
2021 Jan ceh exam 312-50 pdf:

Q121. Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds them to be abnormal. If you were the penetration tester, why would you find this abnormal?

(Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)

05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1 TCP TTL:44 TOS:0x10 ID:242 ***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400 . . . 

05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024 TCP TTL:44 TOS:0x10 ID:242 ***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400

What is odd about this attack? (Choose the most appropriate statement) 

A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags. 

B. This is back orifice activity as the scan comes from port 31337. 

C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid. 

D. These packets were created by a tool; they were not created by a standard IP stack.

Answer: B

Explanation: Port 31337 is normally used by Back Orifice. Note that 31337 is the hackers' spelling of ‘elite’, meaning ‘elite hackers’.


Q122.

1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms
2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms
3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 13.933 ms 20.938 ms
5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms
7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms
9 so-7-0-0.gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.111 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 37.894 ms 33.244 ms 33.910 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms
18 target-gw1.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms
19 www.target.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms
20 www.target.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms

You perform the above traceroute and notice that hops 19 and 20 both show the same IP address. This probably indicates what? 

A. A host based IDS 

B. A Honeypot 

C. A stateful inspection firewall 

D. An application proxying firewall 

Answer: C


Q123. Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Bob decided to insert 400 characters into the 200-character buffer. (Overflows the buffer). Below is the code snippet. 

How can you protect/fix the problem of your application as shown above? 

A. Because the counter starts with 0, we would stop when the counter is less than 200 

B. Because the counter starts with 0, we would stop when the counter is more than 200 

C. Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it can’t hold any more data 

D. Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it can’t hold any more data 

Answer: AC

Explanation: I=199 would be the character number 200. The stack holds exactly 200 characters so there is no need to stop before 200.


Q124. Peter has been monitoring his IDS and sees that a huge number of ICMP Echo Reply packets are being received on the External Gateway interface. Further inspection reveals that they are not responses to requests from internal hosts but simply responses coming from the Internet. What could be the likely cause of this?

A. Someone Spoofed Peter’s IP Address while doing a land attack 

B. Someone Spoofed Peter’s IP Address while doing a DoS attack 

C. Someone Spoofed Peter’s IP Address while doing a smurf Attack 

D. Someone Spoofed Peter’s IP address while doing a fraggle attack 

Answer:

Explanation: An attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks with forged source address pointing to the target (victim) of the attack. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target. 


Q125. Lori was performing an audit of her company's internal Sharepoint pages when she came across the following code: What is the purpose of this code? 

A. This JavaScript code will use a Web Bug to send information back to another server. 

B. This code snippet will send a message to a server at 192.154.124.55 whenever the "escape" key is pressed. 

C. This code will log all keystrokes. 

D. This bit of JavaScript code will place a specific image on every page of the RSS feed. 

Answer: C


Q126. You are writing an antivirus bypassing Trojan using C++ code wrapped into chess.c to create an executable file chess.exe. This Trojan when executed on the victim machine, scans the entire system (c:\) for data with the following text “Credit Card” and “password”. It then zips all the scanned files and sends an email to a predefined hotmail address. 

You want to make this Trojan persistent so that it survives computer reboots. To which registry entry will you add a key to make it persistent?

A. HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\RunServices

B. HKEY_LOCAL_USER\SOFTWARE\MICROSOFT\Windows\CurrentVersion\RunServices

C. HKEY_LOCAL_SYSTEM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\RunServices

D. HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CurrentVersion\RunServices

Answer:

Explanation: HKEY_LOCAL_MACHINE would be the natural place for a registry entry that starts services when the MACHINE is rebooted. 

Topic 7, Sniffers 

248. Exhibit: 

ettercap -NCLzs --quiet

What does the command in the exhibit do in “Ettercap”? 

A. This command will provide you the entire list of hosts in the LAN 

B. This command will check if someone is poisoning you and will report its IP. 

C. This command will detach from console and log all the collected passwords from the network to a file. 

D. This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs. 

Answer: C

Explanation: -N = NON interactive mode (without ncurses) 

-C = collect all users and passwords 

-L = if used with -C (collector) it creates a file with all the password sniffed in the session in the form "YYYYMMDD-collected-pass.log"

-z = start in silent mode (no arp storm on start up) 

-s = IP BASED sniffing 

--quiet = "demonize" ettercap. Useful if you want to log all data in background. 


Q127. Derek has stumbled upon a wireless network and wants to assess its security. However, he does not find enough traffic for a good capture. He intends to use AirSnort on the captured traffic to crack the WEP key and does not know the IP address range or the AP. How can he generate traffic on the network so that he can capture enough packets to crack the WEP key? 

A. Use any ARP requests found in the capture 

B. Derek can use a session replay on the packets captured 

C. Derek can use KisMAC as it needs two USB devices to generate traffic 

D. Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic 

Answer: D

Explanation: By forcing the network to answer to a lot of ICMP messages you can gather enough packets to crack the WEP key. 


Q128. You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three-way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250.

Within what range of sequence numbers should a packet, sent by the client fall in order to be accepted by the server? 

A. 200-250 

B. 121-371 

C. 120-321 

D. 121-231 

E. 120-370 

Answer:

Explanation: Packet number 120 has already been received by the server and the window is 250 packets, so the server accepts any packet number from 121 (next in sequence) to 371 (121+250).


Q129. Which of the following is an automated vulnerability assessment tool?

A. Whack a Mole 

B. Nmap 

C. Nessus 

D. Kismet 

E. Jill32 

Answer:

Explanation: Nessus is a vulnerability assessment tool. 


Q130. Jim was having no luck performing a penetration test on his company’s network. He was running the test from home and had downloaded every security scanner he could lay his hands on. Despite knowing the IP range of all of the systems and the exact network configuration, Jim was unable to get any useful results. Why is Jim having these problems? 

A. Security scanners can’t perform vulnerability linkage 

B. Security Scanners are not designed to do testing through a firewall 

C. Security Scanners are only as smart as their database and can’t find unpublished vulnerabilities 

D. All of the above 

Answer: D

Explanation: Security scanners are designed to find vulnerabilities but not to use them. They will also only find well-known vulnerabilities and no zero-day exploits. Therefore you can’t use a security scanner for penetration testing but need a more powerful program.