Want to know Testking 312-50 Exam practice test features? Want to lear more about EC-Council Ethical Hacking and Countermeasures (CEHv6) certification experience? Study Downloadable EC-Council 312-50 answers to Up to date 312-50 questions at Testking. Gat a success with an absolute guarantee to pass EC-Council 312-50 (Ethical Hacking and Countermeasures (CEHv6)) test on your first attempt.

Q431. An Evil Cracker is attempting to penetrate your private network security. To do this, he must not be seen by your IDS, as it may take action to stop him. What tool might he use to bypass the IDS? 

Select the best answer. 

A. Firewalk 

B. Manhunt 

C. Fragrouter 

D. Fragids 



Firewalking is a way to disguise a portscan. Thus, firewalking is not a tool, but a method of conducting a port scan in which it can be hidden from some firewalls. Synamtec Man-Hunt is an IDS, not a tool to evade an IDS. Fragrouter is a tool that can take IP traffic and fragment it into multiple pieces. There is a legitimate reason that fragmentation is done, but it is also a technique that can help an attacker to evade detection while Fragids is a made-up tool and does not exist. 

Q432. If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response? 

A. The zombie computer will respond with an IPID of 24334. 

B. The zombie computer will respond with an IPID of 24333. 

C. The zombie computer will not send a response. 

D. The zombie computer will respond with an IPID of 24335. 

Answer: C

Q433. What does the following command achieve? 

Telnet <IP Address> <Port 80> 




A. This command returns the home page for the IP address specified 

B. This command opens a backdoor Telnet session to the IP address specified 

C. This command returns the banner of the website specified by IP address 

D. This command allows a hacker to determine the sites security 

E. This command is bogus and will accomplish nothing 

Answer: C

Explanation: This command is used for banner grabbing. Banner grabbing helps identify the service and version of web server running. 

Q434. uffer X is an Accounting application module for company can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted. Dave decided to insert 400 characters into the 200-character buffer which overflows the buffer. Below is the code snippet: 

Void func (void) 

{int I; char buffer [200]; 

for (I=0; I<400; I++) 

buffer (I)= ‘A’; 


How can you protect/fix the problem of your application as shown above? (Choose two) 

A. Because the counter starts with 0, we would stop when the counter is less then 200. 

B. Because the counter starts with 0, we would stop when the counter is more than 200. 

C. Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it cannot hold any more data. 

D. Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it cannot hold any more data. 

Answer: AC

Explanation: I=199 would be the character number 200. The stack holds exact 200 characters so there is no need to stop before 200. 

Q435. Symmetric encryption algorithms are known to be fast but present great challenges on the key management side. Asymmetric encryption algorithms are slow but allow communication with a remote host without having to transfer a key out of band or in person. If we combine the strength of both crypto systems where we use the symmetric algorithm to encrypt the bulk of the data and then use the asymmetric encryption system to encrypt the symmetric key, what would this type of usage be known as? 

A. Symmetric system 

B. Combined system 

C. Hybrid system 

D. Asymmetric system 

Answer: C

Explanation: Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly "hybrid" systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Similarly, hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed. 

Q436. Joseph was the Web site administrator for the Mason Insurance in New York, who's main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message ''Hacker Message: You are dead! Freaks!'' 

From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact. No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page: 

H@cker Mess@ge: 

Y0u @re De@d! Fre@ks! 

After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact. 

How did the attacker accomplish this hack? 

A. ARP spoofing 

B. SQL injection 

C. DNS poisoning 

D. Routing table injection 

Answer: C

Explanation: External calls for the Web site has been redirected to another server by a successful DNS poisoning. 

Q437. Say that "abigcompany.com" had a security vulnerability in the javascript on their website in the past. They recently fixed the security vulnerability, but it had been there for many months. Is there some way to 4go back and see the code for that error? 

Select the best answer. 

A. archive.org 

B. There is no way to get the changed webpage unless you contact someone at the company 

C. Usenet 

D. Javascript would not be in their html so a service like usenet or archive wouldn't help you 



Archive.org is a website that periodically archives internet content. They have archives of websites over many years. It could be used to go back and look at the javascript as javascript would be in the HTML code. 

Q438. Sara is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain. What do you think Sara is trying to accomplish? Select the best answer. 

A. A zone harvesting 

B. A zone transfer 

C. A zone update 

D. A zone estimate 

Answer: B

Explanation: The zone transfer is the method a secondary DNS server uses to update its information from the primary DNS server. DNS servers within a domain are organized using a master-slave method where the slaves get updated DNS information from the master DNS. One should configure the master DNS server to allow zone transfers only from secondary (slave) DNS servers but this is often not implemented. By connecting to a specific DNS server and successfully issuing the ls –d domain-name > file-name you have initiated a zone transfer. 

Q439. There are two types of honeypots- high and low interaction. Which of these describes a low interaction honeypot? 

Select the best answers. 

A. Emulators of vulnerable programs 

B. More likely to be penetrated 

C. Easier to deploy and maintain 

D. Tend to be used for production 

E. More detectable 

F. Tend to be used for research 

Answer: ACDE


A low interaction honeypot would have emulators of vulnerable programs, not the real programs. 

A high interaction honeypot is more likely to be penetrated as it is running the real program and is more vulnerable than an emulator. 

Low interaction honeypots are easier to deploy and maintain. Usually you would just use a program that is already available for download and install it. Hackers don't usually crash or destroy these types of programs and it would require little maintenance. 

A low interaction honeypot tends to be used for production. 

Low interaction honeypots are more detectable because you are using emulators of the real programs. Many hackers will see this and realize that they are in a honeypot. 

A low interaction honeypot tends to be used for production. A high interaction honeypot tends to be used for research. 

Q440. Which of the following tools are used for footprinting?(Choose four. 

A. Sam Spade 

B. NSLookup 

C. Traceroute 

D. Neotrace 

E. Cheops 

Answer: ABCD 

Explanation: All of the tools listed are used for footprinting except Cheops.