ECCouncil-312-50v12.pdf

Full Transcript

ECCouncil

312-50v12

Certified Ethical
Hacker Exam
(CEHv12)
Version: 6.3

[ Total Questions: 572]
Web: www.dumpspedia.com

Email: [email protected]
IMPORTANT NOTICE
Feedback
We have developed quality product and state-of-art service to ensure our customers interest. If you have any
suggestions, please feel free to contact us at [email protected]

Support
If you have any questions about our product, please provide the following items:

exam code
screenshot of the question
login id/email

please contact us at [email protected] and our technical experts will provide support within 24 hours.

Copyright
The product of each order has its own encryption code, so you should use it independently. Any unauthorized
changes will inflict legal punishment. We reserve the right of final explanation for this statement.
Braindumps Questions ECCouncil - 312-50v12

Exam Topic Breakdown
Exam Topic Number of Questions
Topic 1 : Exam Pool A 141
Topic 2 : Exam Pool B 182
Topic 3 : Exam Pool C 249
TOTAL 572

100% Success with DumpsPedia.com 1 of 368
Braindumps Questions ECCouncil - 312-50v12

Topic 1, Exam Pool A
Question #:1 - (Exam Topic 1)

User A is writing a sensitive email message to user B outside the local network. User A has chosen to use PKI
to secure his message and ensure only user B can read the sensitive email. At what layer of the OSI layer does
the encryption and decryption of the message take place?

A. Application

B. Transport

C. Session

D. Presentation

Answer: D

Explanation
https://en.wikipedia.org/wiki/Presentation_layer

In the seven-layer OSI model of computer networking, the presentation layer is layer 6 and serves as the data
translator for the network. It is sometimes called the syntax layer. The presentation layer is responsible for the
formatting and delivery of information to the application layer for further processing or display.

Encryption is typically done at this level too, although it can be done on the application, session, transport, or
network layers, each having its own advantages and disadvantages. Decryption is also handled at the
presentation layer. For example, when logging on to bank account sites the presentation layer will decrypt the
data as it is received.

Question #:2 - (Exam Topic 1)

If a tester is attempting to ping a target that exists but receives no response or a response that states the
destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option
could the tester use to get a response from a host using TCP?

A. Traceroute

B. Hping

C. TCP ping

D. Broadcast ping

Answer: B

Explanation

100% Success with DumpsPedia.com 2 of 368
Braindumps Questions ECCouncil - 312-50v12

https://tools.kali.org/information-gathering/hping3

http://www.carnal0wnage.com/papers/LSO-Hping2-Basics.pdf

Question #:3 - (Exam Topic 1)

CompanyXYZ has asked you to assess the security of their perimeter email gateway. From your office in New
York, you craft a specially formatted email message and send it across the Internet to an employee of
CompanyXYZ. The employee of CompanyXYZ is aware of your test. Your email message looks like this:

From: [email protected]

To: [email protected] Subject: Test message

Date: 4/3/2017 14:37

The employee of CompanyXYZ receives your email message.

This proves that CompanyXYZ’s email gateway doesn’t prevent what?

A. Email Masquerading

B. Email Harvesting

C. Email Phishing

D. Email Spoofing

Answer: D

Explanation
Email spoofing is the fabrication of an email header in the hopes of duping the recipient into thinking the
email originated from someone or somewhere other than the intended source. Because core email protocols do
not have a built-in method of authentication, it is common for spam and phishing emails to use said spoofing
to trick the recipient into trusting the origin of the message.

The ultimate goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.
Although the spoofed messages are usually just a nuisance requiring little action besides removal, the more
malicious varieties can cause significant problems and sometimes pose a real security threat.

Question #:4 - (Exam Topic 1)

When you are getting information about a web server, it is very important to know the HTTP Methods (GET,
POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and
DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect
all these methods (GET, POST, HEAD, DELETE, PUT, TRACE) using NMAP script engine. What Nmap
script will help you with this task?

A.

100% Success with DumpsPedia.com 3 of 368
Braindumps Questions ECCouncil - 312-50v12

A. http-methods

B. http enum

C. http-headers

D. http-git

Answer: A

Question #:5 - (Exam Topic 1)

Suppose your company has just passed a security risk assessment exercise. The results display that the risk of
the breach in the main company application is 50%. Security staff has taken some measures and

implemented the necessary controls. After that, another security risk assessment was performed showing that
risk has decreased to 10%. The risk threshold for the application is 20%. Which of the following risk decisions
will be the best for the project in terms of its successful continuation with the most business profit?

A. Accept the risk

B. Introduce more controls to bring risk to 0%

C. Mitigate the risk

D. Avoid the risk

Answer: A

Explanation
Risk Mitigation

Risk mitigation can be defined as taking steps to reduce adverse effects. There are four types of risk mitigation
strategies that hold unique to Business Continuity and Disaster Recovery. When mitigating risk, it’s important
to develop a strategy that closely relates to and matches your company’s profile.

A picture containing diagram Description automatically generated

100% Success with DumpsPedia.com 4 of 368
Braindumps Questions ECCouncil - 312-50v12

Risk Acceptance

Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a
common option when the cost of other risk management options such as avoidance or limitation may outweigh
the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not
have a high possibility of occurring will use the risk acceptance strategy.

Risk Avoidance

Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk
whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation
options.

100% Success with DumpsPedia.com 5 of 368
Braindumps Questions ECCouncil - 312-50v12

Risk Limitation

Risk limitation is the most common risk management strategy used by businesses. This strategy limits a
company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance and a bit of risk
avoidance or an average of both. An example of risk limitation would be a company accepting that a disk drive
may fail and avoiding a long period of failure by having backups.

Risk Transference

Risk transference is the involvement of handing risk off to a willing third party. For example, numerous
companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial
for a company if a transferred risk is not a core competency of that company. It can also be used so a company
can focus more on its core competencies.

Question #:6 - (Exam Topic 1)

One of your team members has asked you to analyze the following SOA record.

What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

A. 200303028

B. 3600

C. 604800

D. 2400

E. 60

F. 4800

Answer: D

Question #:7 - (Exam Topic 1)

Under what conditions does a secondary name server request a zone transfer from a primary name server?

A. When a primary SOA is higher that a secondary SOA

B. When a secondary SOA is higher that a primary SOA

C. When a primary name server has had its service restarted

D. When a secondary name server has had its service restarted

E. When the TTL falls to zero

100% Success with DumpsPedia.com 6 of 368
Braindumps Questions ECCouncil - 312-50v12

Answer: A

Question #:8 - (Exam Topic 1)

Which of the following programs is usually targeted at Microsoft Office products?

A. Polymorphic virus

B. Multipart virus

C. Macro virus

D. Stealth virus

Answer: C

Explanation
A macro virus is a virus that is written in a macro language: a programming language which is embedded
inside a software application (e.g., word processors and spreadsheet applications). Some applications, such as
Microsoft Office, allow macro programs to be embedded in documents such that the macros are run
automatically when the document is opened, and this provides a distinct mechanism by which malicious
computer instructions can spread. (Wikipedia)

NB: The virus Melissa is a well-known macro virus we could find attached to word documents.

Question #:9 - (Exam Topic 1)

Which of the following is a component of a risk assessment?

A. Administrative safeguards

B. Physical security

C. DMZ

D. Logical interface

Answer: A

Question #:10 - (Exam Topic 1)

Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized packets
to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be
used to perform session splicing attacks?

A.

100% Success with DumpsPedia.com 7 of 368
Braindumps Questions ECCouncil - 312-50v12

A. tcpsplice

B. Burp

C. Hydra

D. Whisker

Answer: D

Explanation
«Many IDS reassemble communication streams; hence, if a packet is not received within a reasonable period,
many IDS stop reassembling and handling that stream. If the application under attack keeps a session active
for a longer time than that spent by the IDS on reassembling it, the IDS will stop. As a result, any session after
the IDS stops reassembling the sessions will be susceptible to malicious data theft by attackers. The IDS will
not log any attack attempt after a successful splicing attack. Attackers can use tools such as Nessus for session
splicing attacks.»

Did you know that the EC-Council exam shows how well you know their official book? So, there is no
"Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the recommended tool for performing a
session-splicing attack is Nessus. Where Wisker came from is not entirely clear, but I will assume the author
of the question found it while copying Wikipedia.

https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques

One basic technique is to split the attack payload into multiple small packets so that the IDS must reassemble
the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an
adversary can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets
with small payloads 'session splicing'.

By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can
be further modified in order to complicate reassembly and detection. One evasion technique is to pause
between sending parts of the attack, hoping that the IDS will time out before the target computer does. A
second evasion technique is to send the packets out of order, confusing simple packet re-assemblers but not the
target computer.

NOTE: Yes, I found scraps of information about the tool that existed in 2012, but I can not give you
unverified information. According to the official tutorials, the correct answer is Nessus, but if you know
anything about Wisker, please write in the QA section. Maybe this question will be updated soon, but I'm not
sure about that.

Question #:11 - (Exam Topic 1)

Which of the following tools can be used to perform a zone transfer?

A. NSLookup

B. Finger

C.

100% Success with DumpsPedia.com 8 of 368
Braindumps Questions ECCouncil - 312-50v12

C. Dig

D. Sam Spade

E. Host

F. Netcat

G. Neotrace

Answer: A C D E

Question #:12 - (Exam Topic 1)

Scenario1:

1.Victim opens the attacker's web site.

2.Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make

$1000 in a day?'.

3.Victim clicks to the interesting and attractive content URL.

4.Attacker creates a transparent 'iframe' in front of the URL which victim attempts to click, so victim thinks
that he/she clicks to the 'Do you want to make $1000 in a day?' URL but actually he/she clicks to the content
or URL that exists in the transparent 'iframe' which is setup by the attacker.

What is the name of the attack which is mentioned in the scenario?

A. Session Fixation

B. HTML Injection

C. HTTP Parameter Pollution

D. Clickjacking Attack

Answer: D

Explanation
https://en.wikipedia.org/wiki/Clickjacking

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as
another element. This can cause users to unwittingly download malware, visit malicious web pages, provide
credentials or sensitive information, transfer money, or purchase products online.

Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on

100% Success with DumpsPedia.com 9 of 368
Braindumps Questions ECCouncil - 312-50v12

top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking
an invisible element in the additional page transposed on top of it.

Question #:13 - (Exam Topic 1)

Which regulation defines security and privacy controls for Federal information systems and organizations?

A. HIPAA

B. EU Safe Harbor

C. PCI-DSS

D. NIST-800-53

Answer: D

Explanation
NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal
information systems except those related to national security. It is published by the National Institute of
Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce.
NIST develops and issues standards, guidelines, and other publications to assist federal agencies in
implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with
managing cost-effective programs to protect their information and information systems.

Question #:14 - (Exam Topic 1)

The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the
Central Processing Unit (CPU), rather than passing only the frames that the controller is intended to receive.
Which of the following is being described?

A. Multi-cast mode

B. Promiscuous mode

C. WEM

D. Port forwarding

Answer: B

Question #:15 - (Exam Topic 1)

PGP, SSL, and IKE are all examples of which type of cryptography?

A. Digest

100% Success with DumpsPedia.com 10 of 368
Braindumps Questions ECCouncil - 312-50v12

B. Secret Key

C. Public Key

D. Hash Algorithm

Answer: C

Question #:16 - (Exam Topic 1)

A company’s policy requires employees to perform file transfers using protocols which encrypt traffic. You
suspect some employees are still performing file transfers using unencrypted protocols because the employees
do not like changes. You have positioned a network sniffer to capture traffic from the laptops used by
employees in the data ingest department. Using Wireshark to examine the captured traffic, which command
can be used as display filter to find unencrypted file transfers?

A. tcp.port = = 21

B. tcp.port = 23

C. tcp.port = = 21 | | tcp.port = =22

D. tcp.port ! = 21

Answer: A

Question #:17 - (Exam Topic 1)

What kind of detection techniques is being used in antivirus software that identifies malware by collecting data
from multiple protected systems and instead of analyzing files locally it’s made on the provider’s
environment?

A. Behavioral based

B. Heuristics based

C. Honeypot based

D. Cloud based

Answer: D

Question #:18 - (Exam Topic 1)

100% Success with DumpsPedia.com 11 of 368
Braindumps Questions ECCouncil - 312-50v12

What is the purpose of a demilitarized zone on a network?

A. To scan all traffic coming through the DMZ to the internal network

B. To only provide direct access to the nodes within the DMZ and protect the network behind it

C. To provide a place to put the honeypot

D. To contain the network devices you wish to protect

Answer: B

Question #:19 - (Exam Topic 1)

What is the proper response for a NULL scan if the port is closed?

A. SYN

B. ACK

C. FIN

D. PSH

E. RST

F. No response

Answer: E

Question #:20 - (Exam Topic 1)

You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all
machines in the same network quickly.

What is the best Nmap command you will use?

A. nmap -T4 -q 10.10.0.0/24

B. nmap -T4 -F 10.10.0.0/24

C. nmap -T4 -r 10.10.1.0/24

D. nmap -T4 -O 10.10.0.0/24

Answer: B

100% Success with DumpsPedia.com 12 of 368
Braindumps Questions ECCouncil - 312-50v12

Explanation
https://nmap.org/book/man-port-specification.html

NOTE: In my opinion, this is an absolutely wrong statement of the question. But you may come across a
question with a similar wording on the exam. What does "fast" mean? If we want to increase the speed and
intensity of the scan we can select the mode using the -T flag (0/1/2/3/4/5). At high -T values, we will sacrifice
stealth and gain speed, but we will not limit functionality.

«nmap -T4 -F 10.10.0.0/24» This option is "correct" because of the -F flag.

-F (Fast (limited port) scan)

Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000
ports for each scanned protocol. With -F, this is reduced to 100.

Technically, scanning will be faster, but just because we have reduced the number of ports by 10 times, we are
just doing 10 times less work, not faster.

Question #:21 - (Exam Topic 1)

Which of the following statements about a zone transfer is correct? (Choose three.)

A. A zone transfer is accomplished with the DNS

B. A zone transfer is accomplished with the nslookup service

C. A zone transfer passes all zone information that a DNS server maintains

D. A zone transfer passes all zone information that a nslookup server maintains

E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections

F. Zone transfers cannot occur on the Internet

Answer: A C E

Question #:22 - (Exam Topic 1)

What is the following command used for?

net use \targetipc$ "" /u:""

A. Grabbing the etc/passwd file

B. Grabbing the SAM

C. Connecting to a Linux computer through Samba.

100% Success with DumpsPedia.com 13 of 368
Braindumps Questions ECCouncil - 312-50v12

D. This command is used to connect as a null session

E. Enumeration of Cisco routers

Answer: D

Question #:23 - (Exam Topic 1)

An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a
malicious applet in all HTTP connections.

When users accessed any page, the applet ran and exploited many machines. Which one of the following tools
the hacker probably used to inject HTML code?

A. Wireshark

B. Ettercap

C. Aircrack-ng

D. Tcpdump

Answer: B

Question #:24 - (Exam Topic 1)

An attacker with access to the inside network of a small company launches a successful STP manipulation
attack. What will he do next?

A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.

B. He will activate OSPF on the spoofed root bridge.

C. He will repeat this action so that it escalates to a DoS attack.

D. He will repeat the same attack against all L2 switches of the network.

Answer: A

Question #:25 - (Exam Topic 1)

A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access
point. The computer is able to transfer files locally to other machines, but cannot successfully reach the
Internet. When the technician examines the IP address and default gateway they are both on the

100% Success with DumpsPedia.com 14 of 368
Braindumps Questions ECCouncil - 312-50v12

192.168.1.0/24. Which of the following has occurred?

A. The computer is not using a private IP address.

B. The gateway is not routing to a public IP address.

C. The gateway and the computer are not on the same network.

D. The computer is using an invalid IP address.

Answer: B

Explanation
https://en.wikipedia.org/wiki/Private_network

In IP networking, a private network is a computer network that uses private IP address space. Both the IPv4
and the IPv6 specifications define private IP address ranges. These addresses are commonly used for local area
networks (LANs) in residential, office, and enterprise environments.

Private network addresses are not allocated to any specific organization. Anyone may use these addresses
without approval from regional or local Internet registries. Private IP address spaces were originally defined to
assist in delaying IPv4 address exhaustion. IP packets originating from or addressed to a private IP address
cannot be routed through the public Internet.

The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to
reserve the following IPv4 address ranges for private networks:

· 10.0.0.0 – 10.255.255.255

· 172.16.0.0 – 172.31.255.255

· 192.168.0.0 – 192.168.255.255

Backbone routers do not allow packets from or to internal IP addresses. That is, intranet machines, if no
measures are taken, are isolated from the Internet. However, several technologies allow such machines to
connect to the Internet.

· Mediation servers like IRC, Usenet, SMTP and Proxy server

· Network address translation (NAT)

· Tunneling protocol

NOTE: So, the problem is just one of these technologies.

Question #:26 - (Exam Topic 1)

What term describes the amount of risk that remains after the vulnerabilities are classified and the
countermeasures have been deployed?

100% Success with DumpsPedia.com 15 of 368
Braindumps Questions ECCouncil - 312-50v12

A. Residual risk

B. Impact risk

C. Deferred risk

D. Inherent risk

Answer: A

Explanation
https://en.wikipedia.org/wiki/Residual_risk

The residual risk is the risk or danger of an action or an event, a method or a (technical) process that, although
being abreast with science, still conceives these dangers, even if all theoretically possible safety measures
would be applied (scientifically conceivable measures); in other words, the amount of risk left over after
natural or inherent risks have been reduced by risk controls.

· Residual risk = (Inherent risk) – (impact of risk controls)

Question #:27 - (Exam Topic 1)

Why would you consider sending an email to an address that you know does not exist within the company you
are performing a Penetration Test for?

A. To determine who is the holder of the root account

B. To perform a DoS

C. To create needless SPAM

D. To illicit a response back that will reveal information about email servers and how they treat
undeliverable mail

E. To test for virus protection

Answer: D

Question #:28 - (Exam Topic 1)

Which DNS resource record can indicate how long any "DNS poisoning" could last?

A. MX

B. SOA

C.

100% Success with DumpsPedia.com 16 of 368
Braindumps Questions ECCouncil - 312-50v12

C. NS

D. TIMEOUT

Answer: B

Question #:29 - (Exam Topic 1)

Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place.
He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is
familiar with password weaknesses and key loggers.

Which of the following options best represents the means that Bob can adopt to retrieve passwords from his
clients hosts and servers?

A. Hardware, Software, and Sniffing.

B. Hardware and Software Keyloggers.

C. Passwords are always best obtained using Hardware key loggers.

D. Software only, they are the most effective.

Answer: A

Question #:30 - (Exam Topic 1)

Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end
encryption of the connection?

A. SFTP

B. Ipsec

C. SSL

D. FTPS

Answer: B

Explanation
https://en.wikipedia.org/wiki/IPsec

Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets
of data to provide secure encrypted communication between two computers over an Internet Protocol network.
It is used in virtual private networks (VPNs).

100% Success with DumpsPedia.com 17 of 368
Braindumps Questions ECCouncil - 312-50v12

IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session
and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of
hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway
and a host (network-to-host). IPsec uses cryptographic security services to protect communications over
Internet Protocol (IP) networks. It supports network-level peer authentication, data-origin authentication, data
integrity, data confidentiality (encryption), and replay protection.

The initial IPv4 suite was developed with few security provisions. As a part of the IPv4 enhancement, IPsec is
a layer 3 OSI model or internet layer end-to-end security scheme. In contrast, while some other Internet
security systems in widespread use operate above layer 3, such as Transport Layer Security (TLS) that
operates at the Transport Layer and Secure Shell (SSH) that operates at the Application layer, IPsec can
automatically secure applications at the IP layer.

Question #:31 - (Exam Topic 1)

Which Intrusion Detection System is the best applicable for large environments where critical assets on the
network need extra scrutiny and is ideal for observing sensitive network segments?

A. Honeypots

B. Firewalls

C. Network-based intrusion detection system (NIDS)

D. Host-based intrusion detection system (HIDS)

Answer: C

Question #:32 - (Exam Topic 1)

Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or
stored?

A. symmetric algorithms

B. asymmetric algorithms

C. hashing algorithms

D. integrity algorithms

Answer: C

Question #:33 - (Exam Topic 1)

100% Success with DumpsPedia.com 18 of 368
Braindumps Questions ECCouncil - 312-50v12

While using your bank’s online servicing you notice the following string in the URL bar:

“http: // www. MyPersonalBank. com/ account?id=368940911028389&Damount=10980&Camount=21”

You observe that if you modify the Damount & Camount values and submit the request, that data on the web
page reflects the changes.

Which type of vulnerability is present on this site?

A. Cookie Tampering

B. SQL Injection

C. Web Parameter Tampering

D. XSS Reflection

Answer: C

Question #:34 - (Exam Topic 1)

Which method of password cracking takes the most time and effort?

A. Dictionary attack

B. Shoulder surfing

C. Rainbow tables

D. Brute force

Answer: D

Explanation
Brute-force attack when an attacker uses a set of predefined values to attack a target and analyze the response
until he succeeds. Success depends on the set of predefined values. It will take more time if it is larger, but
there is a better probability of success. In a traditional brute-force attack, the passcode or password is
incrementally increased by one letter/number each time until the right passcode/password is found.

Question #:35 - (Exam Topic 1)

Why should the security analyst disable/remove unnecessary ISAPI filters?

A. To defend against social engineering attacks

B. To defend against webserver attacks

C.

100% Success with DumpsPedia.com 19 of 368
Braindumps Questions ECCouncil - 312-50v12

C. To defend against jailbreaking

D. To defend against wireless attacks

Answer: B

Question #:36 - (Exam Topic 1)

The company ABC recently contracts a new accountant. The accountant will be working with the financial
statements. Those financial statements need to be approved by the CFO and then they will be sent to the
accountant but the CFO is worried because he wants to be sure that the information sent to the accountant was
not modified once he approved it. Which of the following options can be useful to ensure the integrity of the
data?

A. The CFO can use a hash algorithm in the document once he approved the financial statements

B. The CFO can use an excel file with a password

C. The financial statements can be sent twice, one by email and the other delivered in USB and the
accountant can compare both to be sure is the same document

D. The document can be sent to the accountant using an exclusive USB for that document

Answer: A

Question #:37 - (Exam Topic 1)

What is a “Collision attack” in cryptography?

A. Collision attacks try to get the public key

B. Collision attacks try to break the hash into three parts to get the plaintext value

C. Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private
key

D. Collision attacks try to find two inputs producing the same hash

Answer: D

Question #:38 - (Exam Topic 1)

An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence
of packets sent to a Web server in the network’s external DMZ. The packet traffic was captured by the IDS
and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely

100% Success with DumpsPedia.com 20 of 368
Braindumps Questions ECCouncil - 312-50v12

malicious or simply a false positive?

A. Protocol analyzer

B. Network sniffer

C. Intrusion Prevention System (IPS)

D. Vulnerability scanner

Answer: A

Question #:39 - (Exam Topic 1)

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool "SIDExtractor". Here
is the output of the SIDs:

From the above list identify the user account with System Administrator privileges.

A. John

B. Rebecca

C. Sheela

D. Shawn

E. Somia

F. Chang

G. Micah

Answer: F

Question #:40 - (Exam Topic 1)

What two conditions must a digital signature meet?

100% Success with DumpsPedia.com 21 of 368
Braindumps Questions ECCouncil - 312-50v12

A. Has to be the same number of characters as a physical signature and must be unique.

B. Has to be unforgeable, and has to be authentic.

C. Must be unique and have special characters.

D. Has to be legible and neat.

Answer: B

Question #:41 - (Exam Topic 1)

Bob received this text message on his mobile phone: “Hello, this is Scott Smelby from the Yahoo Bank.
Kindly contact me for a vital transaction on: [email protected]”. Which statement below is true?

A. This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.

B. This is a scam because Bob does not know Scott.

C. Bob should write to [email protected] to verify the identity of Scott.

D. This is probably a legitimate message as it comes from a respectable organization.

Answer: A

Question #:42 - (Exam Topic 1)

Which of the following tools performs comprehensive tests against web servers, including dangerous files and
CGIs?

A. Nikto

B. John the Ripper

C. Dsniff

D. Snort

Answer: A

Explanation
https://en.wikipedia.org/wiki/Nikto_(vulnerability_scanner)

Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous files/CGIs,
outdated server software, and other problems. It performs generic and server types specific checks. It also

100% Success with DumpsPedia.com 22 of 368
Braindumps Questions ECCouncil - 312-50v12

captures and prints any cookies received. The Nikto code itself is free software, but the data files it uses to
drive the program are not.

Question #:43 - (Exam Topic 1)

A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to
evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an
attacker could circumvent perimeter defenses and gain access to the Prometric Online Testing – Reports
https://ibt1.prometric.com/users/custom/report_queue/rq_str... corporate network. What tool should the analyst
use to perform a Blackjacking attack?

A. Paros Proxy

B. BBProxy

C. Blooover

D. BBCrack

Answer: B

Question #:44 - (Exam Topic 1)

A company’s security policy states that all Web browsers must automatically delete their HTTP browser
cookies upon terminating. What sort of security breach is this policy attempting to mitigate?

A. Attempts by attackers to access the user and password information stored in the company’s SQL
database.

B. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s
authentication credentials.

C. Attempts by attackers to access password stored on the user’s computer without the user’s knowledge.

D. Attempts by attackers to determine the user’s Web browser usage patterns, including when sites were
visited and for how long.

Answer: B

Question #:45 - (Exam Topic 1)

Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools
in his lab and is now ready for real world exploitation. He was able to effectively intercept communications
between the two entities and establish credentials with both sides of the connections. The two remote ends of
the communication never notice that Eric is relaying the information between the two. What would you call
this attack?

100% Success with DumpsPedia.com 23 of 368
Braindumps Questions ECCouncil - 312-50v12

A. Interceptor

B. Man-in-the-middle

C. ARP Proxy

D. Poisoning Attack

Answer: B

Question #:46 - (Exam Topic 1)

Your company was hired by a small healthcare provider to perform a technical assessment on the network.

What is the best approach for discovering vulnerabilities on a Windows-based computer?

A. Use the built-in Windows Update tool

B. Use a scan tool like Nessus

C. Check MITRE.org for the latest list of CVE findings

D. Create a disk image of a clean Windows installation

Answer: B

Question #:47 - (Exam Topic 1)

Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000 system.
Which TCP and UDP ports must you filter to check null sessions on your network?

A. 137 and 139

B. 137 and 443

C. 139 and 443

D. 139 and 445

Answer: D

Question #:48 - (Exam Topic 1)

Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform

100% Success with DumpsPedia.com 24 of 368
Braindumps Questions ECCouncil - 312-50v12

SNMP enquires over the network.

Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.

A. SNMPUtil

B. SNScan

C. SNMPScan

D. Solarwinds IP Network Browser

E. NMap

Answer: A B D

Question #:49 - (Exam Topic 1)

What is the minimum number of network connections in a multihomed firewall?

A. 3

B. 5

C. 4

D. 2

Answer: A

Question #:50 - (Exam Topic 1)

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges
which carry user logons. The user is plugged into a hub with 23 other systems.

However, he is unable to capture any logons though he knows that other users are logging in.

What do you think is the most likely reason behind this?

A. There is a NIDS present on that segment.

B. Kerberos is preventing it.

C. Windows logons cannot be sniffed.

D. L0phtcrack only sniffs logons to web servers.

100% Success with DumpsPedia.com 25 of 368
Braindumps Questions ECCouncil - 312-50v12

Answer: B

Question #:51 - (Exam Topic 1)

What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?

A. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use
symmetric encryption instead.

B. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.

C. Symmetric encryption allows the server to security transmit the session keys out-of-band.

D. Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited to
securely negotiate keys for use with symmetric cryptography.

Answer: A

Question #:52 - (Exam Topic 1)

Which of the following tools can be used for passive OS fingerprinting?

A. nmap

B. tcpdump

C. tracert

D. ping

Answer: B

Question #:53 - (Exam Topic 1)

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router
was accessed from the administrator’s Computer to update the router configuration. What type of an alert is
this?

A. False negative

B. True negative

C. True positive

D. False positive

100% Success with DumpsPedia.com 26 of 368
Braindumps Questions ECCouncil - 312-50v12

Answer: D

Explanation
True Positive - IDS referring a behavior as an attack, in real life it is

True Negative - IDS referring a behavior not an attack and in real life it is not

False Positive - IDS referring a behavior as an attack, in real life it is not

False Negative - IDS referring a behavior not an attack, but in real life is an attack.

False Negative - is the most serious and dangerous state of all !!!!

Question #:54 - (Exam Topic 1)

DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on
switchers leverages the DHCP snooping database to help prevent man-in-the-middle attacks?

A. Spanning tree

B. Dynamic ARP Inspection (DAI)

C. Port security

D. Layer 2 Attack Prevention Protocol (LAPP)

Answer: B

Explanation
Dynamic ARP inspection (DAI) protects switching devices against Address Resolution Protocol (ARP)
packet spoofing (also known as ARP poisoning or ARP cache poisoning).

DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to
validate ARP packets and to protect against ARP spoofing. ARP requests and replies are compared against
entries in the DHCP snooping database, and filtering decisions are made based on the results of those
comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the
address with entries in the database. If the media access control (MAC) address or IP address in the ARP
packet does not match a valid entry in the DHCP snooping database, the packet is dropped.

Question #:55 - (Exam Topic 1)

What is the known plaintext attack used against DES which gives the result that encrypting plaintext with one
DES key followed by encrypting it with a second DES key is no more secure than using a single key?

A. Man-in-the-middle attack

B.

100% Success with DumpsPedia.com 27 of 368
Braindumps Questions ECCouncil - 312-50v12

B. Meet-in-the-middle attack

C. Replay attack

D. Traffic analysis attack

Answer: B

Explanation
https://en.wikipedia.org/wiki/Meet-in-the-middle_attack

The meet-in-the-middle attack (MITM), a known plaintext attack, is a generic space–time tradeoff
cryptographic attack against encryption schemes that rely on performing multiple encryption operations in
sequence. The MITM attack is the primary reason why Double DES is not used and why a Triple DES key
(168-bit) can be bruteforced by an attacker with 256 space and 2112 operations.

The intruder has to know some parts of plaintext and their ciphertexts. Using meet-in-the-middle attacks it is
possible to break ciphers, which have two or more secret keys for multiple encryption using the same
algorithm. For example, the 3DES cipher works in this way. Meet-in-the-middle attack was first presented by
Diffie and Hellman for cryptanalysis of DES algorithm.

Question #:56 - (Exam Topic 1)

A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network.
What are some things he can do to prevent it? Select the best answers.

A. Use port security on his switches.

B. Use a tool like ARPwatch to monitor for strange ARP activity.

C. Use a firewall between all LAN segments.

D. If you have a small network, use static ARP entries.

E. Use only static IP addresses on all PC's.

Answer: A B D

Question #:57 - (Exam Topic 1)

You have the SOA presented below in your Zone.

Your secondary servers have not been able to contact your primary server to synchronize information. How
long will the secondary servers attempt to contact the primary server before it considers that zone is dead and
stops responding to queries?

collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)

100% Success with DumpsPedia.com 28 of 368
Braindumps Questions ECCouncil - 312-50v12

A. One day

B. One hour

C. One week

D. One month

Answer: C

Question #:58 - (Exam Topic 1)

A bank stores and processes sensitive privacy information related to home loans. However, auditing has never
been enabled on the system. What is the first step that the bank should take before enabling the audit feature?

A. Perform a vulnerability scan of the system.

B. Determine the impact of enabling the audit feature.

C. Perform a cost/benefit analysis of the audit feature.

D. Allocate funds for staffing of audit log review.

Answer: B

Question #:59 - (Exam Topic 1)

Which of the following is a command line packet analyzer similar to GUI-based Wireshark?

A. nessus

B. tcpdump

C. ethereal

D. jack the ripper

Answer: B

Explanation
Tcpdump is a data-network packet analyzer computer program that runs under a command-line interface. It
allows the user to display TCP/IP and other packets being transmitted or received over a network to which the
computer is attached. Distributed under the BSD license, tcpdump is free software.

https://www.wireshark.org/

100% Success with DumpsPedia.com 29 of 368
Braindumps Questions ECCouncil - 312-50v12

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software
and communications protocol development, and education.

NOTE: Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and
filtering options.

Question #:60 - (Exam Topic 1)

Which of the following tools are used for enumeration? (Choose three.)

A. SolarWinds

B. USER2SID

C. Cheops

D. SID2USER

E. DumpSec

Answer: B D E

Question #:61 - (Exam Topic 1)

What is the role of test automation in security testing?

A. It is an option but it tends to be very expensive.

B. It should be used exclusively. Manual testing is outdated because of low speed and possible test setup
inconsistencies.

C. Test automation is not usable in security due to the complexity of the tests.

D. It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace
manual testing completely.

Answer: D

Question #:62 - (Exam Topic 1)

In the field of cryptanalysis, what is meant by a “rubber-hose” attack?

A. Forcing the targeted keystream through a hardware-accelerated device such as an ASIC.

B. A backdoor placed into a cryptographic algorithm by its creator.

100% Success with DumpsPedia.com 30 of 368
Braindumps Questions ECCouncil - 312-50v12

C. Extraction of cryptographic secrets through coercion or torture.

D. Attempting to decrypt ciphertext by making logical assumptions about the contents of the original
plaintext.

Answer: C

Explanation
A powerful and often the most effective cryptanalysis method in which the attack is directed at the most
vulnerable link in the cryptosystem - the person. In this attack, the cryptanalyst uses blackmail, threats, torture,
extortion, bribery, etc. This method's main advantage is the decryption time's fundamental independence from
the volume of secret information, the length of the key, and the cipher's mathematical strength.

The method can reduce the time to guess a password, for example, for AES, to an acceptable level; however, it
requires special authorization from the relevant regulatory authorities. Therefore, it is outside the scope of this
course and is not considered in its practical part.

Question #:63 - (Exam Topic 1)

A large mobile telephony and data network operator has a data center that houses network elements. These are
essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and
IPS systems.

What is the best security policy concerning this setup?

A. Network elements must be hardened with user ids and strong passwords. Regular security tests and
audits should be performed.

B. As long as the physical access to the network elements is restricted, there is no need for additional
measures.

C. There is no need for specific security measures on the network elements as long as firewalls and IPS
systems exist.

D. The operator knows that attacks and down time are inevitable and should have a backup site.

Answer: A

Question #:64 - (Exam Topic 1)

One of your team members has asked you to analyze the following SOA record. What is the version?

Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.) (Choose four.)

A. 200303028

B. 3600

100% Success with DumpsPedia.com 31 of 368
Braindumps Questions ECCouncil - 312-50v12

C. 604800

D. 2400

E. 60

F. 4800

Answer: A

Question #:65 - (Exam Topic 1)

By using a smart card and pin, you are using a two-factor authentication that satisfies

A. Something you are and something you remember

B. Something you have and something you know

C. Something you know and something you are

D. Something you have and something you are

Answer: B

Explanation
Two-factor Authentication or 2FA is a user identity verification method, where two of the three possible
authentication factors are combined to grant access to a website or application.1) something the user knows, 2)
something the user has, or 3) something the user is.

The possible factors of authentication are:

· Something the User Knows:

This is often a password, passphrase, PIN, or secret question. To satisfy this authentication challenge, the user
must provide information that matches the answers previously provided to the organization by that user, such
as “Name the town in which you were born.”

· Something the User Has:

This involves entering a one-time password generated by a hardware authenticator. Users carry around an
authentication device that will generate a one-time password on command. Users then authenticate by
providing this code to the organization. Today, many organizations offer software authenticators that can be
installed on the user’s mobile device.

· Something the User Is:

This third authentication factor requires the user to authenticate using biometric data. This can include

100% Success with DumpsPedia.com 32 of 368
Braindumps Questions ECCouncil - 312-50v12

fingerprint scans, facial scans, behavioral biometrics, and more.

For example: In internet security, the most used factors of authentication are:

something the user has (e.g., a bank card) and something the user knows (e.g., a PIN code). This is
two-factor authentication. Two-factor authentication is also sometimes referred to as strong authentication,
Two-Step Verification, or 2FA.

The key difference between Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) is that,
as the term implies, Two-Factor Authentication utilizes a combination of two out of three possible
authentication factors. In contrast, Multi-Factor Authentication could utilize two or more of these
authentication factors.

Question #:66 - (Exam Topic 1)

A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of
the files is a tarball, two are shell script files, and the third is a binary file is named "nc." The FTP server's
access logs show that the anonymous user account logged in to the server, uploaded the files, and extracted the
contents of the tarball and ran the script using a function provided by the FTP server's software. The “ps”
command shows that the “nc” file is running as process, and the netstat command shows the “nc” process is
listening on a network port.

What kind of vulnerability must be present to make this remote attack possible?

A. File system permissions

B. Privilege escalation

C. Directory traversal

D. Brute force login

Answer: A

Explanation
File system permissions

Processes may automatically execute specific binaries as part of their functionality or to perform other actions.
If the permissions on the file system directory containing a target binary, or permissions on the binary itself,
are improperly set, then the target binary may be overwritten with another binary using user-level permissions
and executed by the original process. If the original process and thread are running under a higher permissions
level, then the replaced binary will also execute under higher-level permissions, which could include
SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing
code at a higher permissions level. If the executing process is set to run at a specific time or during a certain
event (e.g., system bootup) then this technique can also be used for persistence.

100% Success with DumpsPedia.com 33 of 368
Braindumps Questions ECCouncil - 312-50v12

Question #:67 - (Exam Topic 1)

What does a firewall check to prevent particular ports and applications from getting packets into an
organization?

A. Transport layer port numbers and application layer headers

B. Presentation layer headers and the session layer port numbers

C. Network layer headers and the session layer port numbers

D. Application layer port numbers and the transport layer headers

Answer: A

Question #:68 - (Exam Topic 1)

Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN standards on a
linux platform?

A. Kismet

B. Abel

C. Netstumbler

D. Nessus

Answer: A

Explanation
https://en.wikipedia.org/wiki/Kismet_(software)

Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet
will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b,
802.11g, and 802.11n traffic.

Question #:69 - (Exam Topic 1)

The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE’s Common Vulnerabilities
and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the Transport
Layer Security (TLS) protocols defined in RFC6520.

What type of key does this bug leave exposed to the Internet making exploitation of any compromised system
very easy?

A. Public

100% Success with DumpsPedia.com 34 of 368
Braindumps Questions ECCouncil - 312-50v12

B. Private

C. Shared

D. Root

Answer: B

Question #:70 - (Exam Topic 1)

Which system consists of a publicly available set of databases that contain domain name registration contact
information?

A. WHOIS

B. CAPTCHA

C. IANA

D. IETF

Answer: A

Question #:71 - (Exam Topic 1)

Which of the following is assured by the use of a hash?

A. Authentication

B. Confidentiality

C. Availability

D. Integrity

Answer: D

Question #:72 - (Exam Topic 1)

Study the snort rule given below:

100% Success with DumpsPedia.com 35 of 368
Braindumps Questions ECCouncil - 312-50v12

From the options below, choose the exploit against which this rule applies.

A. WebDav

B. SQL Slammer

C. MS Blaster

D. MyDoom

Answer: C

Question #:73 - (Exam Topic 1)

Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication?

A. 113

B. 69

C. 123

D. 161

Answer: C

Explanation
https://en.wikipedia.org/wiki/Network_Time_Protocol

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer
systems over packet-switched, variable-latency data networks.

NTP is intended to synchronize all participating computers within a few milliseconds of Coordinated

100% Success with DumpsPedia.com 36 of 368
Braindumps Questions ECCouncil - 312-50v12

Universal Time (UTC). It uses the intersection algorithm, a modified version of Marzullo's algorithm, to select
accurate time servers and is designed to mitigate variable network latency effects. NTP can usually maintain
time to within tens of milliseconds over the public Internet and achieve better than one millisecond accuracy in
local area networks. Asymmetric routes and network congestion can cause errors of 100 ms or more.

The protocol is usually described in terms of a client-server model but can easily be used in peer-to-peer
relationships where both peers consider the other to be a potential time source. Implementations send and
receive timestamps using the User Datagram Protocol (UDP) on port number 123.

Question #:74 - (Exam Topic 1)

Joseph was the Web site administrator for the Mason Insurance in New York, who's main Web site was
located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One
night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason
Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's
message ''Hacker Message: You are dead! Freaks!” From his office, which was directly connected to Mason
Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site
looked completely intact.

No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The
Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend
could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this
problem, Joseph decided to access the Web site using hisdial-up ISP. He disconnected his laptop from the
corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem
connected, he quickly typed www.masonins.com in his browser to reveal the following web page:

After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and
used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and
determined that every system file and all the Web content on the server were intact. How did the attacker
accomplish this hack?

A. ARP spoofing

B. SQL injection

C. DNS poisoning

D. Routing table injection

Answer: C

Question #:75 - (Exam Topic 1)

You are the Network Admin, and you get a complaint that some of the websites are no longer accessible. You

100% Success with DumpsPedia.com 37 of 368
Braindumps Questions ECCouncil - 312-50v12

try to ping the servers and find them to be reachable. Then you type the IP address and then you try on the
browser, and find it to be accessible. But they are not accessible when you try using the URL.

What may be the problem?

A. Traffic is Blocked on UDP Port 53

B. Traffic is Blocked on TCP Port 80

C. Traffic is Blocked on TCP Port 54

D. Traffic is Blocked on UDP Port 80

Answer: A

Explanation
Most likely have an issue with DNS.

DNS stands for “Domain Name System.” It’s a system that lets you connect to websites by matching
human-readable domain names (like example.com) with the server's unique ID where a website is stored.

Think of the DNS system as the internet’s phonebook. It lists domain names with their corresponding
identifiers called IP addresses, instead of listing people’s names with their phone numbers. When a user enters
a domain name like wpbeginner.com on their device, it looks up the IP address and connects them to the
physical location where that website is stored.

NOTE: Often DNS lookup information will be cached locally inside the querying computer or remotely in the
DNS infrastructure. There are typically 8 steps in a DNS lookup. When DNS information is cached, steps are
skipped from the DNS lookup process, making it quicker. The example below outlines all 8 steps when
nothing is cached.

The 8 steps in a DNS lookup:

1. A user types ‘example.com’ into a web browser, and the query travels into the Internet and is received by a
DNS recursive resolver;

2. The resolver then queries a DNS root nameserver;

3. The root server then responds to the resolver with the address of a Top-Level Domain (TLD) DNS server
(such as.com or.net), which stores the information for its domains. When searching for example.com, our
request is pointed toward the.com TLD;

4. The resolver then requests the.com TLD;

5. The TLD server then responds with the IP address of the domain’s nameserver, example.com;

6. Lastly, the recursive resolver sends a query to the domain’s nameserver;

7. The IP address for example.com is then returned to the resolver from the nameserver;

100% Success with DumpsPedia.com 38 of 368
Braindumps Questions ECCouncil - 312-50v12

8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially;

Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser can request the
web page:

9. The browser makes an HTTP request to the IP address;

10. The server at that IP returns the webpage to be rendered in the browser.

NOTE 2: DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. And if
this port is blocked, then a problem arises already in the first step. But the ninth step is performed without
problems.

Question #:76 - (Exam Topic 1)

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token
performs off-line checking for the correct PIN, what type of attack is possible?

A. Birthday

B. Brute force

C. Man-in-the-middle

D. Smurf

Answer: B

Question #:77 - (Exam Topic 1)

What did the following commands determine?

A. That the Joe account has a SID of 500

B. These commands demonstrate that the guest account has NOT been disabled

C. These commands demonstrate that the guest account has been disabled

D. That the true administrator is Joe

E. Issued alone, these commands prove nothing

100% Success with DumpsPedia.com 39 of 368
Braindumps Questions ECCouncil - 312-50v12

Answer: D

Question #:78 - (Exam Topic 1)

What does the –oX flag do in an Nmap scan?

A. Perform an eXpress scan

B. Output the results in truncated format to the screen

C. Output the results in XML format to a file

D. Perform an Xmas scan

Answer: C

Explanation
https://nmap.org/book/man-output.html

-oX - Requests that XML output be directed to the given filename.

Question #:79 - (Exam Topic 1)

Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites.

Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their
interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for
malevolent attacks as well.

In this context, what would be the most effective method to bridge the knowledge gap between the "black"
hats or crackers and the "white" hats or computer security professionals? (Choose the test answer.)

A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.

B. Hire more computer security monitoring personnel to monitor computer systems and networks.

C. Make obtaining either a computer security certification or accreditation easier to achieve so more
individuals feel that they are a part of something larger than life.

D. Train more National Guard and reservist in the art of computer security to help out in times of
emergency or crises.

Answer: A

Question #:80 - (Exam Topic 1)

100% Success with DumpsPedia.com 40 of 368
Braindumps Questions ECCouncil - 312-50v12

You need to deploy a new web-based software package for your organization. The package requires three
separate servers and needs to be available on the Internet. What is the recommended architecture in terms of
server placement?

A. All three servers need to be placed internally

B. A web server facing the Internet, an application server on the internal network, a database server on the
internal network

C. A web server and the database server facing the Internet, an application server on the internal network

D. All three servers need to face the Internet so that they can communicate between themselves

Answer: B

Question #:81 - (Exam Topic 1)

Which of the following Linux commands will resolve a domain name into IP address?

A. >host-t a hackeddomain.com

B. >host-t ns hackeddomain.com

C. >host -t soa hackeddomain.com

D. >host -t AXFR hackeddomain.com

Answer: A

Question #:82 - (Exam Topic 1)

Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he properly
configures the firewall to allow access just to servers/ports, which can have direct internet access, and block
the access to workstations.

Bob also concluded that DMZ makes sense just when a stateful firewall is available, which is not the case of
TPNQM SA.

In this context, what can you say?

A. Bob can be right since DMZ does not make sense when combined with stateless firewalls

B. Bob is partially right. He does not need to separate networks if he can create rules by destination IPs,
one by one

C. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations

D.

100% Success with DumpsPedia.com 41 of 368
Braindumps Questions ECCouncil - 312-50v12

D. Bob is partially right. DMZ does not make sense when a stateless firewall is available

Answer: C

Question #:83 - (Exam Topic 1)

Which address translation scheme would allow a single public IP address to always correspond to a single
machine on an internal network, allowing "server publishing"?

A. Overloading Port Address Translation

B. Dynamic Port Address Translation

C. Dynamic Network Address Translation

D. Static Network Address Translation

Answer: D

Question #:84 - (Exam Topic 1)

Which type of security feature stops vehicles from crashing through the doors of a building?

A. Bollards

B. Receptionist

C. Mantrap

D. Turnstile

Answer: A

Question #:85 - (Exam Topic 1)

The collection of potentially actionable, overt, and publicly available information is known as

A. Open-source intelligence

B. Real intelligence

C. Social intelligence

D. Human intelligence

100% Success with DumpsPedia.com 42 of 368
Braindumps Questions ECCouncil - 312-50v12

Answer: A

Question #:86 - (Exam Topic 1)

As a securing consultant, what are some of the things you would recommend to a company to ensure DNS
security?

A. Use the same machines for DNS and other applications

B. Harden DNS servers

C. Use split-horizon operation for DNS servers

D. Restrict Zone transfers

E. Have subnet diversity between DNS servers

Answer: B C D E

Question #:87 - (Exam Topic 1)

Which of the following program infects the system boot sector and the executable files at the same time?

A. Polymorphic virus

B. Stealth virus

C. Multipartite Virus

D. Macro virus

Answer: C

Question #:88 - (Exam Topic 1)

Which of the following represents the initial two commands that an IRC client sends to join an IRC network?

A. USER, NICK

B. LOGIN, NICK

C. USER, PASS

D. LOGIN, USER

100% Success with DumpsPedia.com 43 of 368
Braindumps Questions ECCouncil - 312-50v12

Answer: A

Question #:89 - (Exam Topic 1)

A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software
as many of the other clients on the network. The client can see the network, but cannot connect. A wireless
packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being
sent by the wireless client. What is a possible source of this problem?

A. The WAP does not recognize the client’s MAC address

B. The client cannot see the SSID of the wireless network

C. Client is configured for the wrong channel

D. The wireless client is not configured to use DHCP

Answer: A

Explanation
https://en.wikipedia.org/wiki/MAC_filtering

MAC filtering is a security method based on access control. Each address is assigned a 48-bit address, which
is used to determine whether we can access a network or not. It helps in listing a set of allowed devices that
you need on your Wi-Fi and the list of denied devices that you don’t want on your Wi-Fi. It helps in
preventing unwanted access to the network. In a way, we can blacklist or white list certain computers based on
their MAC address. We can configure the filter to allow connection only to those devices included in the white
list. White lists provide greater security than blacklists because the router grants access only to selected
devices.

It is used on enterprise wireless networks having multiple access points to prevent clients from communicating
with each other. The access point can be configured only to allow clients to talk to the default gateway, but not
other wireless clients. It increases the efficiency of access to a network.

The router allows configuring a list of allowed MAC addresses in its web interface, allowing you to choose
which devices can connect to your network. The router has several functions designed to improve the
network's security, but not all are useful. Media access control may seem advantageous, but there are certain
flaws.

On a wireless network, the device with the proper credentials such as SSID and password can authenticate
with the router and join the network, which gets an IP address and access to the internet and any shared
resources.

MAC address filtering adds an extra layer of security that checks the device’s MAC address against a list of
agreed addresses. If the client’s address matches one on the router’s list, access is granted; otherwise, it
doesn’t join the network.

100% Success with DumpsPedia.com 44 of 368
Braindumps Questions ECCouncil - 312-50v12

Question #:90 - (Exam Topic 1)

What is the proper response for a NULL scan if the port is open?

A. SYN

B. ACK

C. FIN

D. PSH

E. RST

F. No response

Answer: F

Question #:91 - (Exam Topic 1)

What is not a PCI compliance recommendation?

A. Use a firewall between the public network and the payment card data.

B. Use encryption to protect all transmission of card holder data over any public network.

C. Rotate employees handling credit card transactions on a yearly basis to different departments.

D. Limit access to card holder data to as few individuals as possible.

Answer: C

Explanation
https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

100% Success with DumpsPedia.com 45 of 368
Braindumps Questions ECCouncil - 312-50v12

5. Use and regularly update anti-virus software or programs.

6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors.

Question #:92 - (Exam Topic 1)

Email is transmitted across the Internet using the Simple Mail Transport Protocol. SMTP does not encrypt
email, leaving the information in the message vulnerable to being read by an unauthorized person. SMTP can
upgrade a connection between two mail servers to use TLS. Email transmitted by SMTP over TLS is
encrypted. What is the name of the command used by SMTP to transmit email over TLS?

A. OPPORTUNISTICTLS

B. UPGRADETLS

C. FORCETLS

D. STARTTLS

Answer: D

Question #:93 - (Exam Topic 1)

Susan has attached to her company's network. She has managed to synchronize her boss's sessions with that of
the file server. She then intercepted his traffic destined for the server, changed it the way she wanted to and
then placed it on the server in his home directory.

What kind of attack is Susan carrying on?

A.

100% Success with DumpsPedia.com 46 of 368
Braindumps Questions ECCouncil - 312-50v12

A. A sniffing attack

B. A spoofing attack

C. A man in the middle attack

D. A denial of service attack

Answer: C

Question #:94 - (Exam Topic 1)

Steve, a scientist who works in a governmental security agency, developed a technological solution to identify
people based on walking patterns and implemented this approach to a physical control access.

A camera captures people walking and identifies the individuals using Steve’s approach.

After that, people must approximate their RFID badges. Both the identifications are required to open the door.
In this case, we can say:

A. Although the approach has two phases, it actually implements just one authentication factor

B. The solution implements the two authentication factors: physical object and physical characteristic

C. The solution will have a high level of false positives

D. Biological motion cannot be used to identify people

Answer: B

Question #:95 - (Exam Topic 1)

Bob, a network administrator at BigUniversity, realized that some students are connecting their notebooks in
the wired network to have Internet access. In the university campus, there are many Ethernet ports available
for professors and authorized visitors but not for students.

He identified this when the IDS alerted for malware activities in the network. What should Bob do to avoid
this problem?

A. Disable unused ports in the switches

B. Separate students in a different VLAN

C. Use the 802.1x protocol

D. Ask students to use the wireless network

100% Success with DumpsPedia.com 47 of 368
Braindumps Questions ECCouncil - 312-50v12

Answer: C

Question #:96 - (Exam Topic 1)

Which of the following incident handling process phases is responsible for defining rules, collaborating human
workforce, creating a back-up plan, and testing the plans for an organization?

A. Preparation phase

B. Containment phase

C. Identification phase

D. Recovery phase

Answer: A

Question #:97 - (Exam Topic 1)

Why is a penetration test considered to be more thorough than vulnerability scan?

A. Vulnerability scans only do host discovery and port scanning by default.

B. A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability
scan does not typically involve active exploitation.

C. It is not – a penetration test is often performed by an automated tool, while a vulnerability scan requires
active engagement.

D. The tools used by penetration testers tend to have much more comprehensive vulnerability databases.

Answer: B

Question #:98 - (Exam Topic 1)

Your company performs penetration tests and security assessments for small and medium-sized business in the
local area. During a routine security assessment, you discover information that suggests your client is involved
with human trafficking.

What should you do?

A. Confront the client in a respectful manner and ask her about the data.

B. Copy the data to removable media and keep it in case you need it.

C.

100% Success with DumpsPedia.com 48 of 368
Braindumps Questions ECCouncil - 312-50v12

C. Ignore the data and continue the assessment until completed as agreed.

D. Immediately stop work and contact the proper legal authorities.

Answer: D

Question #:99 - (Exam Topic 1)

env x=’(){ :;};echo exploit’ bash –c ‘cat/etc/passwd’

What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?

A. Removes the passwd file

B. Changes all passwords in passwd

C. Add new user to the passwd file

D. Display passwd content to prompt

Answer: D

Question #:100 - (Exam Topic 1)

Based on the following extract from the log of a compromised machine, what is the hacker really trying to
steal?

A. har.txt

B. SAM file

C. wwwroot

D. Repair file

Answer: B

Question #:101 - (Exam Topic 1)

“........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the
premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of
the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted
hot-spot by posing as a legitimate provider. This type of attack may be used to steal the passwords of

unsuspecting users by either snooping the communication link or by phishing, which involves setting up a

100% Success with DumpsPedia.com 49 of 368
Braindumps Questions ECCouncil - 312-50v12

fraudulent web site and luring people there.”

Fill in the blank with appropriate choice.

A. Evil Twin Attack

B. Sinkhole Attack

C. Collision Attack

D. Signal Jamming Attack

Answer: A

Explanation
https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)

An evil twin attack is a hack attack in which a hacker sets up a fake Wi-Fi network that looks like a legitimate
access point to steal victims’ sensitive details. Most often, the victims of such attacks are ordinary people like
you and me.

The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is used to
eavesdrop on users and steal their login credentials or other sensitive information. Because the hacker owns
the equipment being used, the victim will have no idea that the hacker might be intercepting things like bank
transactions.

An evil twin access point can also be used in a phishing scam. In this type of attack, victims will connect to the
evil twin and will be lured to a phishing site. It will prompt them to enter their sensitive data, such as their
login details. These, of course, will be sent straight to the hacker. Once the hacker gets them, they might
simply disconnect the victim and show that the server is temporarily unavailable.

ADDITION: It may not seem obvious what happened. The problem is in the question statement. The attackers
were not Alice and John, who were able to connect to the network without a password, but on the contrary,
they were attacked and forced to connect to a fake network, and not to the real network belonging to Jane.

Question #:102 - (Exam Topic 1)

A zone file consists of which of the following Resource Records (RRs)?

A. DNS, NS, AXFR, and MX records

B. DNS, NS, PTR, and MX records

C. SOA, NS, AXFR, and MX records

D. SOA, NS, A, and MX records

Answer: D

100% Success with DumpsPedia.com 50 of 368
Braindumps Questions ECCouncil - 312-50v12

Question #:103 - (Exam Topic 1)

Hackers often raise the trust level of a phishing message by modeling the email to look similar to the internal
email used by the target company. This includes using logos, formatting, and names of the target company.
The phishing message will often use the name of the company CEO, President, or Managers. The time a
hacker spends performing research to locate this information about a company is known as?

A. Exploration

B. Investigation

C. Reconnaissance

D. Enumeration

Answer: C

Explanation
Cyber Kill Chain Methodology 1. Reconnaissance - Gathering information about the target.

Question #:104 - (Exam Topic 1)

You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort
installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn scan in your
network, and you notice that kiwi syslog is not receiving the alert message from snort. You decide to run
wireshark in the snort machine to check if the messages are going to the kiwi syslog machine. What Wireshark
filter will show the connections from the snort machine to kiwi syslog machine?

A. tcp.srcport= = 514 && ip.src= = 192.168.0.99

B. tcp.srcport= = 514 && ip.src= = 192.168.150

C. tcp.dstport= = 514 && ip.dst= = 192.168.0.99

D. tcp.dstport= = 514 && ip.dst= = 192.168.0.150

Answer: D

Question #:105 - (Exam Topic 1)

Which results will be returned with the following Google search query? site:target.com –
site:Marketing.target.com accounting

A. Results from matches on the site marketing.target.com that are in the domain target.com but do not
include the word accounting.

100% Success with DumpsPedia.com 51 of 368
Braindumps Questions ECCouncil - 312-50v12

B. Results matching all words in the query.

C. Results for matches on target.com and Marketing.target.com that include the word “accounting”

D. Results matching “accounting” in domain target.com but not on the site Marketing.target.com

Answer: D

Question #:106 - (Exam Topic 1)

Peter is surfing the internet looking for information about DX Company. Which hacking process is Peter
doing?

A. Scanning

B. Footprinting

C. Enumeration

D. System Hacking

Answer: B

Question #:107 - (Exam Topic 1)

During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web
enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is
inspecting outbound traffic?

A. Circuit

B. Stateful

C. Application

D. Packet Filtering

Answer: C

Explanation
https://en.wikipedia.org/wiki/Internet_Relay_Chat

Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in text. The chat
process works on a client/server networking model. IRC clients are computer programs that users can install
on their system or web-based applications running either locally in the browser or on a third-party server.

100% Success with DumpsPedia.com 52 of 368
Braindumps Questions ECCouncil - 312-50v12

These clients communicate with chat servers to transfer messages to other clients.

IRC is a plaintext protocol that is officially assigned port 194, according to IANA. However, running the
service on this port requires running it with root-level permissions, which is inadvisable. As a result, the
well-known port for IRC is 6667, a high-number port that does not require elevated privileges. However, an
IRC server can also be configured to run on other ports as well.

You can't tell if an IRC server is designed to be malicious solely based on port number. Still, if you see an IRC
server running on port a WKP such as 80, 8080, 53, 443, it's almost always going to be malicious; the only
real reason for IRCD to be running on port 80 is to try to evade firewalls.

https://en.wikipedia.org/wiki/Application_firewall

An application firewall is a form of firewall that controls input/output or system calls of an application or
service. It operates by monitoring and blocking communications based on a configured policy, generally with
predefined rule sets to choose from. The application firewall can control communications up to the OSI
model's application layer, which is the highest operating layer, and where it gets its name. The two primary
categories of application firewalls are network-based and host-based.

Application layer filtering operates at a higher level than traditional security appliances. This allows packet
decisions to be made based on more than just source/destination IP Addresses or ports. It can also use
information spanning across multiple connections for any given host.

Network-based application firewalls

Network-based application firewalls operate at the application layer of a TCP/IP stack. They can understand
certain applications and protocols such as File Transfer Protocol (FTP), Domain Name System (DNS), or
Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications or services using a
non-standard port or detect if an allowed protocol is being abused.

Host-based application firewalls

A host-based application firewall monitors application system calls or other general system communication.
This gives more granularity and control but is limited to only protecting the host it is running on. Control is
applied by filtering on a per-process basis. Generally, prompts are used to define rules for processes that have
not yet received a connection. Further filtering can be done by examining the process ID of the owner of the
data packets. Many host-based application firewalls are combined or used in conjunction with a packet filter.

Question #:108 - (Exam Topic 1)

Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the
following best describes this type of system?

A. A biometric system that bases authentication decisions on behavioral attributes.

B. A biometric system that bases authentication decisions on physical attributes.

C. An authentication system that creates one-time passwords that are encrypted with secret keys.

D. An authentication system that uses passphrases that are converted into virtual passwords.

100% Success with DumpsPedia.com 53 of 368
Braindumps Questions ECCouncil - 312-50v12

Answer: C

Question #:109 - (Exam Topic 1)

To determine if a software program properly handles a wide range of invalid input, a form of automated
testing can be used to randomly generate invalid input in an attempt to crash the program.

What term is commonly used when referring to this type of testing?

A. Randomizing

B. Bounding

C. Mutating

D. Fuzzing

Answer: D

Question #:110 - (Exam Topic 1)

Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

A. ESP transport mode

B. ESP confidential

C. AH permiscuous

D. AH Tunnel mode

Answer: A

Question #:111 - (Exam Topic 1)

Which is the first step followed by Vulnerability Scanners for scanning a network?

A. OS Detection

B. Firewall detection

C. TCP/UDP Port scanning

D. Checking if the remote host is alive

100% Success with DumpsPedia.com 54 of 368
Braindumps Questions ECCouncil - 312-50v12

Answer: D

Explanation
Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three
steps:

1. Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using
various scanning techniques.

2. Performing service and OS discovery on them: After detecting the live hosts in the target network, the
next step is to enumerate the open ports and services and the operating system on the target systems.

3. Testing those services and OS for known vulnerabilities: Finally, after identifying the open services and
the operating system running on the target nodes, they are tested for known vulnerabilities.

Question #:112 - (Exam Topic 1)

Study the following log extract and identify the attack.

100% Success with DumpsPedia.com 55 of 368
Braindumps Questions ECCouncil - 312-50v12

A. Hexcode Attack

B. Cross Site Scripting

C. Multiple Domain Traversal Attack

D. Unicode Directory Traversal Attack

Answer: D

Question #:113 - (Exam Topic 1)

Which of the following is not a Bluetooth attack?

A. Bluedriving

B.

100% Success with DumpsPedia.com 56 of 368
Braindumps Questions ECCouncil - 312-50v12

B. Bluesmacking

C. Bluejacking

D. Bluesnarfing

Answer: A

Explanation
https://github.com/verovaleros/bluedriving

Bluedriving is a bluetooth wardriving utility. It can capture bluetooth devices, lookup their services, get GPS
information and present everything in a nice web page. It can search for and show a lot of information about
the device, the GPS address and the historic location of devices on a map. The main motivation of this tool is
to research about the targeted surveillance of people by means of its cellular phone or car. With this tool you
can capture information about bluetooth devices and show, on a map, the points where you have seen the same
device in the past.

Question #:114 - (Exam Topic 1)

You are tasked to perform a penetration test. While you are performing information gathering, you find an
employee list in Google. You find the receptionist’s email, and you send her an email changing the source
email to her boss’s email (boss@company). In this email, you ask for a pdf with information. She reads your
email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links
contain malware) and send back the modified pdf, saying that the links don’t work. She reads your email,
opens the links, and her machine gets infected. You now have access to the company network. What testing
method did you use?

A. Social engineering

B. Piggybacking

C. Tailgating

D. Eavesdropping

Answer: A

Explanation
Social engineering is the term used for a broad range of malicious activities accomplished through human
interactions. It uses psychological manipulation to trick users into making security mistakes or giving away
sensitive information.

Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise
unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social
engineering involve