
312-50 Exam Questions - Online Test



Q1. While attempting to discover the remote operating system on the target computer, you receive the following results from an nmap scan: 

Starting nmap V. 3.10ALPHA9 ( www.insecure.org/nmap/ )
Interesting ports on 172.121.12.222:
(The 1592 ports scanned but not shown below are in state: filtered)
Port     State    Service
21/tcp   open     ftp
25/tcp   open     smtp
53/tcp   closed   domain
80/tcp   open     http
443/tcp  open     https
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed -- 1 IP address (1 host up) scanned in 277.483 seconds

What should be your next step to identify the OS? 

A. Perform a firewalk with that system as the target IP 

B. Perform a tcp traceroute to the system using port 53 

C. Run an nmap scan with the -v -v option to give a better output 

D. Connect to the active services and review the banner information 

Answer: D

Explanation: Most people don’t care about changing the banners presented by applications listening to open ports and therefore you should get fairly accurate information when grabbing banners from open ports with, for example, a telnet application. 

Q2. Exhibit: * Missing* 

Jason's Web server was attacked by a trojan virus. He runs protocol analyzer and notices that the trojan communicates to a remote server on the Internet. Shown below is the standard "hexdump" representation of the network packet, before being decoded. Jason wants to identify the trojan by looking at the destination port number and mapping to a trojan-port number database on the Internet. Identify the remote server's port number by decoding the packet? 

A. Port 1890 (Net-Devil Trojan) 

B. Port 1786 (Net-Devil Trojan) 

C. Port 1909 (Net-Devil Trojan) 

D. Port 6667 (Net-Devil Trojan) 

Answer: D

Explanation: From the trace, 0x1A0B is 6667 in decimal, the Internet Relay Chat (IRC) port, which is one port used. Other ports are in the 900's. 

Q3. In which step does steganography fit in the CEH System Hacking Cycle (SHC)? 

A. Step 2: Crack the password 

B. Step 1: Enumerate users 

C. Step 3: Escalate privileges 

D. Step 4: Execute applications 

E. Step 5: Hide files 

F. Step 6: Cover your tracks 

Answer: ACDEF

Q4. Liza has forgotten her password to an online bookstore. The web application asks her to key in her email so that they can send her the password. Liza enters her email as liza@yahoo.com'. The application displays a server error. What is wrong with the web application? 

A. The email is not valid 

B. User input is not sanitized 

C. The web server may be down 

D. The ISP connection is not reliable 

Answer: B

Explanation: All input from web browsers, such as user data from HTML forms and cookies, must be stripped of special characters and HTML tags as described in the following CERT advisories: http://www.cert.org/advisories/CA-1997-25.html http://www.cert.org/advisories/CA-2000-02.html 

Q5. During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces? 

A. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses. 

B. Send your attack traffic and look for it to be dropped by the IDS. 

C. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network. 

D. The sniffing interface cannot be detected. 

Answer: D

Explanation: When a NIC is set to promiscuous mode, it just blindly takes whatever comes through to its network interface and sends it to the application layer. This is why such interfaces are so hard to detect. Actually, you could send ARP requests to every PC, and the one that responds to all the requests can be identified as a NIC in promiscuous mode; there are some very special programs that can do this for you. But considering the alternatives in the question, the right answer has to be that the interface cannot be detected. 

Q6. While reviewing the result of scanning run against a target network you come across the following: 

Which among the following can be used to get this output? 

A. A Bo2k system query. 

B. nmap protocol scan 

C. A sniffer 

D. An SNMP walk 

Answer: D

Explanation: SNMP lets you "read" information from a device. You make a query of the server (generally known as the "agent"). The agent gathers the information from the host system and returns the answer to your SNMP client. It's like having a single interface for all your informative Unix commands. Output like system.sysContact.0 is called a MIB. 

Q7. You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of which protocols are being used. You need to discover as many different protocols as possible. 

Which kind of scan would you use to achieve this? (Choose the best answer) 

A. Nessus scan with TCP based pings. 

B. Nmap scan with the -sP (Ping scan) switch. 

C. Netcat scan with the -u -e switches. 

D. Nmap with the -sO (Raw IP packets) switch. 

Answer: D

Explanation: Running Nmap with the -sO switch will do an IP protocol scan. The IP protocol scan is a bit different from the other nmap scans. The IP protocol scan searches for additional IP protocols in use by the remote station, such as ICMP, TCP, and UDP. If a router is scanned, additional IP protocols such as EGP or IGP may be identified. 

Q8. In which location are the SAM hashed passwords stored in Windows 7? 

A. c:\windows\system32\config\SAM 

B. c:\winnt\system32\machine\SAM 

C. c:\windows\etc\drivers\SAM 

D. c:\windows\config\etc\SAM 

Answer: A

Q9. You are doing IP spoofing while you scan your target. You find that the target has port 23 open. However, you are unable to connect. Why? 

A. A firewall is blocking port 23 

B. You cannot spoof + TCP 

C. You need an automated telnet tool 

D. The OS does not reply to telnet even if port 23 is open 

Answer: A

Explanation: The question does not tell you what state the scanning utility reports for the port. If the program used to conduct the scan is nmap, nmap will show you one of three states: "open", "closed", or "filtered". A port can be in an "open" state yet filtered, usually by a stateful packet inspection filter (i.e. Netfilter for Linux, ipfilter for BSD). C and D do not make any sense for this question; they're bogus. As for B, "You cannot spoof + TCP": you can spoof + TCP, so we strike that out. 

Q10. Vulnerability mapping occurs after which phase of a penetration test? 

A. Host scanning 

B. Passive information gathering 

C. Analysis of host scanning 

D. Network level discovery 

Answer: C

Explanation: The order should be Passive information gathering, Network level discovery, Host scanning and Analysis of host scanning.