312-50v13 EC-Council Exam Questions and Free Practice Test

Question 127

- (Topic 1)
A company??s security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?

A. Attempts by attackers to access the user and password information stored in the company??s SQL database.

B. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user??s authentication credentials.

C. Attempts by attackers to access password stored on the user??s computer without the user??s knowledge.

D. Attempts by attackers to determine the user??s Web browser usage patterns, including when sites were visited and for how long.

Correct Answer:B

Question 128

- (Topic 2)
You have successfully logged on a Linux system. You want to now cover your trade Your login attempt may be logged on several files located in /var/log. Which file does NOT belongs to the list:

A. user.log

B. auth.fesg

C. wtmp

D. btmp

Correct Answer:C

Question 129

- (Topic 3)
Leverox Solutions hired Arnold, a security professional, for the threat intelligence process. Arnold collected information about specific threats against the organization. From this information, he retrieved contextual information about security events and incidents that helped him disclose potential risks and gain insight into attacker methodologies. He collected the information from sources such as humans, social media, and chat rooms as well as from events that resulted in cyberattacks. In this process, he also prepared a report that includes identified malicious activities, recommended courses of action, and warnings for emerging attacks. What is the type of threat intelligence collected by Arnold in the above scenario?

A. Strategic threat intelligence

B. Tactical threat intelligence

C. Operational threat intelligence

D. Technical threat intelligence

Correct Answer:C

Question 130

- (Topic 2)
Which utility will tell you in real time which ports are listening or in another state?

A. Netstat

B. TCPView

C. Nmap

D. Loki

Correct Answer:B

Question 131

- (Topic 2)
Gavin owns a white-hat firm and is performing a website security audit for one of his clients. He begins by running a scan which looks for common misconfigurations and outdated software versions. Which of the following tools is he most likely using?

A. Nikto

B. Nmap

C. Metasploit

D. Armitage

Correct Answer:B

Question 132

- (Topic 3)
A network security analyst, while conducting penetration testing, is aiming to identify a service account password using the Kerberos authentication protocol. They have a valid
user authentication ticket (TGT) and decided to carry out a Kerberoasting attack. In the scenario described, which of the following steps should the analyst take next?

A. Carry out a passive wire sniffing operation using Internet packet sniffers

B. Extract plaintext passwords, hashes, PIN codes, and Kerberos tickets using a tool like Mimikatz

C. Perform a PRobability INfinite Chained Elements (PRINCE) attack

D. Request a service ticket for the service principal name of the target service account

Correct Answer:D
A Kerberoasting attack is a technique that exploits the weak encryption of Kerberos service tickets to obtain the password hashes of service accounts that have a Service Principal Name (SPN) associated with them. The attacker can then crack the hashes offline and use the plaintext passwords to impersonate the service accounts and access network resources.
A Kerberoasting attack follows these steps1:
✑ The attacker impersonates a legitimate Active Directory user and authenticates to the Key Distribution Center (KDC) in the Active Directory environment. They then request a Ticket Granting Ticket (TGT) from the KDC to access network resources. The KDC complies because the attacker is impersonating a legitimate user.
✑ The attacker enumerates the service accounts that have an SPN using tools like GetUserSPNs.py or PowerView. They then request a service ticket for each SPN from the KDC using their TGT. The KDC grants the service tickets, which are encrypted with the password hashes of the service accounts.
✑ The attacker captures the service tickets and takes them offline. They then attempt to crack the password hashes using tools like Hashcat or John the Ripper. They can use various methods, such as brute force, dictionary, or hybrid attacks, to guess the passwords. Alternatively, they can use a PRINCE attack, which is a probabilistic password generation technique that combines common words, patterns, and transformations to generate likely passwords2.
✑ Once the attacker obtains the plaintext passwords of the service accounts, they can use them to authenticate as the service accounts and access the network resources that they are authorized to.
Therefore, the next step that the analyst should take after obtaining a valid TGT is to request a service ticket for the SPN of the target service account. This will allow them to capture the service ticket and extract the password hash of the service account. References:
✑ How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX
✑ PRINCE: PRobability INfinite Chained Elements

START 312-50v13 EXAM