Last Updated on July 20, 2021 by InfraExam

312-49 : Computer Hacking Forensic Investigator : Part 09

  1. George is the network administrator of a large Internet company on the west coast. Per corporate policy, none of the employees in the company are allowed to use FTP or SFTP programs without obtaining approval from the IT department. Few managers are using SFTP program on their computers. Before talking to his boss, George wants to have some proof of their activity. George wants to use Ethereal to monitor network traffic, but only SFTP traffic to and from his network.

    What filter should George use in Ethereal?

    • src port 23 and dst port 23
    • udp port 22 and host 172.16.28.1/24
    • net port 22
    • src port 22 and dst port 22
  2. Your company uses Cisco routers exclusively throughout the network. After securing the routers to the best of your knowledge, an outside security firm is brought in to assess the network security.

    Although they found very few issues, they were able to enumerate the model, OS version, and capabilities for all your Cisco routers with very little effort. Which feature will you disable to eliminate the ability to enumerate this information on your Cisco routers?

    • Border Gateway Protocol
    • Cisco Discovery Protocol
    • Broadcast System Protocol
    • Simple Network Management Protocol
  3. In Linux, what is the smallest possible shellcode?

    • 24 bytes
    • 8 bytes
    • 800 bytes
    • 80 bytes
  4. Jim performed a vulnerability analysis on his network and found no potential problems. He runs another utility that executes exploits against his system to verify the results of the vulnerability test.

    The second utility executes five known exploits against his network in which the vulnerability analysis said were not exploitable. What kind of results did Jim receive from his vulnerability analysis?

    • False negatives
    • False positives
    • True negatives
    • True positives
  5. You work as a penetration tester for Hammond Security Consultants. You are currently working on a contract for the state government of California. Your next step is to initiate a DoS attack on their network. Why would you want to initiate a DoS attack on a system you are testing?

    • Show outdated equipment so it can be replaced
    • List weak points on their network
    • Use attack as a launching point to penetrate deeper into the network
    • Demonstrate that no system can be protected against DoS attacks
  6. Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

    • Linux/Unix computers are easier to compromise
    • Linux/Unix computers are constantly talking
    • Windows computers are constantly talking
    • Windows computers will not respond to idle scans
  7. What operating system would respond to the following command?

    c:\> nmap -sW 10.10.145.65

    • Windows 95
    • FreeBSD
    • Windows XP
    • Mac OS X
  8. Paul’s company is in the process of undergoing a complete security audit including logical and physical security testing. After all logical tests were performed; it is now time for the physical round to begin. None of the employees are made aware of this round of testing. The security-auditing firm sends in a technician dressed as an electrician. He waits outside in the lobby for some employees to get to work and follows behind them when they access the restricted areas. After entering the main office, he is able to get into the server room telling the IT manager that there is a problem with the outlets in that room. What type of attack has the technician performed?

    • Tailgating
    • Backtrapping
    • Man trap attack
    • Fuzzing
  9. On Linux/Unix based Web servers, what privilege should the daemon service be run under?

    • Guest
    • Root
    • You cannot determine what privilege runs the daemon service
    • Something other than root
  10. What will the following URL produce in an unpatched IIS Web Server?

    http://www.thetargetsite.com/scripts/..% co%af../..%co%af../windows/system32/cmd.exe?/c+dir+c:\

    • Directory listing of C: drive on the web server
    • Insert a Trojan horse into the C: drive of the web server
    • Execute a buffer flow in the C: drive of the web server
    • Directory listing of the C:\windows\system32 folder on the web server
  11. What is kept in the following directory? HKLM\SECURITY\Policy\Secrets

    • Cached password hashes for the past 20 users
    • Service account passwords in plain text
    • IAS account names and passwords
    • Local store PKI Kerberos certificates
  12. Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM files on a computer. Where should Harold navigate on the computer to find the file?

    • %systemroot%\system32\LSA
    • %systemroot%\system32\drivers\etc
    • %systemroot%\repair
    • %systemroot%\LSA
  13. You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

    • allinurl:”exchange/logon.asp”
    • intitle:”exchange server”
    • locate:”logon page”
    • outlook:”search”
  14. When setting up a wireless network with multiple access points, why is it important to set each access point on a different channel?

    • Multiple access points can be set up on the same channel without any issues
    • Avoid over-saturation of wireless signals
    • So that the access points will work on different frequencies
    • Avoid cross talk
  15. You are running through a series of tests on your network to check for any security vulnerabilities.

    After normal working hours, you initiate a DoS attack against your external firewall. The firewall Quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?

    • The firewall failed-bypass
    • The firewall failed-closed
    • The firewall ACL has been purged
    • The firewall failed-open
  16. You just passed your ECSA exam and are about to start your first consulting job running security audits for a financial institution in Los Angeles. The IT manager of the company you will be working for tries to see if you remember your ECSA class. He asks about the methodology you will be using to test the company’s network. How would you answer?

    • Microsoft Methodology
    • Google Methodology
    • IBM Methodology
    • LPT Methodology
  17. Software firewalls work at which layer of the OSI model?

    • Application
    • Network
    • Transport
    • Data Link
  18. After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, stateful firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?

    • Stateful firewalls do not work with packet filtering firewalls
    • NAT does not work with stateful firewalls
    • IPSEC does not work with packet filtering firewalls
    • NAT does not work with IPSEC
  19. Jason has set up a honeypot environment by creating a DMZ that has no physical or logical access to his production network. In this honeypot, he has placed a server running Windows Active Directory. He has also placed a Web server in the DMZ that services a number of web pages that offer visitors a chance to download sensitive information by clicking on a button. A week later, Jason finds in his network logs how an intruder accessed the honeypot and downloaded sensitive information. Jason uses the logs to try and prosecute the intruder for stealing sensitive corporate information. Why will this not be viable?

    • Entrapment
    • Enticement
    • Intruding into a honeypot is not illegal
    • Intruding into a DMZ is not illegal
  20. You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?

    • Poison the DNS records with false records
    • Enumerate MX and A records from DNS
    • Establish a remote connection to the Domain Controller
    • Enumerate domain user accounts and built-in groups