Study guide for the EC-Council Ethical Hacking and Countermeasures (CEHv6) certification: practice questions for the EC-Council 312-50 exam.

Q166. An attacker has been successfully modifying the purchase price of items purchased at a web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the IDS logs and found no attacks that could have caused this. What is the most likely way the attacker has been able to modify the price?

A. By using SQL injection 

B. By using cross site scripting 

C. By changing hidden form values in a local copy of the web page 

D. There is no way the attacker could do this without directly compromising either the web server or the database 

Answer: C

Explanation: Changing hidden form values is possible when a web site is poorly built and trusts the visitor's computer to submit vital data, like the price of a product, to the database.

Q167. During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network-based IDS systems. While researching that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces?

A. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses. 

B. Send your attack traffic and look for it to be dropped by the IDS. 

C. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network. 

D. The sniffing interface cannot be detected. 

Answer: D

Explanation: When a NIC is set to promiscuous mode it just blindly takes whatever comes through to its network interface and sends it to the application layer. This is why such interfaces are so hard to detect. Actually, you could send ARP requests to every PC, and the one that responds to all the requests can be identified as a NIC in promiscuous mode; there are some very special programs that can do this for you. But considering the alternatives in the question, the right answer has to be that the interface cannot be detected.

Q168. Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack? 

A. Timestamps 

B. SMB Signing 

C. File permissions 

D. Sequence numbers monitoring 

Answer: ABD

Q169. Here is the ASCII Sheet. 

You want to guess the DBO username juggyboy (8 characters) using Blind SQL Injection technique. 

What is the correct syntax? 

A. Option A 

B. Option B 

C. Option C 

D. Option D 

Answer: A

Q170. Exhibit: 

You are conducting a pen-test against a company’s website using SQL Injection techniques. You enter “anything or 1=1-” in the username field of an authentication form. This is the output returned from the server.

What is the next step you should do? 

A. Identify the user context of the web application by running: USER_NAME() = ‘dbo’

B. Identify the database and table name by running: AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype=’U’),1))) > 109 

C. Format the C: drive and delete the database by running: AND xp_cmdshell ‘format c: /q /yes ‘; drop database myDB; --

D. Reboot the web server by running: AND xp_cmdshell ‘iisreset –reboot’; --

Answer: A

Q171. You are having problems while retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned show all ports open.

Which one of the following statements is probably true? 

A. The systems have all ports open. 

B. The systems are running a host based IDS. 

C. The systems are web servers. 

D. The systems are running Windows. 

Answer: D

Explanation: The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world. If the port is closed, a RST frame should be returned, and a null scan to an open port results in no response. Unfortunately Microsoft (as usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows, as they choose not to respond at all. This is a good way to determine that the system being scanned is running Microsoft Windows.

Q172. Jack Hackers wants to break into Brown’s Computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him “just to double check our records”. Jane does not suspect anything amiss and parts with her password. Jack can now access Brown Co.’s computer with a valid username and password to steal the cookie recipe. What kind of attack is being illustrated here?

A. Faking Identity 

B. Spoofing Identity 

C. Social Engineering 

D. Reverse Psychology 

E. Reverse Engineering 

Answer: C

Explanation: Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim. 

Q173. Snort is an open source Intrusion Detection system. However, it can also be used for a few other purposes as well. 

Which of the choices below indicate the other features offered by Snort? 

A. IDS, Packet Logger, Sniffer 

B. IDS, Firewall, Sniffer 

C. IDS, Sniffer, Proxy 

D. IDS, Sniffer, content inspector 

Answer: A

Explanation: Snort is a free software network intrusion detection and prevention system capable of performing packet logging and real-time traffic analysis on IP networks. Snort was written by Martin Roesch but is now owned and developed by Sourcefire.

Q174. June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus? 

A. No. June can't use an antivirus program since it compares the size of executable files to the database of known viral signatures and it is effective on a polymorphic virus 

B. Yes. June can use an antivirus program since it compares the parity bit of executable files to the database of known check sum counts and it is effective on a polymorphic virus 

C. Yes. June can use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and it is very effective against a polymorphic virus 

D. No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and in this case the polymorphic viruses cannot be detected by a signature-based anti-virus program

Answer: D

Explanation: Although there are functions like heuristic scanning and sandbox technology, antivirus programs still depend mainly on signature databases and can only find already known viruses.

Q175. Daryl is a network administrator working for Dayton Technologies. Since Daryl’s background is in web application development, many of the programs and applications his company uses are web-based. Daryl sets up a simple forms-based logon screen for all the applications he creates so they are secure. 

The problem Daryl is having is that his users are forgetting their passwords quite often and sometimes he does not have the time to get into his applications and change the passwords for them. Daryl wants a tool or program that can monitor web-based passwords and notify him when a password has been changed so he can use that tool whenever a user calls him and he can give them their password right then. 

What tool would work best for Daryl’s needs? 

A. Password sniffer 

B. L0phtcrack 

C. John the Ripper 

D. WinHttrack 


Explanation: L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords. John the Ripper is one of the most popular password testing/breaking programs, as it combines a number of password crackers into one package, autodetects password hash types, and includes a customisable cracker. It can be run against various encrypted password formats, including several crypt password hash types. WinHttrack is an offline browser. A password sniffer would give Daryl the passwords when they are changed, as it is web-based authentication over a simple form, but it would still be more correct to give the users new passwords instead of keeping a copy of the passwords in clear text.

Q176. What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht have in common?

A. All are hacking tools developed by the legion of doom 

B. All are tools that can be used not only by hackers, but also security personnel 

C. All are DDOS tools 

D. All are tools that are only effective against Windows 

E. All are tools that are only effective against Linux 


Explanation: All are DDOS tools. 

Q177. What is the goal of a Denial of Service Attack? 

A. Capture files from a remote computer. 

B. Render a network or computer incapable of providing normal service. 

C. Exploit a weakness in the TCP stack. 

D. Execute service at PS 1009. 

Answer: B

Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB). 

Q178. What is the proper response for a NULL scan if the port is closed? 






F. No response 


Explanation: Closed ports respond to a NULL scan with a reset. 

Q179. What is the best means of prevention against viruses? 

A. Assign read only permission to all files on your system. 

B. Remove any external devices such as floppy and USB connectors. 

C. Install a rootkit detection tool. 

D. Install and update anti-virus scanner. 

Answer: D

Explanation: Although virus scanners can only find already known viruses, this is still the best defense, together with users who are informed about the risks of the internet.

Q180. An SNMP scanner is a program that sends SNMP requests to multiple IP addresses, trying different community strings and waiting for a reply. Unfortunately SNMP servers don't respond to requests with invalid community strings and the underlying protocol does not reliably report closed ports. This means that 'no response' from the probed IP address can mean which of the following: 

(Select up to 3) 

A. Invalid community string 

B. S-AUTH protocol is running on the SNMP server 

C. Machine unreachable 

D. SNMP server not running 

Answer: ACD