EC-Council 312-50v13 Certified Ethical Hacker Exam (CEHv13) Online Training

Question #11

Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication?

A . 113
B . 69
C . 123
D . 161

Reveal Solution Hide Solution

Question #12

Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?

A . Nikto
B . John the Ripper
C . Dsniff
D . Snort

Reveal Solution Hide Solution

Question #13

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up.

What is the most likely cause?

A . The network devices are not all synchronized.
B . Proper chain of custody was not observed while collecting the logs.
C . The attacker altered or erased events from the logs.
D . The security breach was a false positive.

Reveal Solution Hide Solution

Question #14

During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded.

What type of firewall is inspecting outbound traffic?

A . Circuit
B . Stateful
C . Application
D . Packet Filtering

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

https://en.wikipedia.org/wiki/Internet_Relay_Chat

Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in text. The chat process works on a client/server networking model. IRC clients are computer programs that users can install on their system or web-based applications running either locally in the browser or on a third-party server. These clients communicate with chat servers to transfer messages to other clients.

IRC is a plaintext protocol that is officially assigned port 194, according to IANA. However, running the service on this port requires running it with root-level permissions, which is inadvisable. As a result, the well-known port for IRC is 6667, a high-number port that does not require elevated privileges. However, an IRC server can also be configured to run on other ports as well.

You can’t tell if an IRC server is designed to be malicious solely based on port number. Still, if you see an IRC server running on port a WKP such as 80, 8080, 53, 443, it’s almost always going to be malicious; the only real reason for IRCD to be running on port 80 is to try to evade firewalls.

https://en.wikipedia.org/wiki/Application_firewall

An application firewall is a form of firewall that controls input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The application firewall can control communications up to the OSI model’s application layer, which is the highest operating layer, and where it gets its name. The two primary categories of application firewalls are network-based and host-based.

Application layer filtering operates at a higher level than traditional security appliances. This allows packet decisions to be made based on more than just source/destination IP Addresses or ports. It can also use information spanning across multiple connections for any given host.

Network-based application firewalls

Network-based application firewalls operate at the application layer of a TCP/IP stack. They can understand certain applications and protocols such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications or services using a non-standard port or detect if an allowed protocol is being abused.

Host-based application firewalls

A host-based application firewall monitors application system calls or other general system communication. This gives more granularity and control but is limited to only protecting the host it is running on. Control is applied by filtering on a per-process basis. Generally, prompts are used to define rules for processes that have not yet received a connection. Further filtering can be done by examining the process ID of the owner of the data packets. Many host-based application firewalls are combined or used in conjunction with a packet filter.

Question #15

By using a smart card and pin, you are using a two-factor authentication that satisfies

A . Something you are and something you remember
B . Something you have and something you know
C . Something you know and something you are
D . Something you have and something you are

Reveal Solution Hide Solution

Question #16

“……..is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on

the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hot-spot by posing as a legitimate provider. This type of attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.”

Fill in the blank with appropriate choice.

A . Evil Twin Attack
B . Sinkhole Attack
C . Collision Attack
D . Signal Jamming Attack

Reveal Solution Hide Solution

Question #17

What term describes the amount of risk that remains after the vulnerabilities are classified and the countermeasures have been deployed?

A . Residual risk
B . Impact risk
C . Deferred risk
D . Inherent risk

Reveal Solution Hide Solution

Question #18

Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized packets to the target computer, making it very difficult for an IDS to detect the attack signatures.

Which tool can be used to perform session splicing attacks?

A . tcpsplice
B . Burp
C . Hydra
D . Whisker

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

«Many IDS reassemble communication streams; hence, if a packet is not received within a reasonable period, many IDS stop reassembling and handling that stream. If the application under attack keeps a session active for a longer time than that spent by the IDS on reassembling it, the IDS will stop. As a result, any session after the IDS stops reassembling the sessions will be susceptible to malicious data theft by attackers. The IDS will not log any attack attempt after a successful splicing attack. Attackers can use tools such as Nessus for session splicing attacks.»

Did you know that the EC-Council exam shows how well you know their official book? So, there is no "Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the recommended tool for performing a session-splicing attack is Nessus. Where Wisker came from is not entirely clear, but I will assume the author of the question found it while copying Wikipedia.

https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques

One basic technique is to split the attack payload into multiple small packets so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. The ‘whisker’ evasion tool calls crafting packets with small payloads ‘session splicing’.

By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet re-assemblers but not the target computer. NOTE: Yes, I found scraps of information about the tool that existed in 2012, but I can not give you unverified information. According to the official tutorials, the correct answer is Nessus, but if you know anything about Wisker, please write in the QA section. Maybe this question will be updated soon, but I’m not sure about that.

Question #19

You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly.

What is the best Nmap command you will use?

A . nmap -T4 -q 10.10.0.0/24
B . nmap -T4 -F 10.10.0.0/24
C . nmap -T4 -r 10.10.1.0/24
D . nmap -T4 -O 10.10.0.0/24

Reveal Solution Hide Solution

Question #20

Which of the following is the BEST way to defend against network sniffing?

A . Using encryption protocols to secure network communications
B . Register all machines MAC Address in a Centralized Database
C . Use Static IP Address
D . Restrict Physical Access to Server Rooms hosting Critical Servers

Reveal Solution Hide Solution