312-50 Free Practice Test

- (Topic 23)
You have installed antivirus software and you want to be sure that your AV signatures are working correctly. You don't want to risk the deliberate introduction of a live virus to test the AV software. You would like to write a harmless test virus, which is based on the European Institute for Computer Antivirus Research format that can be detected by the AV software.
How should you proceed?

1. A. Type the following code in notepad and save the file as SAMPLEVIRUS.CO
2. B. Your antivirus program springs into action whenever you attempt to open, run or copy i
3. C. X5O!P%@AP[4\PZX54(P^)7CC)7}$SAMPLEVIRUS-STANDARD-ANTIVIRUS-TEST- FILE!$H+H*
4. D. Type the following code in notepad and save the file as AVFILE.CO
5. E. Your antivirus program springs into action whenever you attempt to open, run or copy it.X5O!P%@AP[4\PZX54(P^)7CC)7}$AVFILE-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
6. F. Type the following code in notepad and save the file as TESTAV.CO
7. G. Your antivirus program springs into action whenever you attempt to open, run or copy i
8. H. X5O!P%@AP[4\PZX54(P^)7CC)7}$TESTAV-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
9. I. Type the following code in notepad and save the file as EICAR.CO
10. J. Your antivirus program springs into action whenever you attempt to open, run or copy i
11. K. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Correct Answer: D
The EICAR test file (official name: EICAR Standard Anti-Virus Test File) is a file, developed by the European Institute for Computer
Antivirus Research, to test the response of computer antivirus (AV) programs. The rationale behind it is to allow people, companies, and AV programmers
to test their software without having to use a real computer virus that could cause actual damage should the AV not respond correctly. EICAR likens
the use of a live virus to test AV software to setting a fire in a trashcan to test a fire alarm, and promotes the EICAR test file as a safe alternative.

- (Topic 8)
What happens when one experiences a ping of death?

1. A. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the “type” field in the ICMP header is set to 18 (Address Mask Reply).
2. B. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset ‘ 8) + (IP data length) >65535.In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
3. C. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the source equal to destination address.
4. D. This is when an the IP header is set to 1 (ICMP) and the “type” field in the ICMP header is set to 5 (Redirect).

Correct Answer: B
A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an offest where (IP offset *8) + (IP data length)>65535. This means that when the packet is reassembled, its total length is larger than the legal limit, causing buffer overruns in the machine's OS (becouse the buffer sizes are defined only to accomodate the maximum allowed size of the packet based on RFC 791)...IDS can generally recongize such attacks by looking for packet fragments that have the IP header's protocol field set to 1 (ICMP), the last bit set, and (IP offset *8) +(IP data length)>65535" CCIE Professional Development Network Security Principles and Practices by Saadat Malik pg 414 "Ping of Death" attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting.

- (Topic 16)
The Slammer Worm exploits a stack-based overflow that occurs in a DLL implementing the Resolution Service.
Which of the following Database Server was targeted by the slammer worm?

1. A. Oracle
2. B. MSSQL
3. C. MySQL
4. D. Sybase
5. E. DB2

Correct Answer: B
W32.Slammer is a memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in SQL Server 2000 systems and systems with MSDE 2000 that have not applied the patch released by Microsoft Security Bulletin MS02-039.

- (Topic 12)
Scanning for services is an easy job for Bob as there are so many tools available from the Internet. In order for him to check the vulnerability of company, he went through a few scanners that are currently available. Here are the scanners that he uses:
✑ Axent’s NetRecon (http://www.axent.com)
✑ SARA, by Advanced Research Organization (http://www-arc.com/sara)
✑ VLAD the Scanner, by Razor (http://razor.bindview.com/tools/)
However, there are many other alternative ways to make sure that the services that have been scanned will be more accurate and detailed for Bob.
What would be the best method to accurately identify the services running on a victim host?

1. A. Using Cheops-ng to identify the devices of company.
2. B. Using the manual method of telnet to each of the open ports of company.
3. C. Using a vulnerability scanner to try to probe each port to verify or figure out which service is running for company.
4. D. Using the default port and OS to make a best guess of what services are running on each port for company.

Correct Answer: B
By running a telnet connection to the open ports you will receive banners that tells you what service is answering on that specific port.

- (Topic 23)
Your company has blocked all the ports via external firewall and only allows port 80/443 to connect to the Internet. You want to use FTP to connect to some remote server on the Internet. How would you accomplish this?

1. A. Use HTTP Tunneling
2. B. Use Proxy Chaining
3. C. Use TOR Network
4. D. Use Reverse Chaining

Correct Answer: A