the registry that holds that block (LACNIC for Latin America, RIPE NCC for Europe and the Middle East, APNIC for Asia-Pacific, AfriNIC for Africa); a query to whois.iana.org returns a referral to the correct one.

Question:50

Network Administrator Patricia is doing an audit of the network. Below are some of her findings concerning DNS. Which of these would be a cause for alarm?

Select the best answer.

A. There are two external DNS servers for Internet domains. Both are AD integrated.

B. All external DNS is done by an ISP.

C. Internal AD integrated DNS servers are using private DNS names that are unregistered.

D. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server.

Answer: A

Explanation:

Reference:

A. There are two external DNS servers for Internet domains. Both are AD integrated. This is the correct answer. An AD-integrated zone is stored in Active Directory and can only be hosted by a domain controller, so an Internet-facing DNS server with AD-integrated zones is a domain controller exposed to the Internet, and its zone data includes the internal service-location (SRV) and host records the domain relies on. There is no need for this: external zones should be served by stand-alone DNS servers that hold only the public records.

B. All external DNS is done by an ISP.

This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk as it is offloaded onto the ISP.

C. Internal AD integrated DNS servers are using private DNS names that are unregistered.

This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk.

D. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server.

This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk.