Question No. 1

You are an ethical hacker contracted to conduct a security audit for a company. During the audit, you discover that the company's wireless network is using WEP encryption. You understand the vulnerabilities associated with WEP and plan to recommend a more secure encryption method. Which of the following would you recommend as a Suitable replacement to enhance the security of the company's wireless network?

AMAC address filtering

BWPA2-PSK with AES encryption

COpen System authentication

DSSID broadcast disabling

Show Answer

Correct Answer: B

WEP encryption is an outdated and insecure method of protecting wireless networks from unauthorized access and eavesdropping.WEP uses a static key that can be easily cracked by various tools and techniques, such as capturing the initialization vectors, brute-forcing the key, or exploiting the weak key scheduling algorithm1. Therefore, you should recommend a more secure encryption method to enhance the security of the company's wireless network.

One of the most suitable replacements for WEP encryption is WPA2-PSK with AES encryption. WPA2 stands for Wi-Fi Protected Access 2, which is a security standard that improves upon the previous WPA standard. WPA2 uses a robust encryption algorithm called AES, which stands for Advanced Encryption Standard.AES is a block cipher that uses a 128-bit key and is considered to be very secure and resistant to attacks2.

WPA2-PSK stands for WPA2 Pre-Shared Key, which is a mode of WPA2 that uses a passphrase or a password to generate the encryption key. The passphrase or password must be entered by the users who want to connect to the wireless network. The key is then derived from the passphrase or password using a function called PBKDF2, which stands for Password-Based Key Derivation Function 2.PBKDF2 adds a salt and a number of iterations to the passphrase or password to make it harder to crack3.

WPA2-PSK with AES encryption offers several advantages over WEP encryption, such as:

It uses a dynamic key that changes with each session, instead of a static key that remains the same.

It uses a stronger encryption algorithm that is more difficult to break, instead of a weaker encryption algorithm that is more vulnerable to attacks.

It uses a longer key that provides more security, instead of a shorter key that provides less security.

It uses a more secure key derivation function that adds complexity and randomness, instead of a simple key generation function that is predictable and flawed.

Therefore, you should recommend WPA2-PSK with AES encryption as a suitable replacement to enhance the security of the company's wireless network.

Wireless Security - Encryption - Online Tutorials Library

WiFi Security: WEP, WPA, WPA2, WPA3 And Their Differences - NetSpot

WPA2-PSK (Wi-Fi Protected Access 2 Pre-Shared Key)

Question No. 2

A sophisticated attacker targets your web server with the intent to execute a Denial of Service (DoS) attack. His strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using 'r' packets per second. Your server, reinforced with advanced security measures, can handle 'h' packets per second before it starts showing signs of strain. If 'r' surpasses 'h', it overwhelms the server, causing it to become unresponsive. In a peculiar pattern, the attacker selects 'r' as a composite number and 'h' as a prime number, making the attack detection more challenging. Considering 'r=2010' and different values for 'h', which of the following scenarios would potentially cause the server to falter?

Ah=1999 (prime): Despite the attacker's packet flood, the server can handle these requests, remaining responsive

Bh=2003 (prime): The server can manage more packets than the attacker is sending, hence it stays operational

Ch=1993 (prime): Despite being less than 'r', the server's prime number capacity keeps it barely operational, but the risk of falling is imminent

Dh=1987 (prime): The attacker's packet rate exceeds the server's capacity, causing potential unresponsiveness

Show Answer

Correct Answer: D

A Denial of Service (DoS) attack is a type of cyberattack that aims to make a machine or network resource unavailable to its intended users by flooding it with traffic or requests that consume its resources. A TCP SYN flood attack is a type of DoS attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. A UDP flood attack is a type of DoS attack that sends a large number of UDP packets to random ports on the target server, forcing it to check for the application listening at that port and reply with an ICMP packet. An ICMP flood attack is a type of DoS attack that sends a large number of ICMP packets, such as ping requests, to the target server, overwhelming its ICMP processing capacity.

The attacker's strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using 'r' packets per second. The server can handle 'h' packets per second before it starts showing signs of strain. If 'r' surpasses 'h', it overwhelms the server, causing it to become unresponsive. The attacker selects 'r' as a composite number and 'h' as a prime number, making the attack detection more challenging. This is because prime numbers are less predictable and more difficult to factorize than composite numbers, which may hinder the analysis of the attack pattern.

Considering 'r=2010' and different values for 'h', the scenario that would potentially cause the server to falter is the one where 'h=1987' (prime). This is because 'r' is greater than 'h' by 23 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The other scenarios would not cause the server to falter, as 'h' is either greater than or very close to 'r', which means the server can either manage or barely cope with the incoming traffic.Reference:

What is a denial-of-service (DoS) attack? | Cloudflare

Denial-of-Service (DoS) Attack: Examples and Common Targets - Investopedia

DDoS Attack Types: Glossary of Terms

What is a Denial of Service (DoS) Attack? | Webopedia

Question No. 3

You have been hired as an intern at a start-up company. Your first task is to help set up a basic web server for the company's new website. The team leader has asked you to make sure the server is secure from common - threats. Based on your knowledge from studying for the CEH exam, which of the following actions should be

your priority to secure the web server?

AInstalling a web application firewall

Blimiting the number of concurrent connections to the server

CEncrypting the company's website with SSL/TLS

DRegularly updating and patching the server software

Show Answer

Correct Answer: D

One of the most important actions to secure a web server from common threats is to regularly update and patch the server software. This includes the operating system, the web server software, the database software, and any other applications or frameworks that run on the server. Updating and patching the server software can fix known vulnerabilities, bugs, or errors that could be exploited by attackers to compromise the server or the website. Failing to update and patch the server software can expose the server to common attacks, such as SQL injection, cross-site scripting, remote code execution, denial-of-service, etc.

Installing a web application firewall, limiting the number of concurrent connections to the server, and encrypting the company's website with SSL/TLS are also good practices to secure a web server, but they are not as critical as updating and patching the server software. A web application firewall can filter and block malicious requests, but it cannot prevent attacks that exploit unpatched vulnerabilities in the server software. Limiting the number of concurrent connections to the server can prevent overload and improve performance, but it cannot stop attackers from sending malicious requests or payloads. Encrypting the company's website with SSL/TLS can protect the data in transit between the server and the client, but it cannot protect the data at rest on the server or prevent attacks that target the server itself.

Therefore, the priority action to secure a web server from common threats is to regularly update and patch the server software.

Web Server Security- Beginner's Guide - Astra Security Blog

Top 10 Web Server Security Best Practices | Liquid Web

21 Server Security Tips & Best Practices To Secure Your Server - phoenixNAP

Question No. 4

Your network infrastructure is under a SYN flood attack. The attacker has crafted an automated botnet to

simultaneously send 's' SYN packets per second to the server. You have put measures in place to manage 'f

SYN packets per second, and the system is designed to deal with this number without any performance issues.

If 's' exceeds 'f', the network infrastructure begins to show signs of overload. The system's response time

increases exponentially (24k), where 'k' represents each additional SYN packet above the ff limit. Now, considering 's=500' and different 'f values, in which scenario is the server most likely to experience overload and significantly increased response times?

Af=510: The server can handle 510 SYN packets per second, which is greater than what the attacker is sending. The system stays stable, and the response time remains unaffected

Bf=495: The server can handle 495 SYN packets per second. The response time drastically rises (245 = 32 times the normal), indicating a probable system overload

Cf=S05: The server can handle 505 SYN packets per second. In this case, the response time increases but not as drastically (245 = 32 times the normal), and the systern might still function, albeit slowly

Df=420: The server can handle 490 SYN packets per second. With 's' exceeding 'f by 10, the response time shoots up (2410 = 1024 times the usual response time), indicating a system overload

Show Answer

Correct Answer: D

A SYN flood attack is a type of denial-of-service (DoS) attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. This consumes the connection state tables on the server, preventing it from accepting new connections. The attacker has crafted an automated botnet to simultaneously send 's' SYN packets per second to the server. The server can handle 'f' SYN packets per second without any performance issues. If 's' exceeds 'f', the network infrastructure begins to show signs of overload. The system's response time increases exponentially (24k), where 'k' represents each additional SYN packet above the 'f' limit.

Considering 's=500' and different 'f' values, the scenario that is most likely to cause the server to experience overload and significantly increased response times is the one where 'f=420'. This is because 's' is greater than 'f' by 80 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The response time shoots up (2480 = 281,474,976,710,656 times the normal response time), indicating a system overload.

The other scenarios are less likely or less severe than the one where 'f=420'. Option A has 'f=510', which is greater than 's', so the system stays stable and the response time remains unaffected. Option B has 'f=495', which is less than 's' by 5 packets per second, so the response time drastically rises (245 = 32 times the normal response time), indicating a probable system overload, but not as extreme as option D. Option C has 'f=505', which is less than 's' by 5 packets per second, so the response time increases but not as drastically (245 = 32 times the normal response time), and the system might still function, albeit slowly.Reference:

SYN flood DDoS attack | Cloudflare

SYN flood - Wikipedia

What Is a SYN Flood Attack? | F5

What is a SYN flood attack and how to prevent it? | NETSCOUT

Question No. 5

A certified ethical hacker is conducting a Whois footprinting activity on a specific domain. The individual is leveraging various tools such as Batch IP Converter and Whols Analyzer Pro to retrieve vital details but is unable to gather complete Whois information from the registrar for a particular set of dat

a. As the hacker, what might be the probable data model being utilized by the domain's registrar for storing and looking up

Who is information?

AThick Whois model with a malfunctioning server

BThick Whois model working correctly

CThin Whois model with a malfunctioning server

DThin Whois model working correctly

Show Answer

Correct Answer: D

A thin Whois model is a type of data model that is used by some domain registrars for storing and looking up Whois information. In a thin Whois model, the registrar only stores the basic information about the domain, such as the domain name, the registrar name, the name servers, and the registration and expiration dates. The rest of the information, such as the contact details of the domain owner, the administrative contact, and the technical contact, is stored by the registry that manages the top-level domain (TLD) of the domain. For example, the registry for .com and .net domains is Verisign, and the registry for .org domains is Public Interest Registry.When a Whois lookup is performed on a domain that uses a thin Whois model, the registrar's Whois server only returns the basic information and refers the query to the registry's Whois server for the complete information1.

As a hacker, if you are unable to gather complete Whois information from the registrar for a particular set of data, it might be because the domain's registrar is using a thin Whois model and the registry's Whois server is not responding or providing the information. This could be due to various reasons, such as network issues, server errors, rate limits, privacy policies, or legal restrictions. Therefore, the probable data model being utilized by the domain's registrar for storing and looking up Whois information is a thin Whois model working correctly.

Differences Between Thin WHOIS vs Thick WHOIS -- OpenSRS Help & Support

Eccouncil 312-50 Exam Actual Questions

The questions for 312-50 were last updated on Sep 30, 2024.

Unlock All Questions for Eccouncil 312-50 Exam