Winter Special - 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: c4sdisc65

412-79 PDF

$38.5

$109.99

3 Months Free Update

  • Printable Format
  • Value of Money
  • 100% Pass Assurance
  • Verified Answers
  • Researched by Industry Experts
  • Based on Real Exams Scenarios
  • 100% Real Questions

412-79 PDF + Testing Engine

$61.6

$175.99

3 Months Free Update

  • Exam Name: EC-Council Certified Security Analyst (ECSA)
  • Last Update: Feb 14, 2025
  • Questions and Answers: 232
  • Free Real Questions Demo
  • Recommended by Industry Experts
  • Best Economical Package
  • Immediate Access

412-79 Engine

$46.2

$131.99

3 Months Free Update

  • Best Testing Engine
  • One Click installation
  • Recommended by Teachers
  • Easy to use
  • 3 Modes of Learning
  • State of Art Technology
  • 100% Real Questions included

412-79 Practice Exam Questions with Answers EC-Council Certified Security Analyst (ECSA) Certification

Question # 6

You are a computer forensics investigator working with local police department and you are called to assist in an investigation of threatening emails. The complainant has printer out 27 email messages from the suspect and gives the printouts to you. You inform her that you will need to examine her computer because you need access to the ______________ in order to track the emails back to the suspect.

A.

Routing Table

B.

Firewall log

C.

Configuration files

D.

Email Header

Full Access
Question # 7

Which response organization tracks hoaxes as well as viruses?

A.

NIPC

B.

FEDCIRC

C.

CERT

D.

CIAC

Full Access
Question # 8

With Regard to using an Antivirus scanner during a computer forensics investigation, You should:

A.

Scan the suspect hard drive before beginning an investigation

B.

Never run a scan on your forensics workstation because it could change your systems configuration

C.

Scan your forensics workstation at intervals of no more than once every five minutes during an investigation

D.

Scan your Forensics workstation before beginning an investigation

Full Access
Question # 9

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorizeD. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saveD. What should you examine next in this case?

A.

The registry

B.

Theswapfile

C.

The recycle bin

D.

The metadata

Full Access
Question # 10

You have used a newly released forensic investigation tool, which doesn?t meet the Daubert T

est, during a case. The case has ended-up in court. What argument could the defense make to weaken your case?

A.

The tool hasn?t been tested by the International Standards Organization (ISO)

B.

Only the local law enforcement should use the tool

C.

The total has not been reviewed and accepted by your peers

D.

You are not certified for using the tool

Full Access
Question # 11

What binary coding is used most often for e-mail purposes?

A.

MIME

B.

Uuencode

C.

IMAP

D.

SMTP

Full Access
Question # 12

Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?

A.

18 U.S.C. 1029

B.

18 U.S.C. 1362

C.

18 U.S.C. 2511

D.

18 U.S.C. 2703

Full Access
Question # 13

Why should you note all cable connections for a computer you want to seize as evidence?

A.

to know what outside connections existed

B.

in case other devices were connected

C.

to know what peripheral devices exist

D.

to know what hardware existed

Full Access
Question # 14

When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.

A.

A Capital X

B.

A Blank Space

C.

The Underscore Symbol

D.

The lowercase Greek Letter Sigma (s)

Full Access
Question # 15

An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet.

A.

logical

B.

anti-magnetic

C.

magnetic

D.

optical

Full Access
Question # 16

The MD5 program is used to:

A.

wipe magnetic media before recycling it

B.

make directories on a evidence disk

C.

view graphics files on an evidence drive

D.

verify that a disk is not altered when you examine it

Full Access
Question # 17

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?

A.

bench warrant

B.

wire tap

C.

subpoena

D.

search warrant

Full Access
Question # 18

You are called in to assist the police in an investigation involving a suspected drug dealer. The suspects house was searched by the police after a warrant was obtained and they located a floppy disk in the suspects bedroom. The disk contains several files, but they appear to be password protecteD. What are two common methods used by password cracking software that you can use to obtain the password?

A.

Limited force and library attack

B.

Brute Force and dictionary Attack

C.

Maximum force and thesaurus Attack

D.

Minimum force and appendix Attack

Full Access
Question # 19

While working for a prosecutor, What do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense ?

A.

Keep the information of file for later review

B.

Destroy the evidence

C.

Bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge

D.

Present the evidence to the defense attorney

Full Access
Question # 20

Study the log given below and answer the following question: Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169 Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482 Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53 Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21 Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53 Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53 Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53 Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111 Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80 Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53 Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53 Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0) Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506) Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080 Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558 Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules,

which among the following would be appropriate?

A.

Disallow UDP53 in from outside to DNS server

B.

Allow UDP53 in from DNS server to outside

C.

Disallow TCP53 in from secondaries or ISP server to DNS server

D.

Block all UDP traffic

Full Access
Question # 21

You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data. What method would be most efficient for you to acquire digital evidence from this network?

A.

create a compressed copy of the file with DoubleSpace

B.

create a sparse data copy of a folder or file

C.

make a bit-stream disk-to-image file

D.

make a bit-stream disk-to-disk file

Full Access
Question # 22

Lance wants to place a honeypot on his network. Which of the following would be your recommendations?

A.

Use a system that has a dynamic addressing on the network

B.

Use a system that is not directlyinteracing with the router

C.

Use it on a system in an external DMZ in front of the firewall

D.

It doesn?t matter as all replies are faked

Full Access
Question # 23

A (n) ____________ is one that?s performed by a computer program rather than the attacker manually performing the steps in the attack sequence.

A.

blackout attack

B.

automated attack

C.

distributed attack

D.

central processing attack

Full Access
Question # 24

What happens when a file is deleted by a Microsoft operating system using the FAT file system?

A.

only the reference to the file is removed from the FAT

B.

the file is erased and cannot be recovered

C.

a copy of the file is stored and the original file is erased

D.

the file is erased but can be recovered

Full Access
Question # 25

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?

A.

All forms should be placed in an approved secure container because they are now primary evidence in the case.

B.

The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.

C.

The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file.

D.

All forms should be placed in the report file because they are now primary evidence in the case.

Full Access
Question # 26

In the context of file deletion process, which of the following statement holds true?

A.

When files are deleted, the data is overwritten and the cluster marked as available

B.

The longer a disk is inuse, the less likely it is that deleted files will be overwritten

C.

While booting, the machine may create temporary files that can delete evidence

D.

Secure delete programs work by completely overwriting the file in one go

Full Access
Question # 27

Before you are called to testify as an expert, what must an attorney do first?

A.

engage in damage control

B.

prove that the tools you used to conduct your examination are perfect

C.

read your curriculum vitae to the jury

D.

qualify you as an expert witness

Full Access
Question # 28

Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their various activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident?

A.

The manufacturer of the system compromised

B.

The logic, formatting and elegance of the code used in the attack

C.

The nature of the attack

D.

The vulnerability exploited in the incident

Full Access
Question # 29

A state department site was recently attacked and all the servers had their disks eraseD. The incident response team sealed the area and commenced investigation. During evidence collection they came across a zip disks that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally eraseD. They decided to call in the FBI for further investigation. Meanwhile, they short listed possible suspects including three summer interns. Where did the incident team go wrong?

A.

They examined the actual evidence on an unrelated system

B.

They attempted to implicate personnel without proof

C.

They tampered with evidence by using it

D.

They called in the FBI without correlating with the fingerprint data

Full Access
Question # 30

Printing under a Windows Computer normally requires which one of the following files types to be created?

A.

EME

B.

MEM

C.

EMF

D.

CME

Full Access
Question # 31

To preserve digital evidence, an investigator should ____________________

A.

Make tow copies of each evidence item using a single imaging tool

B.

Make a single copy of each evidence item using an approved imaging tool

C.

Make two copies of each evidence item using different imaging tools

D.

Only store the original evidence item

Full Access
Question # 32

A law enforcement officer may only search for and seize criminal evidence with _____________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists and the evidence of the specific crime exists at the place to be searcheD.

A.

Mere Suspicion

B.

A preponderance of the evidence

C.

Probable cause

D.

Beyond a reasonable doubt

Full Access
Question # 33

The ____________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity.

A.

Locard Exchange Principle

B.

Clark Standard

C.

Kelly Policy

D.

Silver-Platter Doctrine

Full Access
Question # 34

____________________ is simply the application of Computer Investigation and analysis techniques in the interests of determining potential legal evidence.

A.

Network Forensics

B.

Computer Forensics

C.

Incident Response

D.

Event Reaction

Full Access
Question # 35

Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual mediA. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events?

A.

Connect the target media; prepare the system for acquisition; Secure the evidence; Copy the media

B.

Prepare the system for acquisition; Connect the target media; copy the media; Secure the evidence

C.

Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media

D.

Secure the evidence; prepare the system for acquisition; Connect the target media; copy the media

Full Access
Question # 36

Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?

A.

Globally unique ID

B.

Microsoft Virtual Machine Identifier

C.

Personal Application Protocol

D.

Individual ASCII string

Full Access
Question # 37

This organization maintains a database of hash signatures for known software:

A.

International Standards Organization

B.

Institute of Electrical and Electronics Engineers

C.

National Software Reference Library

D.

American National standards Institute

Full Access
Question # 38

You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to sensitivity of the case. How would you permanently erase the data on the hard disk?

A.

Throw the hard disk into the fire

B.

Run the powerful magnets over the hard disk

C.

Format the hard disk multiple times using a low level disk utility

D.

Overwrite the contents of the hard disk with Junk data

Full Access
Question # 39

Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

A.

Windows computers will not respond to idle scans

B.

Linux/Unix computers are constantly talking

C.

Linux/Unix computers are easier to compromise

D.

Windows computers are constantly talking

Full Access
Question # 40

Jessica works as systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?

A.

Smurf scan

B.

Tracert

C.

Ping trace

D.

ICMP ping sweep

Full Access
Question # 41

Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?

A.

Only an HTTPS session can be hijacked

B.

Only DNS traffic can be hijacked

C.

Only FTP traffic can be hijacked

D.

HTTP protocol does not maintain session

Full Access
Question # 42

Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?

A.

Perform a zone transfer

B.

Perform DNS poisoning

C.

Send DOS commands to crash the DNS servers

D.

Enumerate all the users in the domain

Full Access
Question # 43

What will the following URL produce in an unpatched IIS Web Server? 412-79 question answer

A.

Execute a buffer flow in the C: drive of the web server

B.

Insert a Trojan horse into the C: drive of the web server

C.

Directory listing of the C:\windows\system32 folder on the web server

D.

Directory listing of C: drive on the web server

Full Access
Question # 44

Click on the Exhibit Button

Paulette works for an IT security consulting company that is currently performing an audit for the firm ACE Unlimited. Paulette's duties include logging on to all the company's network equipment to ensure IOS versions are up-to-date and all the other security settings are as stringent as possible. Paulette presents the following screenshot to her boss so he can inform the client about necessary changes need to be made. From the screenshot, what changes should the client company make?

Exhibit:

412-79 question answer

A.

The banner should not state "only authorized IT personnel may proceed"

B.

Remove any identifying numbers, names, or version information

C.

The banner should include the Cisco tech support contact information as well

D.

The banner should have more detail on the version numbers for the network equipment

Full Access
Question # 45

You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years. You navigate to archive.org and view the HTML code of news.com. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal:

What have you found?

A.

Trojan.downloader

B.

Blind bug

C.

Web bug

D.

CGI code

Full Access
Question # 46

Michael works for Kimball Construction Company as senior security analyst. As part of yearly security audit, Michael scans his network for vulnerabilities. Using Nmap, Michael conducts XMAS scan and most of the ports scanned do not give a response. In what state are these ports?

A.

Filtered

B.

Stealth

C.

Closed

D.

Open

Full Access
Question # 47

Tyler is setting up a wireless network for his business that he runs out of his home. He has followed all the directions from the ISP as well as the wireless router manual. He does not have any encryption set and the SSID is being broadcast. On his laptop, he can pick up the wireless signal for short periods of time, but then the connection drops and the signal goes away. Eventually the wireless signal shows back up, but drops intermittently. What could be Tyler issue with his home wireless network?

A.

2.4 Ghz Cordless phones

B.

Satellite television

C.

CB radio

D.

Computers on his wired network

Full Access
Question # 48

Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

A.

Windows computers are constantly talking

B.

Linux/Unix computers are constantly talking

C.

Linux/Unix computers are easier to compromise

D.

Windows computers will not respond to idle scans

Full Access
Question # 49

You are a security analyst performing reconnaissance on a company you will be carrying out a penetration test for. You conduct a search for IT jobs on Dice.com and find the following information for an open position:

7+ years experience in Windows Server environment

5+ years experience in Exchange 2000/2003 environment

Experience with Cisco Pix Firewall, Linksys 1376 router, Oracle 11i and MYOB v3.4 Accounting software are required MCSA desired,

MCSE, CEH preferred

No Unix/Linux Experience needed

What is this information posted on the job website considered?

A.

Information vulnerability

B.

Social engineering exploit

C.

Trade secret

D.

Competitive exploit

Full Access
Question # 50

Why is it a good idea to perform a penetration test from the inside?

A.

It is easier to hack from the inside

B.

It is never a good idea to perform a penetration test from the inside

C.

To attack a network from a hacker's perspective

D.

Because 70% of attacks are from inside the organization

Full Access
Question # 51

Terri works for a security consulting firm that is currently performing a penetration test on First National Bank in Tokyo. Terri's duties include bypassing firewalls and switches to gain access to the network. Terri sends an IP packet to one of the company's switches with ACK bit and the source address of her machine set. What is Terri trying to accomplish by sending this IP packet?

A.

Poison the switch's MAC address table by flooding it with ACK bits

B.

Enable tunneling feature on the switch

C.

Trick the switch into thinking it already has a session with Terri's computer

D.

Crash the switch with a DoS attack since switches cannot send ACK bits

Full Access
Question # 52

What are the security risks of running a "repair" installation for Windows XP?

A.

There are no security risks when running the "repair" installation for Windows XP

B.

Pressing Shift+F1 gives the user administrative rights

C.

Pressing Ctrl+F10 gives the user administrative rights

D.

Pressing Shift+F10 gives the user administrative rights

Full Access
Question # 53

What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?

A.

ICMP header field

B.

TCP header field

C.

IP header field

D.

UDP header field

Full Access
Question # 54

How many sectors will a 125 KB file use in a FAT32 file system?

A.

32

B.

16

C.

250

D.

25

Full Access
Question # 55

Hackers can gain access to Windows Registry and manipulate user passwords, DNS settings, access rights or others features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

A.

HKEY_LOCAL_MACHINEhardwarewindowsstart

B.

HKEY_LOCAL_USERSSoftware|MicrosoftoldVersionLoad

C.

HKEY_CURRENT_USERMicrosoftDefault

D.

HKEY_LOCAL_MACHINESoftwareMicrosoftCurrentVersionRun

Full Access
Question # 56

If you discover a criminal act while investigating a corporate policy abuse, it becomes a public- sector investigation and should be referred to law enforcement?

A.

true

B.

false

Full Access
Question # 57

What will the following URL produce in an unpatched IIS Web Server? http://www.thetargetsite.com/scripts/..%co%af../..%co%af../windows/system32/cmd.exe?/c+dir+c:\

A.

Execute a buffer flow in the C: drive of the web server

B.

Insert a Trojan horse into the C: drive of the web server

C.

Directory listing of the C:\windows\system32 folder on the web server

D.

Directory listing of C: drive on the web server

Full Access
Question # 58

What is the target host IP in the following command?

412-79 question answer

A.

Firewalk does not scan target hosts

B.

172.16.28.95

C.

This command is using FIN packets, which cannot scan target hosts

D.

10.10.150.1

Full Access
Question # 59

Click on the Exhibit Button

Paulette works for an IT security consulting company that is currently performing an audit for the firm ACE Unlimited. Paulette's duties include logging on to all the company's network equipment to ensure IOS versions are up-to-date and all the other security settings are as stringent as possible. Paulette presents the following screenshot to her boss so he can inform the client about necessary changes need to be made. From the screenshot, what changes should the client company make?

Exhibit:

412-79 question answer

A.

The banner should not state "only authorized IT personnel may proceed"

B.

Remove any identifying numbers, names, or version information

C.

The banner should have more detail on the version numbers for the network equipment

D.

The banner should include the Cisco tech support contact information as well

Full Access
Question # 60

What are the security risks of running a "repair" installation for Windows XP?

A.

Pressing Shift+F10 gives the user administrative rights

B.

Pressing Ctrl+F10 gives the user administrative rights

C.

There are no security risks when running the "repair" installation for Windows XP

D.

Pressing Shift+F1 gives the user administrative rights

Full Access
Question # 61

You setup SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through Firewalls (Select 2)

A.

162

B.

160

C.

161

D.

163

Full Access
Question # 62

You are a security analyst performing a penetration tests for a company in the Midwest. After some initial reconnaissance, you discover the IP addresses of some Cisco routers used by the company. You type in the following URL that includes the IP address of one of the routers:

http://172.168.4.131/level/99/exec/show/config

After typing in this URL, you are presented with the entire configuration file for that router. What have you discovered?

A.

URL Obfuscation Arbitrary Administrative Access Vulnerability

B.

Cisco IOS Arbitrary Administrative Access Online Vulnerability

C.

HTTP Configuration Arbitrary Administrative Access Vulnerability

D.

HTML Configuration Arbitrary Administrative Access Vulnerability

Full Access
Question # 63

Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM file on a computer. Where should Harold navigate on the computer to find the file?

A.

%systemroot%\system32\drivers\etc

B.

%systemroot%\repair

C.

%systemroot%\LSA

D.

%systemroot%\system32\LSA

Full Access
Question # 64

You are running through a series of tests on your network to check for any security vulnerabilities. After normal working hours, you initiate a DoS attack against your external firewall. The firewall quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?

A.

The firewall failed-open

B.

The firewall failed-bypass

C.

The firewall failed-closed

D.

The firewall ACL has been purged

Full Access
Question # 65

You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

A.

intitle:"exchange server"

B.

outlook:"search"

C.

locate:"logon page"

D.

allinurl:"exchange/logon.asp"

Full Access
Question # 66

What will the following command produce on a website login page?What will the following command produce on a website? login page?

SELECT email, passwd, login_id, full_name

FROM members

WHERE email = 'someone@somehwere.com'; DROP TABLE members; --'

A.

This command will not produce anything since the syntax is incorrect

B.

Inserts the Error! Reference source not found. email address into the members table

C.

Retrieves the password for the first user in the members table

D.

Deletes the entire members table

Full Access
Question # 67

Software firewalls work at which layer of the OSI model?

A.

Transport

B.

Application

C.

Network

D.

Data Link

Full Access
Question # 68

You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?

A.

Poison the DNS records with false records

B.

Enumerate MX and A records from DNS

C.

Enumerate domain user accounts and built-in groups

D.

Establish a remote connection to the Domain Controller

Full Access
Question # 69

John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?

A.

Firewalk sets all packets with a TTL of zero

B.

Firewalk cannot pass through Cisco firewalls

C.

Firewalk sets all packets with a TTL of one

D.

Firewalk cannot be detected by network sniffers

Full Access