Shortcuts To 312-50 (381 to 390)


Proper study guides for the EC-Council Ethical Hacking and Countermeasures (CEHv6) certification begin with EC-Council 312-50 preparation products, which are designed to deliver the highest-quality 312-50 questions so that you pass the 312-50 test on your first attempt. Try the free 312-50 demo right now.

Q381. Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack, allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload?

A. Defrag 

B. Tcpfrag 

C. Tcpdump 

D. Fragroute 

Answer: D

Explanation: fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour. 

Q382. Gerald, the systems administrator for Hyped Enterprise, has just discovered that his network has been breached by an outside attacker. After performing routine maintenance on his servers, he discovers numerous remote tools were installed that no one in his department claims to have knowledge of.

Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to a proxy server in Brazil.

Gerald calls the company that owns the proxy server and, after searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and, after scanning through the logs again, they trace the source back to a proxy server in China.

What tool did Gerald's attacker use to cover their tracks?

A. Tor 



D. Cheops 

Answer: A

Explanation: Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs). 

Q383. While performing ping scans into a target network you get a frantic call from the organization’s security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization’s IDS monitor. How can you modify your scan to prevent triggering this event in the IDS? 

A. Scan more slowly. 

B. Do not scan the broadcast IP. 

C. Spoof the source IP address. 

D. Only scan the Windows systems. 

Answer: B

Explanation: Scanning the broadcast address makes the scan target all IP addresses on that subnet at the same time. 

Q384. Bob has set up three web servers on Windows Server 2003 IIS 6.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of this server because of the potential for financial loss. Bob has asked his company’s firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network. 

Why will this not be possible? 

A. Firewalls can’t inspect traffic coming through port 443 

B. Firewalls can only inspect outbound traffic 

C. Firewalls can’t inspect traffic coming through port 80 

D. Firewalls can’t inspect traffic at all, they can only block or allow certain ports 


Explanation: In order to really inspect traffic and traffic patterns you need an IDS. 

Q385. One of the effective DoS/DDoS countermeasures is 'Throttling'. Which statement correctly defines this term? 

A. Set up routers that access a server with logic to adjust incoming traffic to levels that will be safe for the server to process 

B. Providers can increase the bandwidth on critical connections to prevent them from going down in the event of an attack 

C. Replicating servers that can provide additional failsafe protection 

D. Load balance each server in a multiple-server architecture 

Answer: A

Q386. Basically, there are two approaches to network intrusion detection: signature detection, and anomaly detection. The signature detection approach utilizes well-known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous history of network traffic to search for patterns that are abnormal, which would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of his attack going undetected by the IDS? 

A. He can use a shellcode that will perform a reverse telnet back to his machine 

B. He can use a dynamic return address to overwrite the correct value in the target machine computer memory 

C. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice 

D. He can use polymorphic shellcode, with a tool such as ADMmutate, to change the signature of his exploit as seen by a network IDS

Answer: D

Explanation: ADMmutate uses a polymorphic technique designed to circumvent certain forms of signature-based intrusion detection. All network-based remote buffer overflow exploits have similarities in how they function. ADMmutate has the ability to emulate the protocol of the service the attacker is attempting to exploit. The data payload (sometimes referred to as an egg) contains the instructions the attacker wants to execute on the target machine. These eggs are generally interchangeable and can be utilized in many different buffer overflow exploits. ADMmutate uses several techniques to randomize the contents of the egg in any given buffer overflow exploit. This randomization effectively changes the content or 'signature' of the exploit without changing the functionality of the exploit.

Q387. Assuming two systems are using IPsec to protect traffic over the internet, what type of general attack could compromise the data?

A. Spoof Attack 

B. Smurf Attack 

C. Man in the Middle Attack 

D. Trojan Horse Attack 

E. Back Orifice Attack 

Answer: DE

Explanation: To compromise the data, the attack would need to be executed before the encryption takes place at either end of the tunnel. Trojan Horse and Back Orifice attacks both allow for potential data manipulation on host computers. In both cases, the data would be compromised either before encryption or after decryption, so IPsec is not preventing the attack. 

Q388. A Trojan horse is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but in addition to the expected function steals information or harms the system. 

The challenge for an attacker is to send a convincing file attachment to the victim, which gets easily executed on the victim machine without raising any suspicion. Today's end users are quite knowledgeable about malware and viruses. Instead of sending games and fun executables, hackers today are quite successful in spreading Trojans using rogue security software.

What is rogue security software?

A. A flash file extension to Firefox that gets automatically installed when a victim visits rogue software disabling websites 

B. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. 

C. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. 

D. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. 

E. Rogue security software is based on a social engineering technique in which the attacker lures the victim to visit spear phishing websites

F. This software disables firewalls and establishes reverse connecting tunnel between the victim's machine and that of the attacker 

Answer: BCD

Q389. What is Cygwin? 

A. Cygwin is a free C++ compiler that runs on Windows 

B. Cygwin is a free Unix subsystem that runs on top of Windows 

C. Cygwin is a free Windows subsystem that runs on top of Linux 

D. Cygwin is an X Windows GUI subsystem that runs on top of the Linux GNOME environment


Explanation: Cygwin is a Linux-like environment for Windows. It consists of two parts: 

A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality. 

A collection of tools which provide Linux look and feel. 

The Cygwin DLL works with all non-beta, non "release candidate", ix86 32 bit versions of Windows since Windows 95, with the exception of Windows CE. 

Q390. Which of the following tools are used for enumeration? (Choose three.) 

A. SolarWinds 


C. Cheops 


E. DumpSec 

Answer: BDE

Explanation: USER2SID, SID2USER, and DumpSec are three of the tools used for system enumeration. Others are tools such as NAT and Enum. Knowing which tools are used in each step of the hacking methodology is an important goal of the CEH exam. You should spend a portion of your time preparing for the test practicing with the tools and learning to understand their output. 
