Latest ECCouncil 312-50v8 Real Exam Download 751-760

Ensurepass

QUESTION 751

_________ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. It secures information by assigning sensitivity labels on information and comparing this to the level of security a user is operating at.

 

A. Mandatory Access Control

B. Authorized Access Control

C. Role-based Access Control

D. Discretionary Access Control

 

Answer: A 

In computer security,mandatory access control (MAC) is a kind of access control,defined by the TCSEC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e.,clearance) of subjects to access information of such sensitivity."

 

 

QUESTION 752

Say that "abigcompany.com" had a security vulnerability in the javascript on their website in the past. They recently fixed the security vulnerability, but it had been there for many months. Is there some way to 4go back and see the code for that error?

Select the best answer.

 

A. archive.org

B. There is no way to get the changed webpage unless you contact someone at the company

C. Usenet

D. Javascript would not be in their html so a service like usenet or archive wouldn’t help you

 

Answer: A 

Explanations: Archive.org is a website that periodically archives internet content. They have archives of websites over many years. It could be used to go back and look at the javascript as javascript would be in the HTML code.

 

 

QUESTION 753

Which of the following is the best way an attacker can passively learn about technologies used in an organization?

 

A. By sending web bugs to key personnel

B. By webcrawling the organization web site

C. By searching regional newspapers and job databases for skill sets technology hires need to possess in the organization

D. By performing a port scan on the organization’s web site

 

Answer: C 

Note: Sending web bugs,webcrawling their site and port scanning are considered "active" attacks,the question asks "passive"

 

 

QUESTION 754

Which of the following is most effective against passwords?

Select the Answer:

 

A. Dictionary Attack

B. BruteForce attack

C. Targeted Attack

D. Manual password Attack

 

Answer: B 

The most effective means of password attack is brute force,in a brute force attack the program will attempt to use every possible combination of characters. While this takes longer then a dictionary attack,which uses a text file of real words,it is always capable of breaking the password.

 

 

QUESTION 755

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The file Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.

He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below:

What can you infer from the exploit given?

 

A. It is a local exploit where the attacker logs in using username johna2k.

B. There are two attackers on the system Ƀ johna2k and haxedj00.

C. The attack is a remote exploit and the hacker downloads three files.

D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port.

 

Answer: C 

 

 

QUESTION 756

Bill is attempting a series of SQL queries in order to map out the tables within the database that he is trying to exploit.

Choose the attack type from the choices given below.

 

A. Database Fingerprinting

B. Database Enumeration

C. SQL Fingerprinting

D. SQL Enumeration

 

Answer: A 

He is trying to create a view of the characteristics of the target database,he is taking itos fingerprints

 

 

QUESTION 757

Exhibit:

clip_image002

You are conducting pen-test against a companyos website using SQL Injection techniques. You enter panuthing or 1=1-p in the username filed of an authentication form. This is the output returned from the server.

What is the next step you should do?

 

A. Identify the user context of the web application by running_

http://www.example.com/order/include_rsa_asp?pressReleaseID=5

AND

USER_NAME() = ndboo

B. Identify the database and table name by running:

http://www.example.com/order/include_rsa.asp?pressReleaseID=5

AND

ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE

xtype=oUo),1))) > 109

C. Format the C: drive and delete the database by running:

http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND

xp_cmdshell nformat c: /q /yes n; drop database myDB; —

D. Reboot the web server by running:

http://www.example.com/order/include_rsa.asp?pressReleaseID=5

AND xp_cmdshell niisreset ╔ârebooto; —

 

Answer: A  

 

 

QUESTION 758

Your boss Tess King is attempting to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. What would you call such an attack?

 

A. SQL Input attack

B. SQL Piggybacking attack

C. SQL Select attack

D. SQL Injection attack

 

Answer: D 

This technique is known as SQL injection attack

 

 

QUESTION 759

When a malicious hacker identifies a target and wants to eventually compromise this target, what would be among the first steps that he would perform? (Choose the best answer)

 

A. Cover his tracks by eradicating the log files and audit trails.

B. Gain access to the remote computer in order to conceal the venue of attacks.

C. Perform a reconnaissance of the remote target for identical of venue of attacks.

D. Always begin with a scan in order to quickly identify venue of attacks.

 

Answer: C 

A hacker always starts with a preparatory phase (Reconnaissance) where he seeks to gather as much information as possible about the target of evaluation prior to launching an attack. The reconnaissance can be either passive or active (or both).

 

 

QUESTION 760

A particular database threat utilizes a SQL injection technique to penetrate a target system. How would an attacker use this technique to compromise a database?

 

A. An attacker uses poorly designed input validation routines to create or alter SQL commands to gain access to unintended data or execute commands of the database

B. An attacker submits user input that executes an operating system command to compromise a target system

C. An attacker gains control of system to flood the target system with requests,preventing legitimate users from gaining access

D. An attacker utilizes an incorrect configuration that leads to access with higher-than-expected privilege of the database

 

Answer: A 

Using the poorly designed input validation to alter or steal data from a database is a SQL injection attack.

 

 

Download Latest ECCouncil 312-50v8 Real Free Tests , help you to pass exam 100%.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.