  • Exam Name: Ethical Hacking and Countermeasures V8
  • Last Update: Jan 13, 2025
  • Questions and Answers: 878
EC0-350 Practice Exam Questions with Answers Ethical Hacking and Countermeasures V8 Certification

Question # 6

You are performing a port scan with nmap. You are in hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results?

A.

Stealth scan

B.

Connect scan

C.

Fragmented packet scan

D.

XMAS scan

Question # 7

In the software security development life cycle process, threat modeling occurs in which phase?

A.

Design

B.

Requirements

C.

Verification

D.

Implementation

Question # 8

Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.

(Exhibit images not reproduced)

How will you defend against hardware keyloggers when using public computers and Internet Kiosks? (Select 4 answers)

A.

Alternate between typing the login credentials and typing characters somewhere else in the focus window

B.

Type a wrong password first, later type the correct password on the login page defeating the keylogger recording

C.

Type a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter.

D.

The next key typed replaces the selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". These dummies could then be selected with the mouse, and the next character from the password, "e", is typed, which replaces the dummies "asdfsd".

Question # 9

A covert channel is a channel that

A.

transfers information over, within a computer system, or network that is outside of the security policy.

B.

transfers information over, within a computer system, or network that is within the security policy.

C.

transfers information via a communication path within a computer system, or network for transfer of data.

D.

transfers information over, within a computer system, or network that is encrypted.

Question # 10

Lauren is performing a network audit for her entire company. The entire network is comprised of around 500 computers. Lauren starts an ICMP ping sweep by sending one IP packet to the broadcast address of the network, but only receives responses from around five hosts. Why did this ping sweep only produce a few responses?

A.

Only Windows systems will reply to this scan.

B.

A switched network will not respond to packets sent to the broadcast address.

C.

Only Linux and Unix-like (Non-Windows) systems will reply to this scan.

D.

Only servers will reply to this scan.

Question # 11

During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection is the firewall conducting?

A.

Host

B.

Stateful

C.

Stateless

D.

Application

Question # 12

Hayden is the network security administrator for her company, a large finance firm based in Miami. Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats, many of which she did not know of. Hayden is worried about the current security state of her company's network, so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established she sends RST packets to those hosts to stop the session. She does this to see how her intrusion detection system will log the traffic. What type of scan is Hayden attempting here?

A.

Hayden is attempting to find live hosts on her company's network by using an XMAS scan

B.

She is utilizing a SYN scan to find live hosts that are listening on her network

C.

The type of scan, she is using is called a NULL scan

D.

Hayden is using a half-open scan to find live hosts on her network

Question # 13

Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser.

John Stevens is in charge of information security at Bank of Timbuktu. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, money hasn't been removed from the bank; instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries:

(Exhibit: log entries not reproduced)

What kind of attack did the Hacker attempt to carry out at the bank?

A.

Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools.

B.

The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.

C.

The Hacker used a generator module to pass results to the Web server and exploited Web application CGI vulnerability.

D.

The Hacker first attempted logins with suspected user names, then used SQL Injection to gain access to valid bank login IDs.

Question # 14

Jason's Web server was attacked by a trojan. He runs a protocol analyzer and notices that the trojan communicates with a remote server on the Internet. Shown below is the standard "hexdump" representation of the network packet, before being decoded. Jason wants to identify the trojan by looking at the destination port number and mapping it to a trojan-port number database on the Internet. Identify the remote server's port number by decoding the packet.

A.

Port 1890 (Net-Devil Trojan)

B.

Port 1786 (Net-Devil Trojan)

C.

Port 1909 (Net-Devil Trojan)

D.

Port 6667 (Net-Devil Trojan)

Question # 15

One of your junior administrators is concerned with Windows LM hashes and password cracking. In your discussion with them, which of the following are true statements that you would point out?

Select the best answers.

A.

John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case.

B.

By using NTLMv1, you have implemented an effective countermeasure to password cracking.

C.

SYSKEY is an effective countermeasure.

D.

If a Windows LM password is 7 characters or less, the hash will be passed with the following characters, in HEX- 00112233445566778899.

E.

Enforcing Windows complex passwords is an effective countermeasure.

Question # 16

At which OSI layer does ARP poisoning occur?

(Exhibit image not reproduced)

A.

Transport Layer

B.

Datalink Layer

C.

Physical Layer

D.

Application layer

Question # 17

Which types of detection methods are employed by Network Intrusion Detection Systems (NIDS)? (Choose two.)

A.

Signature

B.

Anomaly

C.

Passive

D.

Reactive

Question # 18

Which Steganography technique uses Whitespace to hide secret messages?

A.

snow

B.

beetle

C.

magnet

D.

cat

Question # 19

Web servers are often the most targeted and attacked hosts on organizations' networks. Attackers may exploit software bugs in the Web server, underlying operating system, or active content to gain unauthorized access.

(Exhibit image not reproduced)

Identify the correct statement related to the above Web Server installation.

A.

Lack of proper security policy, procedures and maintenance

B.

Bugs in server software, OS and web applications

C.

Installing the server with default settings

D.

Unpatched security flaws in the server software, OS and applications

Question # 20

Which type of password cracking technique works like dictionary attack but adds some numbers and symbols to the words from the dictionary and tries to crack the password?

A.

Dictionary attack

B.

Brute forcing attack

C.

Hybrid attack

D.

Syllable attack

E.

Rule-based attack

Question # 21

Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method?

A.

It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained.

B.

If a user forgets the password, it can be easily retrieved using the hash key stored by administrators.

C.

Hashing is faster compared to more traditional encryption algorithms.

D.

Passwords stored using hashes are non-reversible, making finding the password much more difficult.

Question # 22

After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client. This sequence number is predictable; the attacker connects to a service first with its own IP address, records the sequence number chosen, and then opens a second connection from a forged IP address. The attacker doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct responses. If the source IP address is used for authentication, then the attacker can use the one-sided communication to break into the server. What attacks can you successfully launch against a server using the above technique?

A.

Denial of Service attacks

B.

Session Hijacking attacks

C.

Web page defacement attacks

D.

IP spoofing attacks

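The blind handshake described in this question can be walked through without sending a packet. The Python below is an added example, not part of the original question bank: it simulates a server whose initial sequence number (ISN) increases by a fixed amount per connection, the way early BSD stacks did, and shows that an attacker who has seen one SYN-ACK can complete a forged handshake from a trusted address without ever seeing the reply. The addresses, the 64000 increment and the "trusted IP" check are constructed for the example; the same attack against a server with random ISNs fails.

```python
import random


class TcpServerSim:
    """Stand-in for a server's SYN / SYN-ACK / ACK handling (simulation only).

    Only the pieces relevant to sequence-number prediction are modelled: the
    server picks an ISN per connection and accepts the handshake when the
    client's ACK equals ISN + 1. Trusting the source address on top of that is
    the weakness the question describes.
    """

    def __init__(self, predictable: bool, seed: int = 1234):
        self.predictable = predictable
        self._rng = random.Random(seed)      # seeded so the demo is reproducible
        self._last_isn = 0x1000_0000
        self._pending = {}                   # (client_ip, client_port) -> server ISN
        self.trusted_ips = {"10.0.0.5"}      # constructed address-based "authentication"
        self.established = []

    def _next_isn(self) -> int:
        if self.predictable:
            # Fixed increment per connection attempt: the predictable behaviour.
            self._last_isn = (self._last_isn + 64_000) & 0xFFFF_FFFF
        else:
            self._last_isn = self._rng.getrandbits(32)
        return self._last_isn

    def recv_syn(self, src_ip: str, src_port: int) -> int:
        """Return the SYN-ACK sequence number. It is sent to src_ip, whoever really sent the SYN."""
        isn = self._next_isn()
        self._pending[(src_ip, src_port)] = isn
        return isn

    def recv_ack(self, src_ip: str, src_port: int, ack: int) -> bool:
        """Complete the handshake; True means a session was opened for a trusted source."""
        isn = self._pending.pop((src_ip, src_port), None)
        if isn is None or ack != (isn + 1) & 0xFFFF_FFFF:
            return False
        self.established.append(src_ip)
        return src_ip in self.trusted_ips


def spoofed_connection(server: TcpServerSim, attacker_ip="198.51.100.7", victim_ip="10.0.0.5") -> bool:
    """The blind attack from the question: learn the ISN on a real connection, then forge one."""
    # 1. Legitimate probe: the SYN-ACK comes back to the attacker and reveals the current ISN.
    observed = server.recv_syn(attacker_ip, 40000)
    server.recv_ack(attacker_ip, 40000, (observed + 1) & 0xFFFF_FFFF)
    # 2. Forged SYN with the trusted address; the SYN-ACK goes to the victim, not to the attacker.
    server.recv_syn(victim_ip, 40001)
    # 3. Guess what that unseen SYN-ACK carried and complete the handshake blind.
    guessed_isn = (observed + 64_000) & 0xFFFF_FFFF
    return server.recv_ack(victim_ip, 40001, (guessed_isn + 1) & 0xFFFF_FFFF)


if __name__ == "__main__":
    print("predictable ISN ->", spoofed_connection(TcpServerSim(predictable=True)))
    print("random ISN      ->", spoofed_connection(TcpServerSim(predictable=False)))
```

The attacker never needs a reply from the server, which is why the question calls it one-sided; in a real attack the genuine host at the trusted address would also have to be silenced (or be offline) so its own RST does not tear the forged session down.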
Question # 23

You have the SOA presented below in your zone. Your secondary servers have not been able to contact your primary server to synchronize information. How long will the secondary servers attempt to contact the primary server before they consider the zone dead and stop responding to queries?

collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)

A.

One day

B.

One hour

C.

One week

D.

One month

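The answer hides in the fourth number of the SOA record. The Python below is an added example, not part of the original question bank: it pulls the five timer fields out of the record exactly as printed above (the owner and mailbox names in that line are garbled in the dump, so only the parenthesised numbers are used), turns the expire value into a human-readable duration, and applies the sanity checks RFC 1912 recommends for these timers.

```python
import re

# The SOA line from the question, as printed there.
SOA_FROM_QUESTION = "collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)"

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa_timers(record: str) -> dict:
    """Extract the five numeric SOA fields in their RFC 1035 order."""
    m = re.search(r"\(\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\)", record)
    if m is None:
        raise ValueError("no '(serial refresh retry expire minimum)' group found")
    return dict(zip(SOA_FIELDS, map(int, m.groups())))


def humanize(seconds: int) -> str:
    """Render a second count as weeks/days/hours/minutes/seconds."""
    units = (("week", 604800), ("day", 86400), ("hour", 3600), ("minute", 60), ("second", 1))
    parts = []
    for name, size in units:
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count} {name}" + ("s" if count != 1 else ""))
    return " ".join(parts) or "0 seconds"


def secondary_timeline(soa: dict) -> dict:
    """What a secondary does once the primary stops answering (RFC 1035 semantics)."""
    return {
        "refresh_every": humanize(soa["refresh"]),
        "retry_every_after_failure": humanize(soa["retry"]),
        "retry_attempts_before_expire": soa["expire"] // soa["retry"],
        "stops_serving_after": humanize(soa["expire"]),
    }


def soa_sanity_warnings(soa: dict) -> list:
    """Checks drawn from the RFC 1912 section 2.2 recommendations."""
    warnings = []
    if soa["retry"] >= soa["refresh"]:
        warnings.append(f"retry ({soa['retry']}) should be smaller than refresh ({soa['refresh']})")
    if soa["expire"] < 14 * 86400:
        warnings.append(f"expire ({humanize(soa['expire'])}) is below the 2-4 weeks RFC 1912 suggests")
    if soa["expire"] <= soa["refresh"]:
        warnings.append("expire must exceed refresh or the zone can expire within one refresh cycle")
    return warnings


if __name__ == "__main__":
    soa = parse_soa_timers(SOA_FROM_QUESTION)
    print(soa)
    print(secondary_timeline(soa))
    for w in soa_sanity_warnings(soa):
        print("warning:", w)
```

For the record in the question the secondary keeps serving for one week (168 retries one hour apart) and then goes dark, which is the availability risk of a short expire: an outage of the primary longer than that takes the zone off the Internet, not just out of date.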
Question # 24

John wishes to install a new application onto his Windows 2000 server.

He wants to ensure that any application he uses has not been Trojaned.

What can he do to help ensure this?

A.

Compare the file's MD5 signature with the one published on the distribution media

B.

Obtain the application via SSL

C.

Compare the file's virus signature with the one published on the distribution media

D.

Obtain the application from a CD-ROM disc

Question # 25

Which of the following tools are used for enumeration? (Choose three.)

A.

SolarWinds

B.

USER2SID

C.

Cheops

D.

SID2USER

E.

DumpSec

Question # 26

An attacker has successfully compromised a remote computer. Which of the following comes as one of the last steps that should be taken to ensure that the compromise cannot be traced back to the source of the problem?

A.

Install patches

B.

Setup a backdoor

C.

Install a zombie for DDOS

D.

Cover your tracks

Question # 27

Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service?

A.

Port scanning

B.

Banner grabbing

C.

Injecting arbitrary data

D.

Analyzing service response

Question # 28

Which of the following resources does NMAP need to be used as a basic vulnerability scanner covering several vectors like SMB, HTTP and FTP?

A.

Metasploit scripting engine

B.

Nessus scripting engine

C.

NMAP scripting engine

D.

SAINT scripting engine

Question # 29

Your lab partner is trying to find out more information about a competitor's website. The site has a .com extension. She has decided to use some online whois tools and look in one of the regional Internet registries. Which one would you suggest she looks in first?

A.

LACNIC

B.

ARIN

C.

APNIC

D.

RIPE

E.

AfriNIC

Question # 30

Which of the following command line switch would you use for OS detection in Nmap?

A.

-D

B.

-O

C.

-P

D.

-X

Question # 31

Botnets are networks of compromised computers that are controlled remotely and surreptitiously by one or more cyber criminals. How do cyber criminals infect a victim's computer with bots? (Select 4 answers)

A.

Attackers physically visit every victim's computer to infect them with malicious software

B.

Home computers that have security vulnerabilities are prime targets for botnets

C.

Spammers scan the Internet looking for computers that are unprotected and use these "open-doors" to install malicious software

D.

Attackers use phishing or spam emails that contain links or attachments

E.

Attackers use websites to host the bots utilizing Web Browser vulnerabilities

Question # 32

While reviewing the results of a scan run against a target network you come across the following:

(Exhibit: scan output not reproduced)

Which among the following can be used to get this output?

A.

A Bo2k system query.

B.

nmap protocol scan

C.

A sniffer

D.

An SNMP walk

Question # 33

A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:

Untrust (Internet) – (Remote network = 217.77.88.0/24)

DMZ (DMZ) – (11.12.13.0/24)

Trust (Intranet) – (192.168.0.0/24)

The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?

A.

Permit  217.77.88.0/24  11.12.13.0/24 RDP 3389

B.

Permit  217.77.88.12    11.12.13.50     RDP 3389

C.

Permit  217.77.88.12    11.12.13.0/24 RDP 3389

D.

Permit  217.77.88.0/24  11.12.13.50     RDP 3389

Question # 34

Which Open Web Application Security Project (OWASP) project implements a web application full of known vulnerabilities?

A.

WebBugs

B.

WebGoat

C.

VULN_HTML

D.

WebScarab

Question # 35

How can rainbow tables be defeated?

A.

Password salting

B.

Use of non-dictionary words

C.

All uppercase character passwords

D.

Lockout accounts under brute force password cracking attempts

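Why salting works against precomputed tables is easier to see with a hash table than with a description. The Python below is an added example, not part of the original question bank: it builds a tiny hash-to-plaintext table from a constructed wordlist (a rainbow table is a space-optimised version of the same idea), shows that unsalted SHA-256 password hashes fall to it immediately, and that per-user random salts defeat the table entirely because the table would have to be rebuilt for every salt value. The salted scheme uses PBKDF2 from the standard library so the example also shows the slow-hash half of current practice.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary a rainbow table is built from.
WORDLIST = ["password", "secret", "letmein", "qwerty", "123456", "Timbuktu1"]


def build_precomputed_table(words, algo="sha256") -> dict:
    """hash -> plaintext for every word; the attacker computes this once, offline."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def crack_with_table(table: dict, stored_hash: str):
    """A table lookup is all it takes against an unsalted hash."""
    return table.get(stored_hash)


def hash_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Random salt plus a slow KDF; the salt is stored in the clear next to the result."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def table_hits(table: dict, hashes) -> int:
    """How many stored hashes one precomputed table recovers."""
    return sum(1 for h in hashes if crack_with_table(table, h) is not None)


def demo() -> dict:
    table = build_precomputed_table(WORDLIST)
    unsalted = [hash_unsalted("secret"), hash_unsalted("qwerty")]
    # Two users with the same password get different salted hashes, and neither is in the table.
    salted = [hash_salted("secret", os.urandom(16)), hash_salted("secret", os.urandom(16))]
    return {
        "unsalted_cracked": table_hits(table, unsalted),
        "salted_cracked": table_hits(table, [s.split("$")[-1] for s in salted]),
        "salted_hashes_differ": salted[0] != salted[1],
        "verify_ok": verify_salted("secret", salted[0]),
        "verify_wrong_case": verify_salted("Secret", salted[0]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that none of the other options in the question helps here: non-dictionary words and lockouts only raise the cost of online guessing, and forcing all-uppercase shrinks the keyspace a table has to cover.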
Question # 36

A security consultant decides to use multiple layers of anti-virus defense, such as end user desktop anti-virus and E-mail gateway.  This approach can be used to mitigate which kind of attack?

A.

Forensic attack

B.

ARP spoofing attack

C.

Social engineering attack

D.

Scanning attack

Question # 37

The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers.  What should the security team do to determine which alerts to check first?

A.

Investigate based on the maintenance schedule of the affected systems.

B.

Investigate based on the service level agreements of the systems.

C.

Investigate based on the potential effect of the incident.

D.

Investigate based on the order that the alerts arrived in.

Question # 38

A bank stores and processes sensitive privacy information related to home loans.  However, auditing has never been enabled on the system.  What is the first step that the bank should take before enabling the audit feature?

A.

Perform a vulnerability scan of the system.

B.

Determine the impact of enabling the audit feature.

C.

Perform a cost/benefit analysis of the audit feature.

D.

Allocate funds for staffing of audit log review.

Question # 39

What statement is true regarding LM hashes?

A.

LM hashes consist in 48 hexadecimal characters.

B.

LM hashes are based on AES128 cryptographic standard.

C.

Uppercase characters in the password are converted to lowercase.

D.

LM hashes are not generated when the password length exceeds 15 characters.

Question # 40

Windows file servers commonly hold sensitive files, databases, passwords and more.  Which of the following choices would be a common vulnerability that usually exposes them?

A.

Cross-site scripting

B.

SQL injection

C.

Missing patches

D.

CRLF injection

Question # 41

A penetration tester is attempting to scan an internal corporate network from the Internet without alerting the border sensor. Which is the most efficient technique the tester should consider using?

A.

Spoofing an IP address

B.

Tunneling scan over SSH

C.

Tunneling over high port numbers

D.

Scanning using fragmented IP packets

Question # 42

Smart cards use which protocol to transfer the certificate in a secure manner?

A.

Extensible Authentication Protocol (EAP)

B.

Point to Point Protocol (PPP)

C.

Point to Point Tunneling Protocol (PPTP)

D.

Layer 2 Tunneling Protocol (L2TP)

Question # 43

A corporation hired an ethical hacker to test if it is possible to obtain users' login credentials using methods other than social engineering. Access to offices and to a network node is granted.  Results from server scanning indicate all are adequately patched and physical access is denied, thus, administrators have access only through Remote Desktop. Which technique could be used to obtain login credentials?

A.

Capture every users' traffic with Ettercap.

B.

Capture LANMAN Hashes and crack them with LC6.

C.

Guess passwords using Medusa or Hydra against a network service.

D.

Capture administrators RDP traffic and decode it with Cain and Abel.

Question # 44

The use of technologies like IPSec can help guarantee the following: authenticity, integrity, confidentiality and

A.

non-repudiation.

B.

operability.

C.

security.

D.

usability.

Question # 45

International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by outlining

A.

guidelines and practices for security controls.

B.

financial soundness and business viability metrics.

C.

standard best practice for configuration management.

D.

contract agreement writing standards.

Question # 46

When creating a security program, which approach would be used if senior management is supporting and enforcing the security policy?

A.

A bottom-up approach

B.

A top-down approach

C.

A senior creation approach

D.

An IT assurance approach

Question # 47

Which of the following is an application that requires a host application for replication?

A.

Micro

B.

Worm

C.

Trojan

D.

Virus

Question # 48


An attacker finds a web page for a target organization that supplies contact information for the company. Using available details to make the message seem authentic, the attacker drafts e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator.

The email asks the employee to log into a bogus page that requests the employee's user name and password or click on a link that will download spyware or other malicious programming.

Google's Gmail was hacked using this technique and attackers stole source code and sensitive data from Google servers. This is a highly sophisticated attack using zero-day exploit vectors, social engineering and malware websites that focused on targeted individuals working for the company.

What is this deadly attack called?

A.

Spear phishing attack

B.

Trojan server attack

C.

Javelin attack

D.

Social networking attack

Question # 49

How does traceroute map the route a packet travels from point A to point B?

A.

Uses a TCP timestamp packet that will elicit a time exceeded in transit message

B.

Manipulates the value of the time to live (TTL) within packet to elicit a time exceeded in transit message

C.

Uses a protocol that will be rejected by gateways on its way to the destination

D.

Manipulates the flags within packets to force gateways into generating error messages

Question # 50

What does the FIN flag in TCP indicate?

A.

Used to abort a TCP connection abruptly

B.

Used to close a TCP connection

C.

Used to acknowledge receipt of a previous packet or transmission

D.

Used to indicate the beginning of a TCP connection

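Several of the questions above come down to reading the fixed TCP header: the port decode from a hexdump in Question 14, the SYN/ACK and RST exchange in Question 12, the connect, XMAS and ACK probes in Questions 6 and 11, and the FIN flag here. The Python below is an added example, not part of the original question bank: it turns a hexdump into bytes, decodes the IPv4 and TCP headers with the standard library, and names the scan type implied by a bare flag combination. The hexdump is constructed for the example (192.168.1.10:1040 to 10.0.0.22:6667 with SYN set) and the checksums in the builder are left at zero because nothing is transmitted.

```python
import struct
from ipaddress import IPv4Address

# Classic TCP flag bits, low byte of the data-offset/flags word (RFC 793).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Constructed hexdump: a 20-byte IPv4 header followed by a 20-byte TCP header.
SAMPLE_HEXDUMP = """\
0000  45 00 00 28 00 01 00 00 40 06 00 00 c0 a8 01 0a
0010  0a 00 00 16 04 10 1a 0b 00 00 00 01 00 00 00 00
0020  50 02 20 00 00 00 00 00
"""


def hexdump_to_bytes(text: str) -> bytes:
    """Turn 'offset  xx xx xx ...' lines into raw bytes (any ASCII gutter is ignored)."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:]:          # drop the offset column
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                out.append(int(tok, 16))
            else:
                break                         # reached the ASCII gutter
    return bytes(out)


def parse_ipv4_tcp(data: bytes) -> dict:
    """Decode an IPv4 header and the fixed 20-byte TCP header that follows it."""
    ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    ihl = (ver_ihl & 0x0F) * 4                # options, if any, sit between the two headers
    tcp = data[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _tcsum, _urgp = struct.unpack("!HHIIHHHH", tcp)
    flag_bits = off_flags & 0x3F
    return {
        "src_ip": str(IPv4Address(src)), "dst_ip": str(IPv4Address(dst)), "ttl": ttl,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "tcp_header_len": (off_flags >> 12) * 4, "window": window,
        "flags": sorted(name for name, bit in TCP_FLAGS.items() if flag_bits & bit),
    }


def classify_probe(flags) -> str:
    """Name the nmap-style probe or reply implied by a bare flag combination."""
    table = {
        frozenset({"SYN"}): "SYN probe (half-open scan or ordinary connect)",
        frozenset({"SYN", "ACK"}): "SYN/ACK reply: port is listening",
        frozenset({"ACK"}): "ACK scan probe (firewall rule mapping)",
        frozenset({"FIN", "PSH", "URG"}): "XMAS scan",
        frozenset(): "NULL scan",
        frozenset({"FIN"}): "FIN scan",
    }
    f = frozenset(flags)
    if f in table:
        return table[f]
    if "RST" in f:
        return "RST: reset (closed port, or a scanner tearing down a half-open session)"
    return "other"


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, flag_names, seq=0, ack=0, ttl=64) -> bytes:
    """Assemble a minimal IPv4+TCP header pair (checksums zero; never transmitted here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, ttl, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    bits = sum(TCP_FLAGS[n] for n in flag_names)
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | bits, 1024, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    pkt = parse_ipv4_tcp(hexdump_to_bytes(SAMPLE_HEXDUMP))
    print(f"{pkt['src_ip']}:{pkt['src_port']} -> {pkt['dst_ip']}:{pkt['dst_port']} flags={pkt['flags']}")
    print(classify_probe(pkt["flags"]))
```

Reading the header by hand follows the same offsets: in the TCP part, bytes 0-1 are the source port, 2-3 the destination port, and the low six bits of bytes 12-13 are the flags, so the FIN flag is the least significant bit of byte 13.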
Question # 51

Neil is a network administrator working in Istanbul. Neil wants to setup a protocol analyzer on his network that will receive a copy of every packet that passes through the main office switch. What type of port will Neil need to setup in order to accomplish this?

A.

Neil will have to configure a Bridged port that will copy all packets to the protocol analyzer.

B.

Neil will need to setup SPAN port that will copy all network traffic to the protocol analyzer.

C.

He will have to setup an Ether channel port to get a copy of all network traffic to the analyzer.

D.

He should setup a MODS port which will copy all network traffic.

Question # 52

You want to capture Facebook website traffic in Wireshark. What display filter should you use that shows all TCP packets that contain the word 'facebook'?

A.

display==facebook

B.

traffic.content==facebook

C.

tcp contains facebook

D.

list.display.facebook

Question # 53

Which definition among those given below best describes a covert channel?

A.

A server program using a port that is not well known.

B.

Making use of a protocol in a way it is not intended to be used.

C.

It is the multiplexing taking place on a communication link.

D.

It is one of the weak channels used by WEP which makes it insecure.

Question # 54

Which of the following keyloggers cannot be detected by anti-virus or anti-spyware products?

A.

Covert keylogger

B.

Stealth keylogger

C.

Software keylogger

D.

Hardware keylogger

Question # 55

Tess King is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain. What do you think Tess King is trying to accomplish? Select the best answer.

A.

A zone harvesting

B.

A zone transfer

C.

A zone update

D.

A zone estimate

Question # 56

You want to use netcat to generate huge amount of useless network data continuously for various performance testing between 2 hosts.

Which of the following commands accomplish this?

A.

Machine A

#yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 2222 > /dev/null

Machine B

#yes BBBBBBBBBBBBBBBBBBBBBB | nc machinea 2222 > /dev/null

B.

Machine A

cat somefile | nc -v -v -l -p 2222

Machine B

cat somefile | nc othermachine 2222

C.

Machine A

nc -l -p 1234 | uncompress -c | tar xvfp

Machine B

tar cfp - /some/dir | compress -c | nc -w 3 machinea 1234

D.

Machine A

while true : do

nc -v -l -s -p 6000 machineb 2

Machine B

while true ; do

nc -v -l -s -p 6000 machinea 2

done

Question # 57

Exhibit: (packet capture not reproduced)

You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply?

A.

ip = 10.0.0.22

B.

ip.src == 10.0.0.22

C.

ip.equals 10.0.0.22

D.

ip.address = 10.0.0.22

Question # 58

Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack?

A.

Timestamps

B.

SMB Signing

C.

File permissions

D.

Sequence numbers monitoring

Question # 59

Ethereal works best on ____________.

A.

Switched networks

B.

Linux platforms

C.

Networks using hubs

D.

Windows platforms

E.

LAN's

Question # 60

A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it?

Select the best answers.

A.

Use port security on his switches.

B.

Use a tool like ARPwatch to monitor for strange ARP activity.

C.

Use a firewall between all LAN segments.

D.

If you have a small network, use static ARP entries.

E.

Use only static IP addresses on all PC's.

Question # 61

How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS's on a network?

A.

Covert Channel

B.

Crafted Channel

C.

Bounce Channel

D.

Deceptive Channel

Question # 62

Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files?

A.

Snort

B.

argus

C.

TCPflow

D.

Tcpdump

Question # 63

As a security consultant, what are some of the things you would recommend to a company to ensure DNS security? Select the best answers.

A.

Use the same machines for DNS and other applications

B.

Harden DNS servers

C.

Use split-horizon operation for DNS servers

D.

Restrict Zone transfers

E.

Have subnet diversity between DNS servers

Question # 64

What did the following commands determine?

C:\>user2sid \\earth guest

S-1-5-21-343818398-789336058-1343024091-501

C:\>sid2user 5 21 343818398 789336058 1343024091 500

Name is Joe

Domain is EARTH

A.

That the Joe account has a SID of 500

B.

These commands demonstrate that the guest account has NOT been disabled

C.

These commands demonstrate that the guest account has been disabled

D.

That the true administrator is Joe

E.

Issued alone, these commands prove nothing

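The user2sid/sid2user pair works because the built-in Administrator account keeps relative identifier (RID) 500 no matter what it is renamed to, and the Guest account (RID 501) is a convenient way to learn the domain's SID prefix. The Python below is an added example, not part of the original question bank: it parses the SID shown in the question, rebuilds the RID-500 SID from it, and resolves it through a constructed stand-in for the directory lookup (no domain controller is contacted). The names in the stand-in directory, including a decoy account called "Administrator" with an ordinary RID, are made up for the example.

```python
import re

# Well-known relative identifiers in a Windows domain or local SAM.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in; can be renamed but keeps RID 500)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    519: "Enterprise Admins",
}

SID_RE = re.compile(r"^S-1-(\d+)(?:-(\d+))+$")


def parse_sid(sid: str) -> dict:
    """Split S-1-<authority>-<sub-authorities...>-<RID> into its parts."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    parts = sid.split("-")
    subauths = [int(p) for p in parts[3:]]
    return {
        "identifier_authority": int(parts[2]),
        "domain_sid": "-".join(parts[:-1]),   # everything before the final RID
        "sub_authorities": subauths,
        "rid": subauths[-1],
    }


def sid_with_rid(domain_sid: str, rid: int) -> str:
    return f"{domain_sid}-{rid}"


def rid_meaning(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "ordinary account or group (RIDs from 1000 upward are allocated as objects are created)"


# Constructed stand-in for the sid2user lookup: RID -> account name.
FAKE_DIRECTORY = {500: "Joe", 501: "Guest", 1001: "Administrator", 1002: "alice"}


def enumerate_from_guest_sid(guest_sid: str, lookup=FAKE_DIRECTORY.get) -> dict:
    """Reproduce the trick in the question: learn the domain SID from Guest, then ask who holds RID 500."""
    parsed = parse_sid(guest_sid)
    if parsed["rid"] != 501:
        raise ValueError("expected the Guest SID (RID 501)")
    admin_sid = sid_with_rid(parsed["domain_sid"], 500)
    return {
        "domain_sid": parsed["domain_sid"],
        "admin_sid": admin_sid,
        "real_administrator": lookup(500),
        "decoy_named_administrator": next((r for r, n in FAKE_DIRECTORY.items() if n == "Administrator"), None),
    }


if __name__ == "__main__":
    print(enumerate_from_guest_sid("S-1-5-21-343818398-789336058-1343024091-501"))
```

The lookup says nothing about whether Guest is enabled; an account's SID resolves whether the account is disabled or not. What the pair of commands does establish is which account name sits on RID 500, and therefore which account an attacker would target.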
Question # 65

A zone file consists of which of the following Resource Records (RRs)?

A.

DNS, NS, AXFR, and MX records

B.

DNS, NS, PTR, and MX records

C.

SOA, NS, AXFR, and MX records

D.

SOA, NS, A, and MX records

Question # 66

Exhibit:

ettercap -NCLzs --quiet

What does the command in the exhibit do in “Ettercap”?

A.

This command will provide you the entire list of hosts in the LAN

B.

This command will check if someone is poisoning you and will report its IP.

C.

This command will detach from console and log all the collected passwords from the network to a file.

D.

This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs.

Question # 67

Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform SNMP enquiries over the network. Which of these tools would do the SNMP enumeration he is looking for?

Select the best answers.

A.

SNMPUtil

B.

SNScan

C.

SNMPScan

D.

Solarwinds IP Network Browser

E.

NMap

Question # 68

Erik notices a big increase in UDP packets sent to port 1026 and 1027 occasionally. He enters the following at the command prompt.

$ nc -l -p 1026 -u -v

In response, he sees the following message.

cell(?(c)????STOPALERT77STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found 47 Critical Errors.

To fix the errors please do the following:

1. Download Registry Repair from: www.reg-patch.com

2. Install Registry Repair

3. Run Registry Repair

4. Reboot your computer

FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!

What would you infer from this alert?

A.

The machine is redirecting traffic to www.reg-patch.com using adware

B.

It is a genuine fault of windows registry and the registry needs to be backed up

C.

An attacker has compromised the machine and backdoored ports 1026 and 1027

D.

It is a messenger spam. Windows creates a listener on one of the low dynamic ports from 1026 to 1029 and the message usually promotes malware disguised as legitimate utilities

Question # 69

ARP poisoning is achieved in _____ steps

A.

1

B.

2

C.

3

D.

4

Question # 70

_________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

A.

Trojan

B.

RootKit

C.

DoS tool

D.

Scanner

E.

Backdoor

Question # 71

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

A.

Birthday

B.

Brute force

C.

Man-in-the-middle

D.

Smurf

Question # 72

Which of the following statements about a zone transfer are correct? (Choose three.)

A.

A zone transfer is accomplished with the DNS

B.

A zone transfer is accomplished with the nslookup service

C.

A zone transfer passes all zone information that a DNS server maintains

D.

A zone transfer passes all zone information that a nslookup server maintains

E.

A zone transfer can be prevented by blocking all inbound TCP port 53 connections

F.

Zone transfers cannot occur on the Internet

Question # 73

While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrongdoing. However, you are concerned about affecting the normal functionality of the email server. From the following options, choose how best you can achieve this objective.

A.

Block port 25 at the firewall.

B.

Shut off the SMTP service on the server.

C.

Force all connections to use a username and password.

D.

Switch from Windows Exchange to UNIX Sendmail.

E.

None of the above.

Question # 74

Windows LAN Manager (LM) hashes are known to be weak. Which of the following are known weaknesses of LM? (Choose three)

A.

Converts passwords to uppercase.

B.

Hashes are sent in clear text over the network.

C.

Makes use of only 32 bit encryption.

D.

Effective length is 7 characters.

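The LM weaknesses asked about in this question and in Questions 15 and 39 all follow from how the hash is built: the password is uppercased, cut or NUL-padded to 14 bytes, split into two 7-byte halves, and each half is used as a DES key to encrypt the constant "KGS!@#$%". The Python below is an added example, not part of the original question bank: it performs that preprocessing and the 56-to-64-bit DES key expansion, and shows what the hash gives away before any cracking (an all-NUL second half always encrypts to AAD3B435B51404EE, so a password of seven characters or fewer is visible at a glance). The final DES step uses pycryptodome if it is installed; the OEM code page used for the byte conversion is an assumption about a typical US install.

```python
# Windows LM hash construction and what it leaks.

LM_MAGIC = b"KGS!@#$%"                              # constant each half DES-encrypts
LM_EMPTY_HALF = bytes.fromhex("AAD3B435B51404EE")   # DES_k(LM_MAGIC) for k = seven NUL bytes

try:
    from Crypto.Cipher import DES                   # pycryptodome, optional for the DES step
except ImportError:                                 # pragma: no cover
    DES = None


def lm_preprocess(password: str) -> tuple:
    """Uppercase, truncate to 14, NUL-pad, and split into two independent 7-byte halves."""
    pw = password.upper().encode("cp437", errors="replace")[:14]   # OEM code page assumed
    pw = pw.ljust(14, b"\x00")
    return pw[:7], pw[7:]


def des_key_from_7_bytes(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, low bit of each byte carrying odd parity."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:          # DES keys use odd parity
            byte |= 1
        out.append(byte)
    return bytes(out)


def lm_hash(password: str) -> str:
    """Full LM hash as 32 uppercase hex characters (needs pycryptodome)."""
    if DES is None:
        raise RuntimeError("pycryptodome is needed for the DES step: pip install pycryptodome")
    digest = b""
    for half in lm_preprocess(password):
        digest += DES.new(des_key_from_7_bytes(half), DES.MODE_ECB).encrypt(LM_MAGIC)
    return digest.hex().upper()


def analyse_lm_hash(lm_hex: str) -> dict:
    """What an attacker learns from the stored hash alone."""
    raw = bytes.fromhex(lm_hex)
    if len(raw) != 16:
        raise ValueError("an LM hash is 16 bytes / 32 hex characters")
    return {
        "password_is_empty": raw == LM_EMPTY_HALF * 2,
        "password_is_7_chars_or_less": raw[8:] == LM_EMPTY_HALF,
        "halves_crack_independently": True,          # each half is a separate 7-char DES problem
        "case_information_lost": True,               # uppercased before hashing
    }


if __name__ == "__main__":
    print(lm_preprocess("secret"))
    print(analyse_lm_hash("0123456789ABCDEF" + LM_EMPTY_HALF.hex().upper()))
```

Because the halves are independent, a 14-character LM password costs at most two 7-character searches over an uppercase alphabet rather than one 14-character search, which is why the effective length in the question is seven and why disabling LM storage (or using passwords longer than 14 characters, for which no LM hash is stored) matters more than any complexity rule.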
Question # 75

Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric is relaying the information between the two.

What would you call this attack?

A.

Interceptor

B.

Man-in-the-middle

C.

ARP Proxy

D.

Poisoning Attack

Question # 76

Fingerprinting an Operating System helps a cracker because:

A.

It defines exactly what software you have installed

B.

It opens a security-delayed window based on the port being scanned

C.

It doesn't depend on the patches that have been applied to fix existing security holes

D.

It informs the cracker of which vulnerabilities he may be able to exploit on your system

Question # 77

Susan has attached to her company’s network. She has managed to synchronize her boss’s sessions with that of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted and then placed it on the server in his home directory. What kind of attack is Susan carrying out?

A.

A sniffing attack

B.

A spoofing attack

C.

A man in the middle attack

D.

A denial of service attack

Question # 78

Global deployment of RFC 2827 would help mitigate what classification of attack?

A.

Sniffing attack

B.

Denial of service attack

C.

Spoofing attack

D.

Reconnaissance attack

E.

Port Scan attack

Question # 79

What ports should be blocked on the firewall to prevent NetBIOS traffic from coming through the firewall if your network is comprised of Windows NT, 2000, and XP? (Choose all that apply.)

A.

110

B.

135

C.

139

D.

161

E.

445

F.

1024

Question # 80

Which of the following is an example of two factor authentication?

A.

PIN Number and Birth Date

B.

Username and Password

C.

Digital Certificate and Hardware Token

D.

Fingerprint and Smartcard ID

Question # 81

Exhibit:

[Exhibit image not reproduced]

Study the following log extract and identify the attack.

A.

Hexcode Attack

B.

Cross Site Scripting

C.

Multiple Domain Traversal Attack

D.

Unicode Directory Traversal Attack

Question # 82

For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. While using a digital signature, the message digest is encrypted with which key?

A.

Sender's public key

B.

Receiver's private key

C.

Receiver's public key

D.

Sender's private key

Question # 83

Which type of scan is used on the eye to measure the layer of blood vessels?

A.

Facial recognition scan

B.

Retinal scan

C.

Iris scan

D.

Signature kinetics scan

Question # 84

How can a rootkit bypass the Windows 7 operating system’s kernel-mode code signing policy?

A.

Defeating the scanner from detecting any code change at the kernel

B.

Replacing patch system calls with its own version that hides the rootkit (attacker's) actions

C.

Performing common services for the application process and replacing real applications with fake ones

D.

Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options

Question # 85

A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a company almost two months ago, but has yet to get paid. The customer is suffering from financial problems, and the CEH is worried that the company will go out of business and end up not paying. What actions should the CEH take?

A.

Threaten to publish the penetration test results if not paid.

B.

Follow proper legal procedures against the company to request payment.

C.

Tell other customers of the financial problems with payments from this company.

D.

Exploit some of the vulnerabilities found on the company webserver to deface it.

Question # 86

Which of the following problems can be solved by using Wireshark?

A.

Tracking version changes of source code

B.

Checking creation dates on all webpages on a server

C.

Resetting the administrator password on multiple systems

D.

Troubleshooting communication resets between two systems

Question # 87

A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public-facing web servers. The engineer decides to start by using netcat to connect to port 80.

The engineer receives this output:

HTTP/1.1 200 OK

Server: Microsoft-IIS/6

Expires: Tue, 17 Jan 2011 01:41:33 GMT

Date: Mon, 16 Jan 2011 01:41:33 GMT

Content-Type: text/html

Accept-Ranges: bytes

Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT

ETag: "b0aac0542e25c31:89d"

Content-Length: 7369

Which of the following is an example of what the engineer performed?

A.

Cross-site scripting

B.

Banner grabbing

C.

SQL injection

D.

Whois database query

Question # 88

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Which of the following is the correct bit size of the Diffie-Hellman (DH) group 5?

A.

768 bit key

B.

1025 bit key

C.

1536 bit key

D.

2048 bit key

Question # 89

The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106:

Time:Mar 13 17:30:15 Port:20 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:17 Port:21 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:19 Port:22 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:21 Port:23 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:22 Port:25 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:23 Port:80 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:30 Port:443 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

What type of activity has been logged?

A.

Port scan targeting 192.168.1.103

B.

Teardrop attack targeting 192.168.1.106

C.

Denial of service attack targeting 192.168.1.103

D.

Port scan targeting 192.168.1.106

Question # 90

A circuit level gateway works at which of the following layers of the OSI Model?

A.

Layer 5 – Application

B.

Layer 4 – TCP

C.

Layer 3 – Internet protocol

D.

Layer 2 – Data link

Question # 91

Which of the following is an example of IP spoofing?

A.

SQL injections

B.

Man-in-the-middle

C.

Cross-site scripting

D.

ARP poisoning

Question # 92

Which of the following programs is usually targeted at Microsoft Office products?

A.

Polymorphic virus

B.

Multipart virus

C.

Macro virus

D.

Stealth virus

Question # 93

The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?

A.

Multiple keys for non-repudiation of bulk data

B.

Different keys on both ends of the transport medium

C.

Bulk encryption for data transmission over fiber

D.

The same key on each end of the transmission medium

Question # 94

Which of the following is an example of an asymmetric encryption implementation?

A.

SHA1

B.

PGP

C.

3DES

D.

MD5

Question # 95

A penetration tester is conducting a port scan on a specific host. The tester found several open ports that made it difficult to conclude which Operating System (OS) version was installed. Considering the NMAP result below, which of the following is the target machine likely to be?

Starting NMAP 5.21 at 2011-03-15 11:06

NMAP scan report for 172.16.40.65

Host is up (1.00s latency).

Not shown: 993 closed ports

PORT STATE SERVICE

21/tcp open ftp

23/tcp open telnet

80/tcp open http

139/tcp open netbios-ssn

515/tcp open

631/tcp open  ipp

9100/tcp open

MAC Address: 00:00:48:0D:EE:89

A.

The host is likely a Windows machine.

B.

The host is likely a Linux machine.

C.

The host is likely a router.

D.

The host is likely a printer.

Question # 96

There is a WEP encrypted wireless access point (AP) with no clients connected. In order to crack the WEP key, a fake authentication needs to be performed. What information is needed when performing fake authentication to an AP? (Choose two.)

A.

The IP address of the AP

B.

The MAC address of the AP

C.

The SSID of the wireless network

D.

A failed authentication packet

Question # 97

How does an operating system protect the passwords used for account logins?

A.

The operating system performs a one-way hash of the passwords.

B.

The operating system stores the passwords in a secret file that users cannot find.

C.

The operating system encrypts the passwords, and decrypts them when needed.

D.

The operating system stores all passwords in a protected segment of non-volatile memory.

Question # 98

Which tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker?

A.

DataThief

B.

NetCat

C.

Cain and Abel

D.

SQLInjector

Question # 99

You generate an MD5 128-bit hash of all files and folders on your computer to keep a baseline check for security reasons.

[Exhibit image not reproduced]

What is the length of the MD5 hash?

A.

32 character

B.

64 byte

C.

48 char

D.

128 kb

Question # 100

XSS attacks occur on Web pages that do not perform appropriate bounds checking on data entered by users. Characters like < > that mark the beginning/end of a tag should be converted into HTML entities.

[Exhibit images not reproduced]

What is the correct code when converted to html entities?

[Exhibit image with options A–D not reproduced]

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 101

Company A and Company B have just merged and each has its own Public Key Infrastructure (PKI). What must the Certificate Authorities (CAs) establish so that the private PKIs for Company A and Company B trust one another and each private PKI can validate digital certificates from the other company?

A.

Poly key exchange

B.

Cross certification

C.

Poly key reference

D.

Cross-site exchange

Question # 102

Which statement is TRUE regarding network firewalls preventing Web Application attacks?

A.

Network firewalls can prevent attacks because they can detect malicious HTTP traffic.

B.

Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.

C.

Network firewalls can prevent attacks if they are properly configured.

D.

Network firewalls cannot prevent attacks because they are too complex to configure.

Question # 103

A botnet can be managed through which of the following?

A.

IRC

B.

E-Mail

C.

Linkedin and Facebook

D.

A vulnerable FTP server

Question # 104

Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11?

A.

Truecrypt

B.

Sub7

C.

Nessus

D.

Clamwin

Question # 105

Which of the following does proper basic configuration of snort as a network intrusion detection system require?

A.

Limit the packets captured to the snort configuration file.

B.

Capture every packet on the network segment.

C.

Limit the packets captured to a single segment.

D.

Limit the packets captured to the /var/log/snort directory.

Question # 106

A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of engagement state that the penetration test be done from an external IP address with no prior knowledge of the internal IT systems. What kind of test is being performed?

A.

white box

B.

grey box

C.

red box

D.

black box

Question # 107

Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?

A.

They are written in Java.

B.

They send alerts to security monitors.

C.

They use the same packet analysis engine.

D.

They use the same packet capture utility.

Question # 108

Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interrupts while they are being run?

A.

Cavity virus

B.

Polymorphic virus

C.

Tunneling virus

D.

Stealth virus

Question # 109

Which of the following levels of algorithms does Public Key Infrastructure (PKI) use?

A.

RSA 1024 bit strength

B.

AES 1024 bit strength

C.

RSA 512 bit strength

D.

AES 512 bit strength

Question # 110

Which of the following techniques will identify if computer files have been changed?

A.

Network sniffing

B.

Permission sets

C.

Integrity checking hashes

D.

Firewall alerts

Question # 111

What are common signs that a system has been compromised or hacked? (Choose three.)

A.

Increased amount of failed logon events

B.

Patterns in time gaps in system and/or event logs

C.

New user accounts created

D.

Consistency in usage baselines

E.

Partitions are encrypted

F.

Server hard drives become fragmented

Question # 112

What is the primary drawback to using the Advanced Encryption Standard (AES) algorithm with a 256-bit key to share sensitive data?

A.

Due to the key size, the time it will take to encrypt and decrypt the message hinders efficient communication.

B.

To get messaging programs to function with this algorithm requires complex configurations.

C.

It has been proven to be a weak cipher; therefore, should not be trusted to protect sensitive data.

D.

It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel than the message.

Question # 113

A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration?

A.

Reject all invalid email received via SMTP.

B.

Allow full DNS zone transfers.

C.

Remove A records for internal hosts.

D.

Enable null session pipes.

Question # 114

Which protocol and port number might be needed in order to send log messages to a log analysis tool that resides behind a firewall?

A.

UDP 123

B.

UDP 541

C.

UDP 514

D.

UDP 415

Question # 115

A company has hired a security administrator to maintain and administer Linux and Windows-based systems. Written in the nightly report file is the following:

Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours later the size has decreased considerably. Another hour goes by and the log files have shrunk in size again.

Which of the following actions should the security administrator take?

A.

Log the event as suspicious activity and report this behavior to the incident response team immediately.

B.

Log the event as suspicious activity, call a manager, and report this as soon as possible.

C.

Run an anti-virus scan because it is likely the system is infected by malware.

D.

Log the event as suspicious activity, continue to investigate, and act according to the site's security policy.

Question # 116

While checking the settings on the Internet browser, a technician finds that the proxy server settings have been checked and a computer is trying to use itself as a proxy server. What specific address does the technician see?

A.

10.10.10.10

B.

127.0.0.1

C.

192.168.1.1

D.

192.168.168.168

Question # 117

A recently hired network security associate at a local bank was given the responsibility to perform daily scans of the internal network to look for unauthorized devices. The employee decides to write a script that will scan the network for unauthorized devices every morning at 5:00 am.

Which of the following programming languages would most likely be used?

A.

PHP

B.

C#

C.

Python

D.

ASP.NET

Question # 118

Which of the following open source tools would be the best choice to scan a network for potential targets?

A.

NMAP

B.

NIKTO

C.

CAIN

D.

John the Ripper

Question # 119

John is using a special tool on his Linux platform that has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts. Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool?

A.

hping2

B.

nessus

C.

nmap

D.

make

Question # 120

Identify SQL injection attack from the HTTP requests shown below:

A.

http://www.myserver.c0m/search.asp?lname=smith%27%3bupdate%20usertable%20set%20passwd%3d%27hAx0r%27%3b--%00

B.

http://www.myserver.c0m/script.php?mydata=%3cscript%20src=%22

C.

http%3a%2f%2fwww.yourserver.c0m%2fbadscript.js%22%3e%3c%2fscript%3e

D.

http://www.victim.com/example accountnumber=67891 &creditamount=999999999

Question # 121

You receive an email with the following message:

Hello Steve,

We are having technical difficulty in restoring user database record after the recent blackout. Your account data is corrupted. Please logon to the SuperEmailServices.com and change your password.

http://www.supermailservices.com@0xde.0xad.0xbe.0xef/support/logon.htm

If you do not reset your password within 7 days, your account will be permanently disabled locking you out from our e-mail services.

Sincerely,

Technical Support

SuperEmailServices

From this e-mail you suspect that this message was sent by some hacker, since you have been using their e-mail services for the last 2 years and they have never sent out an e-mail such as this. You also observe the URL in the message and confirm your suspicion about 0xde.0xad.0xbe.0xef, which looks like hexadecimal numbers. You immediately enter the following at a Windows 2000 command prompt:

Ping 0xde.0xad.0xbe.0xef

You get a response with a valid IP address.

What is the obfuscated IP address in the e-mail URL?

A.

222.173.190.239

B.

233.34.45.64

C.

54.23.56.55

D.

199.223.23.45

Question # 122

What is the following command used for?

net use \\target\ipc$ "" /u:""

A.

Grabbing the etc/passwd file

B.

Grabbing the SAM

C.

Connecting to a Linux computer through Samba.

D.

This command is used to connect as a null session

E.

Enumeration of Cisco routers

Question # 123

Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position. Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of traffic is being passed around, but the program he is using does not seem to be capturing anything. He pores through the Sniffer's manual, but cannot find anything that directly relates to his problem. Harold decides to ask the network administrator if he has any thoughts on the problem. Harold is told that the Sniffer was not working because the agency's network is a switched network, which cannot be sniffed by some programs without some tweaking. What technique could Harold use to sniff his agency's switched network?

A.

ARP spoof the default gateway

B.

Conduct MiTM against the switch

C.

Launch smurf attack against the switch

D.

Flood the switch with ICMP packets

Question # 124

The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?

A.

An attacker, working slowly enough, can evade detection by the IDS.

B.

Network packets are dropped if the volume exceeds the threshold.

C.

Thresholding interferes with the IDS’ ability to reassemble fragmented packets.

D.

The IDS will not distinguish among packets originating from different sources.

Question # 125

Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations?

A.

Key registry

B.

Recovery agent

C.

Directory

D.

Key escrow

Question # 126

To see how some of the hosts on your network react, Winston sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established he sends RST packets to those hosts to stop the session. Winston has done this to see how his intrusion detection system will log the traffic. What type of scan is Winston attempting here?

A.

Winston is attempting to find live hosts on your company's network by using an XMAS scan.

B.

He is utilizing a SYN scan to find live hosts that are listening on your network.

C.

This type of scan he is using is called a NULL scan.

D.

He is using a half-open scan to find live hosts on your network.

Question # 127

Why do attackers use proxy servers?

A.

To ensure the exploits used in the attacks always flip reverse vectors

B.

Faster bandwidth performance and increase in attack speed

C.

Interrupt the remote victim's network traffic and reroute the packets to the attacker's machine

D.

To hide the source IP address so that an attacker can hack without any legal corollary

Question # 128

Trojan horse attacks pose one of the most serious threats to computer security. The image below shows different ways a Trojan can get into a system. Which are the easiest and most convincing ways to infect a computer?

[Exhibit image not reproduced]

A.

IRC (Internet Relay Chat)

B.

Legitimate "shrink-wrapped" software packaged by a disgruntled employee

C.

NetBIOS (File Sharing)

D.

Downloading files, games and screensavers from Internet sites

Question # 129

The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of "public". This is the so-called "default public community string". How would you keep intruders from getting sensitive information regarding the network devices using SNMP? (Select 2 answers)

A.

Enable SNMPv3 which encrypts username/password authentication

B.

Use your company name as the public community string replacing the default 'public'

C.

Enable IP filtering to limit access to SNMP device

D.

The default configuration provided by device vendors is highly secure and you don't need to change anything

Question # 130

An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker doesn't want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target system. What could be the reason?

A.

The firewall is blocking port 23 to that system

B.

He needs to use an automated tool to telnet in

C.

He cannot spoof his IP and successfully use TCP

D.

He is attacking an operating system that does not reply to telnet even when open

Question # 131

One way to defeat a multi-level security solution is to leak data via

A.

a bypass regulator.

B.

steganography.

C.

a covert channel.

D.

asymmetric routing.

Question # 132

What is the main disadvantage of the scripting languages as opposed to compiled programming languages?

A.

Scripting languages are hard to learn.

B.

Scripting languages are not object-oriented.

C.

Scripting languages cannot be used to create graphical user interfaces.

D.

Scripting languages are slower because they require an interpreter to run the code.

Question # 133

What type of port scan is represented here?

[Exhibit image not reproduced]

A.

Stealth Scan

B.

Full Scan

C.

XMAS Scan

D.

FIN Scan

Question # 134

Jake is a network administrator who needs to get reports from all the computer and network devices on his network. Jake wants to use SNMP but is afraid that won't be secure since passwords and messages are in clear text. How can Jake gather network information in a secure manner?

A.

He can use SNMPv3

B.

Jake can use SNMPrev5

C.

He can use SecWMI

D.

Jake can use SecSNMP

Question # 135

Wayne is the senior security analyst for his company. Wayne is examining some traffic logs on a server and came across some inconsistencies. Wayne finds some IP packets from a computer purporting to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can Wayne infer from this traffic log?

A.

The initial traffic from 192.168.12.35 was being spoofed.

B.

The traffic from 192.168.12.25 is from a Linux computer.

C.

The TTL of 21 means that the client computer is on wireless.

D.

The client computer at 192.168.12.35 is a zombie computer.

Question # 136

When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?

A.

Drops the packet and moves on to the next one

B.

Continues to evaluate the packet until all rules are checked

C.

Stops checking rules, sends an alert, and lets the packet continue

D.

Blocks the connection with the source IP address in the packet

Question # 137

Which of the following processes evaluates the adherence of an organization to its stated security policy?

A.

Vulnerability assessment

B.

Penetration testing

C.

Risk assessment

D.

Security auditing

Question # 138

Neil is an IT security consultant working on contract for Davidson Avionics. Neil has been hired to audit the network of Davidson Avionics. He has been given permission to perform any tests necessary. Neil has created a fake company ID badge and uniform. Neil waits by one of the company's entrance doors and follows an employee into the office after they use their valid access card to gain entrance. What type of social engineering attack has Neil employed here?

A.

Neil has used a tailgating social engineering attack to gain access to the offices

B.

He has used a piggybacking technique to gain unauthorized access

C.

This type of social engineering attack is called man trapping

D.

Neil is using the technique of reverse social engineering to gain access to the offices of Davidson Avionics

Question # 139

Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest?

A.

MD5

B.

SHA-1

C.

RC4

D.

MD4

Question # 140

Advanced encryption standard is an algorithm used for which of the following?

A.

Data integrity

B.

Key discovery

C.

Bulk data encryption

D.

Key recovery

Question # 141

Which of the following is a client-server tool utilized to evade firewall inspection?

A.

tcp-over-dns

B.

kismet

C.

nikto

D.

hping

Question # 142

WPA2 uses AES for wireless data encryption at which of the following encryption levels?

A.

64 bit and CCMP

B.

128 bit and CRC

C.

128 bit and CCMP

D.

128 bit and TKIP

Question # 143

Fingerprinting VPN firewalls is possible with which of the following tools?

A.

Angry IP

B.

Nikto

C.

Ike-scan

D.

Arp-scan

Question # 144

Which system consists of a publicly available set of databases that contain domain name registration contact information?

A.

WHOIS

B.

IANA 

C.

CAPTCHA

D.

IETF

Question # 145

When analyzing the IDS logs, the system administrator notices connections from outside of the LAN have been sending packets where the Source IP address and Destination IP address are the same. There have been no alerts sent via email or logged in the IDS. Which type of an alert is this?

A.

False positive

B.

False negative

C.

True positive

D.

True negative

Question # 146

An NMAP scan of a server shows port 69 is open. What risk could this pose?

A.

Unauthenticated access

B.

Weak SSL version

C.

Cleartext login

D.

Web portal data leak

Question # 147

A security engineer has been asked to deploy a secure remote access solution that will allow employees to connect to the company’s internal network. Which of the following can be implemented to minimize the opportunity for the man-in-the-middle attack to occur?

A.

SSL

B.

Mutual authentication

C.

IPSec

D.

Static IP addresses

Question # 148

A tester has been using the msadc.pl attack script to execute arbitrary commands on a Windows NT4 web server. While it is effective, the tester finds it tedious to perform extended functions.

On further research, the tester comes across a Perl script that runs the following msadc functions:

system("perl msadc.pl -h $host -C \"echo open $your >testfile\"");

[Exhibit image with the remainder of the script not reproduced]

Which exploit is indicated by this script?

A.

A buffer overflow exploit

B.

A chained exploit

C.

A SQL injection exploit

D.

A denial of service exploit

Question # 149

Which United States legislation mandates that the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports?

A.

Sarbanes-Oxley Act (SOX)

B.

Gramm-Leach-Bliley Act (GLBA)

C.

Fair and Accurate Credit Transactions Act (FACTA)

D.

Federal Information Security Management Act (FISMA)

Question # 150

Which property ensures that a hash function will not produce the same hashed value for two different messages?

A.

Collision resistance

B.

Bit length

C.

Key strength

D.

Entropy

Question # 151

Which of the following business challenges could be solved by using a vulnerability scanner?

A.

Auditors want to discover if all systems are following a standard naming convention.

B.

A web server was compromised and management needs to know if any further systems were compromised.

C.

There is an emergency need to remove administrator access from multiple machines for an employee that quit.

D.

There is a monthly requirement to test corporate compliance with host application usage and security policies.

Question # 152

What is the correct command to run Netcat on a server using port 56 that spawns command shell when connected?

[Exhibit image not reproduced]

A.

nc -port 56 -s cmd.exe

B.

nc -p 56 -p -e shell.exe

C.

nc -r 56 -c cmd.exe

D.

nc -L 56 -t -e cmd.exe

Question # 153

Stephanie works as a records clerk in a large office building in downtown Chicago. On Monday, she went to a mandatory security awareness class (Security5) put on by her company's IT department. During the class, the IT department informed all employees that everyone's Internet activity was thenceforth going to be monitored.

Stephanie is worried that her Internet activity might give her supervisor reason to write her up, or worse get her fired. Stephanie's daily work duties only consume about four hours of her time, so she usually spends the rest of the day surfing the web. Stephanie really enjoys surfing the Internet but definitely does not want to get fired for it.

What should Stephanie use so that she does not get in trouble for surfing the Internet?

A.

Stealth IE

B.

Stealth Anonymizer

C.

Stealth Firefox

D.

Cookie Disabler

Question # 154

What type of Virus is shown here?

[Exhibit image not reproduced]

A.

Cavity Virus

B.

Macro Virus

C.

Boot Sector Virus

D.

Metamorphic Virus

E.

Sparse Infector Virus

Question # 155

What type of attack is shown in the following diagram?

[Exhibit diagram not reproduced]

A.

Man-in-the-Middle (MiTM) Attack

B.

Session Hijacking Attack

C.

SSL Spoofing Attack

D.

Identity Stealing Attack

Question # 156

Bret is a web application administrator and has just read that there are a number of surprisingly common web application vulnerabilities that can be exploited by unsophisticated attackers with easily available tools on the Internet. He has also read that when an organization deploys a web application, they invite the world to send HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Bret is determined to weed out vulnerabilities.

What are some of the common vulnerabilities in web applications that he should be concerned about?

A.

Non-validated parameters, broken access control, broken account and session management, cross-site scripting and buffer overflows are just a few common vulnerabilities

B.

Visible clear text passwords, anonymous user account set as default, missing latest security patch, no firewall filters set and no SSL configured are just a few common vulnerabilities

C.

No SSL configured, anonymous user account set as default, missing latest security patch, no firewall filters set and an inattentive system administrator are just a few common vulnerabilities

D.

No IDS configured, anonymous user account set as default, missing latest security patch, no firewall filters set and visible clear text passwords are just a few common vulnerabilities

Question # 157

What type of session hijacking attack is shown in the exhibit?

EC0-350 question answer

A.

Cross-site scripting Attack

B.

SQL Injection Attack

C.

Token sniffing Attack

D.

Session Fixation Attack

Question # 158

The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user:

EC0-350 question answer

The user is prompted to enter the name of a city on a Web form. If she enters Chicago, the query assembled by the script looks similar to the following:

SELECT * FROM OrdersTable WHERE ShipCity = 'Chicago'

How will you delete the OrdersTable from the database using SQL Injection?

A.

Chicago'; drop table OrdersTable --

B.

Delete table'blah'; OrdersTable --

C.

EXEC; SELECT * OrdersTable > DROP --

D.

cmdshell'; 'del c:\sql\mydb\OrdersTable' //

Question # 159

Joel and her team have been going through tons of garbage, recycled paper, and other rubbish in order to find some information about the target they are attempting to penetrate. What would you call this type of activity?

A.

Dumpster Diving

B.

Scanning

C.

CI Gathering

D.

Garbage Scooping

Question # 160

Which type of scan does NOT open a full TCP connection?

A.

Stealth Scan

B.

XMAS Scan

C.

Null Scan

D.

FIN Scan

Question # 161

What file system vulnerability does the following command take advantage of?

type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe

A.

HFS

B.

Backdoor access

C.

XFS

D.

ADS

Question # 162

You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct assessments to protect the company's network. During one of your periodic checks to see how well policy is being observed by the employees, you discover that an employee has attached a cell phone 3G modem to his telephone line and workstation. He has used this cell phone 3G modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. How would you resolve this situation?

A.

Reconfigure the firewall

B.

Enforce the corporate security policy

C.

Install a network-based IDS

D.

Conduct a needs analysis

Question # 163

Peter extracts the SID list from a Windows 2008 Server machine using the hacking tool "SIDExtracter". Here is the output of the SIDs:

EC0-350 question answer

From the above list, identify the user account with System Administrator privileges.

A.

John

B.

Rebecca

C.

Sheela

D.

Shawn

E.

Somia

F.

Chang

G.

Micah

Question # 164

In Trojan terminology, what is required to create the executable file chess.exe as shown below?

EC0-350 question answer

A.

Mixer

B.

Converter

C.

Wrapper

D.

Zipper

Question # 165

Jason works in the sales and marketing department for a very large advertising agency located in Atlanta. Jason is working on a very important marketing campaign for his company's largest client. Before the project could be completed and implemented, a competing advertising company comes out with the exact same marketing materials and advertising, thus rendering all the work done for Jason's client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor.

Without any proof, Jason's company cannot do anything except move on. After working on another high profile client for about a month, all the marketing and sales material again ends up in the hands of another competitor and is released to the public before Jason's company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay until they can figure out what is going on.

Jason's supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files, but nothing else. Jason's supervisor opens the picture files, but cannot find anything out of the ordinary with them.

What technique has Jason most likely used?

A.

Stealth Rootkit Technique

B.

ADS Streams Technique

C.

Snow Hiding Technique

D.

Image Steganography Technique

Question # 166

Which of the following statements would NOT be a proper definition for a Trojan Horse?

A.

An authorized program that has been designed to capture keyboard keystroke while the user is unaware of such activity being performed

B.

An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user

C.

A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user

D.

Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user

Question # 167

Samuel is the network administrator of DataX Communications, Inc. He is trying to configure his firewall to block password brute-force attempts on his network. He enables blocking of the intruder's IP address for a period of 24 hours after more than three unsuccessful attempts. He is confident that this rule will secure his network from hackers on the Internet.

But he still receives hundreds of thousands of brute-force attempts generated from various IP addresses around the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to rotate randomly among various proxies on each request so as not to get caught by the firewall rule.

Later he adds another rule to his firewall and enables a small sleep on the password attempt, so that if the password is incorrect, it takes 45 seconds to return to the user before another attempt can begin. Since an intruder may use multiple machines to brute force the password, he also throttles the number of connections that the firewall will be prepared to accept from a particular IP address. This action will slow the intruder's attempts.

Samuel wants to completely block hackers' brute-force attempts on his network.

What are the alternatives to defending against possible brute-force password attacks on his site?

A.

Enforce a password policy and use account lockouts after three wrong logon attempts even though this might lock out legit users

B.

Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the firewall manually

C.

Enforce complex password policy on your network so that passwords are more difficult to brute force

D.

You cannot completely block the intruders attempt if they constantly switch proxies

Question # 168

Stephanie works as a senior security analyst for a manufacturing company in Detroit. Stephanie manages network security throughout the organization. Her colleague Jason told her in confidence that he was able to see confidential corporate information posted on the external website http://www.jeansclothesman.com. He tried random URLs on the company's website and found confidential information leaked over the web. Jason says this happened about a month ago. Stephanie visits the said URLs, but she finds nothing. She is very concerned about this, since someone should be held accountable if there was sensitive information posted on the website.

Where can Stephanie go to see past versions and pages of a website?

A.

She should go to the web page Samspade.org to see web pages that might no longer be on the website

B.

If Stephanie navigates to Search.com; she will see old versions of the company website

C.

Stephanie can go to Archive.org to see past versions of the company website

D.

AddressPast.com would have any web pages that are no longer hosted on the company's website

Question # 169

BankerFox is a Trojan that is designed to steal users' banking data related to certain banking entities.

When users access any website of the affected banks through the vulnerable Firefox 3.5 browser, the Trojan is activated and logs the information entered by the user. All the information entered on that website will be logged by the Trojan and transmitted to the attacker's machine using a covert channel.

BankerFox does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer.

EC0-350 question answer

What is the most efficient way for an attacker in a remote location to infect a victim's machine with this banking Trojan?

A.

Physical access - the attacker can simply copy a Trojan horse to a victim's hard disk infecting the machine via Firefox add-on extensions

B.

Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer

C.

Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer

D.

Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer

E.

Downloading software from a website? An attacker can offer free software, such as shareware programs and pirated mp3 files

Question # 170

How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets.

A.

Session Hijacking

B.

Session Stealing

C.

Session Splicing

D.

Session Fragmentation

Question # 171

Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security.

Maintaining the security of a Web server will usually involve the following steps:

1. Configuring, protecting, and analyzing log files

2. Backing up critical information frequently

3. Maintaining a protected authoritative copy of the organization's Web content

4. Establishing and following procedures for recovering from compromise

5. Testing and applying patches in a timely manner

6. Testing security periodically.

In which step would you engage a forensic investigator?

A.

1

B.

2

C.

3

D.

4

E.

5

F.

6

Question # 172

How do you defend against Privilege Escalation?

A.

Use encryption to protect sensitive data

B.

Restrict the interactive logon privileges

C.

Run services as unprivileged accounts

D.

Allow security settings of IE to zero or Low

E.

Run users and applications on the least privileges

Question # 173

This attack uses social engineering techniques to trick users into accessing a fake Web site and divulging personal information. Attackers send a legitimate-looking e-mail asking users to update their information on the company's Web site, but the URLs in the e-mail actually point to a false Web site.

A.

Wiresharp attack

B.

Switch and bait attack

C.

Phishing attack

D.

Man-in-the-Middle attack

Question # 174

Bob has set up three web servers on Windows Server 2008 IIS 7.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of these servers because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network.

Why will this not be possible?

A.

Firewalls cannot inspect traffic coming through port 443

B.

Firewalls can only inspect outbound traffic

C.

Firewalls cannot inspect traffic at all, they can only block or allow certain ports

D.

Firewalls cannot inspect traffic coming through port 80

Question # 175

This attack technique is used when a Web application is vulnerable to an SQL Injection but the results of the Injection are not visible to the attacker.

A.

Unique SQL Injection

B.

Blind SQL Injection

C.

Generic SQL Injection

D.

Double SQL Injection

Question # 176

This is an example of a whois record.

EC0-350 question answer

Sometimes a company shares a little too much information on their organization through public domain records. Based on the above whois record, what can an attacker do? (Select 2 answers)

A.

Search engines like Google, Bing will expose information listed on the WHOIS record

B.

An attacker can attempt phishing and social engineering on targeted individuals using the information from WHOIS record

C.

Spammers can send unsolicited e-mails to addresses listed in the WHOIS record

D.

IRS Agents will use this information to track individuals using the WHOIS record information

Question # 177

Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city's computer network are secure from all angles. Bill is an IT technician who works with Hampton in the same IT department. Bill's primary responsibility is to keep PCs and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill set up a wireless network for the agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network.

Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton became curious about this because he noticed Bill working on a Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, Hampton decided to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company's building.

How was Bill able to get Internet access without using an agency laptop?

A.

Bill spoofed the MAC address of Dell laptop

B.

Bill connected to a Rogue access point

C.

Toshiba and Dell laptops share the same hardware address

D.

Bill brute forced the Mac address ACLs

Question # 178

How does a denial-of-service attack work?

A.

A hacker prevents a legitimate user (or group of users) from accessing a service

B.

A hacker uses every character, word, or letter he or she can think of to defeat authentication

C.

A hacker tries to decipher a password by using a system, which subsequently crashes the network

D.

A hacker attempts to imitate a legitimate user by confusing a computer or even another person

Question # 179

What type of session hijacking attack is shown in the exhibit?

EC0-350 question answer

A.

Session Sniffing Attack

B.

Cross-site scripting Attack

C.

SQL Injection Attack

D.

Token sniffing Attack

Question # 180

Blane is a network security analyst for his company. From an outside IP, Blane performs an XMAS scan using Nmap. Almost every port scanned does not elicit a response. What can he infer from this kind of response?

A.

These ports are open because they do not elicit a response.

B.

He can tell that these ports are in stealth mode.

C.

If a port does not respond to an XMAS scan using NMAP, that port is closed.

D.

The scan was not performed correctly using NMAP since all ports, no matter what their state, will elicit some sort of response from an XMAS scan.

Question # 181

LAN Manager Passwords are concatenated to 14 bytes, and split in half. The two halves are hashed individually. If the password is 7 characters or less, then the second half of the hash is always:

A.

0xAAD3B435B51404EE

B.

0xAAD3B435B51404AA

C.

0xAAD3B435B51404BB

D.

0xAAD3B435B51404CC

Question # 182

Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers.

A.

true

B.

false

Question # 183

NetBIOS over TCP/IP allows files and/or printers to be shared over the network. You are trying to intercept the traffic from a victim machine to a corporate network printer. You are attempting to hijack the printer network connection from your laptop by sniffing the wire. Which port does SMB over TCP/IP use?

A.

443

B.

139

C.

179

D.

445

Question # 184

The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). This flag releases the connection resources. However, host A can continue to receive data as long as the SYN sequence numbers of transmitted packets from host B are lower than the packet segment containing the set FIN flag.

A.

false

B.

true

Question # 185

In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them:

FIN = 1

SYN = 2

RST = 4

PSH = 8

ACK = 16

URG = 32

ECE = 64

CWR = 128

Example: To calculate SYN/ACK flag decimal value, add 2 (which is the decimal value of the SYN flag) to 16 (which is the decimal value of the ACK flag), so the result would be 18.

Based on the above calculation, what is the decimal value for XMAS scan?

A.

23

B.

24

C.

41

D.

64

Question # 186

A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog and then halts, what does it indicate?

A.

A buffer overflow attack has been attempted

B.

A buffer overflow attack has already occurred

C.

A firewall has been breached and this is logged

D.

An intrusion detection system has been triggered

E.

The system has crashed

Question # 187

In which step does steganography fit in the CEH System Hacking Cycle (SHC)?

A.

Step 2: Crack the password

B.

Step 1: Enumerate users

C.

Step 3: Escalate privileges

D.

Step 4: Execute applications

E.

Step 5: Hide files

F.

Step 6: Cover your tracks

Question # 188

Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this?

A.

RST flag scanning

B.

FIN flag scanning

C.

SYN flag scanning

D.

ACK flag scanning

Question # 189

You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are redirected to a website seeking you to download free Anti-Virus software.

Dear valued customers,

We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you with total security against the latest spyware, malware, viruses, Trojans and other online threats. Simply visit the link below and enter your antivirus code:

Antivirus code: 5014

http://www.juggyboy/virus/virus.html

Thank you for choosing us, the worldwide leader Antivirus solutions.

Mike Robertson

PDF Reader Support

Copyright Antivirus 2010 © All rights reserved

If you want to stop receiving mail, please go to:

http://www.juggyboy.com

or you may contact us at the following address: Media Internet Consultants, Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama

How will you determine whether this is a real Anti-Virus or a fake Anti-Virus website?

EC0-350 question answer

A.

Look at the website design, if it looks professional then it is a Real Anti-Virus website

B.

Connect to the site using SSL, if you are successful then the website is genuine

C.

Search using the URL and Anti-Virus product name into Google and lookout for suspicious warnings against this site

D.

Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt you and stop the installation if the downloaded file is a malware

E.

Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt you and stop the installation if the downloaded file is a malware

Question # 190

You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c

EC0-350 question answer

What is the hexadecimal value of NOP instruction?

A.

0x60

B.

0x80

C.

0x70

D.

0x90

Question # 191

Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Bob decided to insert 400 characters into the 200-character buffer. (Overflows the buffer). Below is the code snippet:

EC0-350 question answer

How can you fix the problem in the application code shown above?

A.

Because the counter starts with 0, we would stop when the counter is less than 200

B.

Because the counter starts with 0, we would stop when the counter is more than 200

C.

Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it cannot hold any more data

D.

Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it cannot hold any more data

Question # 192

This TCP flag instructs the sending system to transmit all buffered data immediately.

A.

SYN

B.

RST

C.

PSH

D.

URG

E.

FIN

Question # 193

This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.

http://foobar.com/index.html?id=%3Cscript%20src=%22http://baddomain.com/badscript.js%22%3E%3C/script%3E ">See foobar

What is this attack?

A.

Cross-site-scripting attack

B.

SQL Injection

C.

URL Traversal attack

D.

Buffer Overflow attack

Question # 194

Gerald, the Systems Administrator for Hyped Enterprises, has just discovered that his network has been breached by an outside attacker. After performing routine maintenance on his servers, he discovers numerous remote tools were installed that no one claims to have knowledge of in his department. Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to a proxy server in Brazil. Gerald calls the company that owns the proxy server and after searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and after scanning through the logs again, they trace the source back to a proxy server in China. What proxy tool has Gerald's attacker used to cover their tracks?

A.

ISA proxy

B.

IAS proxy

C.

TOR proxy

D.

Cheops proxy

Question # 195

In this type of Man-in-the-Middle attack, packets and authentication tokens are captured using a sniffer. Once the relevant information is extracted, the tokens are placed back on the network to gain access.

EC0-350 question answer

A.

Token Injection Replay attacks

B.

Shoulder surfing attack

C.

Rainbow and Hash generation attack

D.

Dumpster diving attack

Question # 196

While testing web applications, you attempt to insert the following test script into the search area on the company's web site:

<script>alert('Testing Testing Testing')</script>

Later, when you press the search button, a pop up box appears on your screen with the text "Testing Testing Testing". What vulnerability is detected in the web application here?

A.

Cross Site Scripting

B.

Password attacks

C.

A Buffer Overflow

D.

A hybrid attack

Question # 197

Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms. What is this document called?

A.

Information Audit Policy (IAP)

B.

Information Security Policy (ISP)

C.

Penetration Testing Policy (PTP)

D.

Company Compliance Policy (CCP)

Question # 198

Finding tools to run dictionary and brute forcing attacks against FTP and Web servers is an easy task for hackers. They use tools such as arhontus or brutus to break into remote servers.

EC0-350 question answer

A command such as this will attack the FTP and Telnet servers at 10.0.0.34 simultaneously with a list of passwords and a single login name: linksys. Many FTP-specific password-guessing tools are also available from major security sites.

What defensive measures will you take to protect your network from these attacks?

A.

Never leave a default password

B.

Never use a password that can be found in a dictionary

C.

Never use a password related to your hobbies, pets, relatives, or date of birth.

D.

Use a word that has more than 21 characters from a dictionary as the password

E.

Never use a password related to the hostname, domain name, or anything else that can be found with whois

Question # 199

What type of attack is shown here?

EC0-350 question answer

A.

Bandwidth exhaust Attack

B.

Denial of Service Attack

C.

Cluster Service Attack

D.

Distributed Denial of Service Attack

Question # 200

In this attack, a victim receives an e-mail claiming to be from PayPal, stating that their account has been disabled and that confirmation is required before reactivation. The attackers then attempt to collect not one but two credit card numbers, the ATM PIN number and other personal details.

EC0-350 question answer

Ignorant users usually fall prey to this scam. Which of the following statements is incorrect in relation to this attack?

A.

Do not reply to email messages or popup ads asking for personal or financial information

B.

Do not trust telephone numbers in e-mails or popup ads

C.

Review credit card and bank account statements regularly

D.

Antivirus, anti-spyware, and firewall software can very easily detect these type of attacks

E.

Do not send credit card numbers, and personal or financial information via e-mail

Question # 201

What is the default Password Hash Algorithm used by NTLMv2?

A.

MD4

B.

DES

C.

SHA-1

D.

MD5

Question # 202

You are footprinting an organization and gathering competitive intelligence. You visit the company's website for contact information and telephone numbers but do not find them listed there. You know they had the entire staff directory listed on their website 12 months ago but now it is not there. Is there any way you can retrieve information from a website that is outdated?

A.

Visit Google's search engine and view the cached copy

B.

Crawl the entire website and store them into your computer

C.

Visit Archive.org web site to retrieve the Internet archive of the company's website

D.

Visit the company's partners and customers website for this information

Question # 203

In which location are the SAM password hashes stored in Windows 7?

A.

c:\windows\system32\config\SAM

B.

c:\winnt\system32\machine\SAM

C.

c:\windows\etc\drivers\SAM

D.

c:\windows\config\etc\SAM

Question # 204

You have chosen a 22-character word from the dictionary as your password. How long will it take an attacker to crack the password?

A.

16 million years

B.

5 minutes

C.

23 days

D.

200 years

Question # 205

Jess the hacker runs L0phtCrack's built-in sniffer utility that grabs SMB password hashes and stores them for offline cracking. Once cracked, these passwords can provide easy access to whatever network resources the user account has access to. But Jess is not picking up hashes from the network. Why?

A.

The network protocol is configured to use SMB Signing

B.

The physical network wire is on fibre optic cable

C.

The network protocol is configured to use IPSEC

D.

L0phtCrack SMB sniffing only works through Switches and not Hubs

Question # 206

Steve scans the network for SNMP-enabled devices. Which port number should Steve scan?

A.

150

B.

161

C.

169

D.

69

Question # 207

To what concept does "message repudiation" refer in the realm of email security?

A.

Message repudiation means a user can validate which mail server or servers a message was passed through.

B.

Message repudiation means a user can claim damages for a mail message that damaged their reputation.

C.

Message repudiation means a recipient can be sure that a message was sent from a particular person.

D.

Message repudiation means a recipient can be sure that a message was sent from a certain host.

E.

Message repudiation means a sender can claim they did not actually send a particular message.

Question # 208

An XYZ security System Administrator is reviewing the network system log files.

He notes the following:

  • Network log files are at 5 MB at 12:00 noon.
  • At 14:00 hours, the log files are at 3 MB.

What should he assume has happened and what should he do about the situation?

A.

He should contact the attacker’s ISP as soon as possible and have the connection disconnected.

B.

He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy.

C.

He should log the file size, and archive the information, because the router crashed.

D.

He should run a file system check, because the Syslog server has a self correcting file system problem.

E.

He should disconnect from the Internet to discontinue any further unauthorized use, because an attack has taken place.

Question # 209

Which of the following Nmap commands would be used to perform stack fingerprinting?

A.

Nmap -O -p80

B.

Nmap -hU -Q

C.

Nmap -sT -p

D.

Nmap -u -o -w2

E.

Nmap -sS -0p target

Question # 210

You are having problems retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned show all ports open.

Which one of the following statements is probably true?

A.

The systems have all ports open.

B.

The systems are running a host-based IDS.

C.

The systems are web servers.

D.

The systems are running Windows.

Question # 211

While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect's workstation. He comes across a file that is just called "file.txt" but when he opens it, he finds the following:

EC0-350 question answer

What can he infer from this file?

A.

A picture that has been renamed with a .txt extension

B.

An encrypted file

C.

An encoded file

D.

A buffer overflow

Question # 212

Peter extracts the SIDs list from a Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs:

EC0-350 question answer

From the above list identify the user account with System Administrator privileges.

A.

John

B.

Rebecca

C.

Sheela

D.

Shawn

E.

Somia

F.

Chang

G.

Micah

Question # 213

Doug is conducting a port scan of a target network. He knows that his client's target network has a web server and that a mail server is also up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4.

A.

UDP is filtered by a gateway

B.

The packet TTL value is too low and cannot reach the target

C.

The host might be down

D.

The destination network might be down

E.

The TCP window size does not match

F.

ICMP is filtered by a gateway

Question # 214

What does an ICMP (Code 13) message normally indicate?

A.

It indicates that the destination host is unreachable

B.

It indicates to the host that the datagram which triggered the source quench message will need to be re-sent

C.

It indicates that the packet has been administratively dropped in transit

D.

It is a request to the host to cut back the rate at which it is sending traffic to the Internet destination

Question # 215

Which of the following is considered an acceptable option when managing a risk?

A.

Reject the risk.

B.

Deny the risk.

C.

Mitigate the risk.

D.

Initiate the risk.

Question # 216

Which type of scan sends packets with no flags set? Select the answer.

A.

Open Scan

B.

Null Scan

C.

Xmas Scan

D.

Half-Open Scan

Question # 217

While performing ping scans into a target network you get a frantic call from the organization’s security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization’s IDS monitor. How can you modify your scan to prevent triggering this event in the IDS?

A.

Scan more slowly.

B.

Do not scan the broadcast IP.

C.

Spoof the source IP address.

D.

Only scan the Windows systems.

Question # 218

Which of the following is an automated vulnerability assessment tool?

A.

Whack a Mole

B.

Nmap

C.

Nessus

D.

Kismet

E.

Jill32

Question # 219

One of your team members has asked you to analyze the following SOA record. What is the TTL?

Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.

A.

200303028

B.

3600

C.

604800

D.

2400

E.

60

F.

4800

Question # 220

Which of the following activities will NOT be considered passive footprinting?

A.

Go through the rubbish to find out any information that might have been discarded.

B.

Search on financial sites such as Yahoo Financial to identify assets.

C.

Scan the range of IP addresses found in the target DNS database.

D.

Perform multiple queries using a search engine.

Question # 221

A very useful resource for passively gathering information about a target company is:

A.

Host scanning

B.

Whois search

C.

Traceroute

D.

Ping sweep

Question # 222

What is the proper response for a NULL scan if the port is closed?

A.

SYN

B.

ACK

C.

FIN

D.

PSH

E.

RST

F.

No response

Question # 223

Which of the following systems would not respond correctly to an nmap XMAS scan?

A.

Windows 2000 Server running IIS 5

B.

Any Solaris version running SAMBA Server

C.

Any version of IRIX

D.

RedHat Linux 8.0 running Apache Web Server

Question # 224

Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

A.

It is a network fault and the originating machine is in a network loop

B.

It is a worm that is malfunctioning or hardcoded to scan on port 500

C.

The attacker is trying to detect machines on the network which have SSL enabled

D.

The attacker is trying to determine the type of VPN implementation and checking for IPSec

Question # 225

What port scanning method is the most reliable but also the most detectable?

A.

Null Scanning

B.

Connect Scanning

C.

ICMP Scanning

D.

Idlescan Scanning

E.

Half Scanning

F.

Verbose Scanning

Question # 226

While footprinting a network, what port/service should you look for to attempt a zone transfer?

A.

53 UDP

B.

53 TCP

C.

25 UDP

D.

25 TCP

E.

161 UDP

F.

22 TCP

G.

60 TCP

Question # 227

What is the disadvantage of an automated vulnerability assessment tool?

A.

Ineffective

B.

Slow

C.

Prone to false positives

D.

Prone to false negatives

E.

Noisy

Question # 228

Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"?

A.

Overloading Port Address Translation

B.

Dynamic Port Address Translation

C.

Dynamic Network Address Translation

D.

Static Network Address Translation

Question # 229

Which of the following commands runs snort in packet logger mode?

A.

./snort -dev -h ./log

B.

./snort -dev -l ./log

C.

./snort -dev -o ./log

D.

./snort -dev -p ./log

Question # 230

You have initiated an active operating system fingerprinting attempt with nmap against a target system:

EC0-350 question answer

What operating system is the target host running based on the open ports shown above?

A.

Windows XP

B.

Windows 98 SE

C.

Windows NT4 Server

D.

Windows 2000 Server

Question # 231

Paul has just finished setting up his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryption, and enabling MAC filtering on his wireless router. Paul notices that when he uses his wireless connection, the speed is sometimes 54 Mbps and sometimes only 24 Mbps or less. Paul connects to his wireless router's management utility and notices that a machine with an unfamiliar name is connected through his wireless connection. Paul checks the router's logs and notices that the unfamiliar machine has the same MAC address as his laptop. What is Paul seeing here?

A.

MAC spoofing

B.

Macof

C.

ARP spoofing

D.

DNS spoofing

Question # 232

Look at the following SQL query.

SELECT * FROM product WHERE PCategory='computers' or 1=1--'

What will it return? Select the best answer.

A.

All computers and all 1's

B.

All computers

C.

All computers and everything else

D.

Everything except computers

Question # 233

Which of the following is NOT a valid NetWare access level?

A.

Not Logged in

B.

Logged in

C.

Console Access

D.

Administrator

Question # 234

How many bits of encryption does SHA-1 use?

A.

64 bits

B.

128 bits

C.

160 bits

D.

256 bits

Question # 235

To scan a host downstream from a security gateway, Firewalking:

A.

Sends a UDP-based packet that it knows will be blocked by the firewall to determine how specifically the firewall responds to such packets

B.

Uses the TTL function to send packets with a TTL value set to expire one hop past the identified security gateway

C.

Sends an ICMP “administratively prohibited” packet to determine if the gateway will drop the packet without comment.

D.

Assesses the security rules that relate to the target system before it sends packets to any hops on the route to the gateway

Question # 236

Clive is conducting a pen-test and has just port scanned a system on the network. He has identified the operating system as Linux and has been able to elicit responses from ports 23, 25 and 53. He infers that port 23 is running the Telnet service, port 25 the SMTP service and port 53 the DNS service. The client confirms these findings and attests to the current availability of the services. When he tries to telnet to port 23 or 25, he gets a blank screen in response. On typing other commands, he sees only blank spaces or underscore symbols on the screen. What are you most likely to infer from this?

A.

The services are protected by TCP wrappers

B.

There is a honeypot running on the scanned machine

C.

An attacker has replaced the services with trojaned ones

D.

This indicates that the telnet and SMTP server have crashed

Question # 237

If you receive a RST packet while doing an ACK scan, it indicates that the port is open. (True/False)

A.

True

B.

False

Question # 238

In an attempt to secure his 802.11b wireless network, Ulf decides to use strategic antenna positioning. He places the antennas for the access points near the center of the building. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the building’s center. There is a large parking lot and outlying field surrounding the building that extends out half a mile around the building. Ulf figures that with this and his placement of antennas, his wireless network will be safe from attack.

Which of the following statements is true?

A.

With the 300 feet limit of a wireless signal, Ulf’s network is safe.

B.

Wireless signals can be detected from miles away, Ulf’s network is not safe.

C.

Ulf’s network will be safe but only if he doesn’t switch to 802.11a.

D.

Ulf’s network will not be safe until he also enables WEP.

Question # 239

If you come across a sheepdip machine at your client’s site, what should you do?

A.

A sheepdip computer is used only for virus-checking.

B.

A sheepdip computer is another name for a honeypot

C.

A sheepdip coordinates several honeypots.

D.

A sheepdip computer defers a denial of service attack.

Question # 240

Which of the following should be performed first in any penetration test?

A.

System identification

B.

Intrusion Detection System testing

C.

Passive information gathering

D.

Firewall testing

Question # 241

What makes web application vulnerabilities so aggravating? (Choose two)

A.

They can be launched through an authorized port.

B.

A firewall will not stop them.

C.

They exist only on the Linux platform.

D.

They are detectable by most leading antivirus software.

Question # 242

Snort is an open source intrusion detection system, but it can also be used for a few other purposes.

Which of the choices below indicate the other features offered by Snort?

A.

IDS, Packet Logger, Sniffer

B.

IDS, Firewall, Sniffer

C.

IDS, Sniffer, Proxy

D.

IDS, Sniffer, content inspector

Question # 243

You find the following entries in your web log. Each shows attempted access to either root.exe or cmd.exe.

What caused this?

EC0-350 question answer

A.

The Morris worm

B.

The PIF virus

C.

Trinoo

D.

Nimda

E.

Code Red

F.

Ping of Death

Question # 244

You may be able to identify the IP addresses and machine names for the firewall, and the names of internal mail servers by:

A.

Sending a mail message to a valid address on the target network, and examining the header information generated by the IMAP servers

B.

Examining the SMTP header information generated by using the -mx command parameter of DIG

C.

Examining the SMTP header information generated in response to an e-mail message sent to an invalid address

D.

Sending a mail message to an invalid address on the target network, and examining the header information generated by the POP servers

Question # 245

Which of the following is one of the key features found in a worm but not seen in a virus?

A.

The payload is very small, usually below 800 bytes.

B.

It is self replicating without need for user intervention.

C.

It does not have the ability to propagate on its own.

D.

All of them cannot be detected by virus scanners.

Question # 246

There are two types of honeypots: high and low interaction. Which of these describes a low interaction honeypot? Select the best answers.

A.

Emulators of vulnerable programs

B.

More likely to be penetrated

C.

Easier to deploy and maintain

D.

Tend to be used for production

E.

More detectable

F.

Tend to be used for research

Question # 247

What is the key advantage of Session Hijacking?

A.

It can be easily done and does not require sophisticated skills.

B.

You can take advantage of an authenticated connection.

C.

You can successfully predict the sequence number generation.

D.

You cannot be traced in case the hijack is detected.

Question # 248

In an attempt to secure his wireless network, Bob turns off broadcasting of the SSID. He concludes that since his access points require the client computer to have the proper SSID, this would prevent others from connecting to the wireless network. Unfortunately, unauthorized users are still able to connect to the wireless network.

Why do you think this is possible?

A.

Bob forgot to turn off DHCP.

B.

All access points are shipped with a default SSID.

C.

The SSID is still sent inside both client and AP packets.

D.

Bob’s solution only works in ad-hoc mode.

Question # 249

There is some dispute between two network administrators at your company. Your boss asks you to come and meet with the administrators to set the record straight. Which of these are true about PKI and encryption?

Select the best answers.

A.

PKI provides data with encryption, compression, and restorability.

B.

Public-key encryption was invented in 1976 by Whitfield Diffie and Martin Hellman.

C.

When it comes to eCommerce, as long as you have authenticity, and authenticity, you do not need encryption.

D.

RSA is a type of encryption.

Question # 250

Which of the following best describes session key creation in SSL?

A.

It is created by the server after verifying the user's identity

B.

It is created by the server upon connection by the client

C.

It is created by the client from the server's public key

D.

It is created by the client after verifying the server's identity

Question # 251

802.11b is considered a ____________ protocol.

A.

Connectionless

B.

Secure

C.

Unsecure

D.

Token ring based

E.

Unreliable

Question # 252

After studying the following log entries, how many user IDs can you identify that the attacker has tampered with?

1. mkdir -p /etc/X11/applnk/Internet/.etc

2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd

3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd

4. touch -acmr /etc /etc/X11/applnk/Internet/.etc

5. passwd nobody -d

6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash

7. passwd dns -d

8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd

9. touch -acmr /etc/X11/applnk/Internet/.etc /etc

A.

IUSR_

B.

acmr, dns

C.

nobody, dns

D.

nobody, IUSR_

Question # 253

Jacob would like your advice on using a wireless hacking tool that can save him time and get him better results with fewer packets. You would like to recommend a tool that uses KoreK's implementation. Which tool would you recommend from the list below?

A.

Kismet

B.

Shmoo

C.

Aircrack

D.

John the Ripper

Question # 254

Jim’s organization has just completed a major Linux roll-out and now all of the organization’s systems are running the Linux 2.5 kernel. The roll-out expenses have posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ.

Which built-in functionality of Linux can achieve this?

A.

IP Tables

B.

IP Chains

C.

IP Sniffer

D.

IP ICMP

Question # 255

On a backdoored Linux box there is a possibility that legitimate programs are modified or trojaned. How is it possible to list processes and uids associated with them in a more reliable manner?

A.

Use "ls"

B.

Use "lsof"

C.

Use "echo"

D.

Use "netstat"

Question # 256

What is Hunt used for?

A.

Hunt is used to footprint networks

B.

Hunt is used to sniff traffic

C.

Hunt is used to hack web servers

D.

Hunt is used to intercept traffic i.e. man-in-the-middle traffic

E.

Hunt is used for password cracking

Question # 257

This packet was taken from a packet sniffer that monitors a Web server.

EC0-350 question answer

This packet was originally 1514 bytes long, but only the first 512 bytes are shown here. This is the standard hexdump representation of a network packet, before being decoded. A hexdump has three columns: the offset of each line, the hexadecimal data, and the ASCII equivalent. This packet contains a 14-byte Ethernet header, a 20-byte IP header, a 20-byte TCP header, an HTTP header ending in two line-feeds (0D 0A 0D 0A) and then the data. By examining the packet, identify the name and version of the Web server.

A.

Apache 1.2

B.

IIS 4.0

C.

IIS 5.0

D.

Linux WServer 2.3

Question # 258

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

What is the most common cause of buffer overflow in software today?

A.

Bad permissions on files.

B.

High bandwidth and large number of users.

C.

Usage of non standard programming languages.

D.

Bad quality assurance on software produced.

Question # 259

What does black box testing mean?

A.

You have full knowledge of the environment

B.

You have no knowledge of the environment

C.

You have partial knowledge of the environment

Question # 260

Joe Hacker is going wardriving. He is going to use PrismStumbler and wants it to go to a GPS mapping software application. What is the recommended and well-known GPS mapping package that would interface with PrismStumbler?

Select the best answer.

A.

GPSDrive

B.

GPSMap

C.

WinPcap

D.

Microsoft Mappoint

Question # 261

Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload?

A.

Defrag

B.

Tcpfrag

C.

Tcpdump

D.

Fragroute

Question # 262

Jane has just accessed her preferred e-commerce web site and she has seen an item she would like to buy. Jane considers the price a bit too steep; she looks at the page source code and decides to save the page locally to modify some of the page variables. In the context of web application security, what do you think Jane has changed?

A.

An integer variable

B.

A 'hidden' price value

C.

A 'hidden' form field value

D.

A page cannot be changed locally; it can only be served by a web server

Question # 263

Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address. She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above?

A.

Smurf

B.

Bubonic

C.

SYN Flood

D.

Ping of Death
