James is investigating a system that a cybercriminal was suspected of having used to perform anti-social
activity through the Tor browser. He reviewed the active network connections that Tor established over
specific ports.
Which of the following port numbers does Tor use for establishing a connection via Tor nodes?
B
Explanation:
Tor Network Functionality: The Tor network is designed to protect user anonymity by routing traffic
through a series of relays (nodes). This obfuscates the source of the traffic and makes it difficult to
trace.
SOCKS Proxy: Tor primarily functions as a SOCKS proxy to facilitate this anonymization. Applications
configured to use Tor's SOCKS proxy will have their traffic routed through the Tor network.
Default Ports:
9050: The standard SOCKS port used by standalone Tor installations.
9150: The typical SOCKS port for the Tor Browser Bundle, a self-contained package with Tor and a
pre-configured browser.
Bob, a network specialist in an organization, is attempting to identify malicious activities in the
network. In this process, Bob analyzed specific data that provided him a summary of a conversation
between two network devices, including a source IP and source port, a destination IP and destination
port, the duration of the conversation, and the information shared during the conversation.
Which of the following types of network-based evidence was collected by Bob in the above scenario?
C
Explanation:
In the scenario described, Bob collected data that summarizes a conversation between two network
devices. This type of data typically includes the source and destination IP addresses and ports, the
duration of the conversation, and the information exchanged during the session. This aligns with the
definition of session data, which is a type of network-based evidence that provides an overview of
communication sessions between devices without including the actual content of the data packets.
Reference: The EC-Council Certified Security Specialist (E|CSS) materials cover various types of
network-based evidence as part of the Network Defense, Ethical Hacking, and Digital Forensics
modules. Session data is specifically discussed in the context of network security monitoring and
analysis, where it is used to track and summarize network interactions.
Which of the following practices makes web applications vulnerable to SQL injection attacks?
C
Explanation:
SQL Injection (SQLi) is a prevalent vulnerability in web applications that occurs when an attacker can
insert or manipulate SQL queries using untrusted user input. This vulnerability is exploited by
constructing dynamic SQL statements that include user-provided data without proper validation or
sanitization. When applications concatenate user input values directly into SQL queries, they become
susceptible to SQLi, as attackers can craft input that alters the intended SQL command structure,
leading to unauthorized access or manipulation of the database.
To mitigate SQL injection risks, it’s crucial to avoid creating dynamic SQL queries by concatenating
input values. Instead, best practices such as using prepared statements with parameterized queries,
employing stored procedures, and implementing proper input validation and sanitization should be
followed. These measures help ensure that user input is treated as data rather than part of the SQL
code, thus preserving the integrity of the SQL statement and preventing injection attacks.
SQL Injection (SQLi): This common web application vulnerability arises when untrusted user input is
directly used to construct SQL queries. Attackers can manipulate the input to alter the structure of
the query, leading to data exposure, modification, or even deletion.
Dynamic SQL and Concatenation: Dynamically constructing SQL statements by concatenating user
input is highly dangerous. Consider this example, where the value of userInput is pasted straight
into the query text:
SELECT * FROM users WHERE username = userInput ;
An attacker can provide input like ' OR '1'='1'-- , resulting in this query:
SELECT * FROM users WHERE username = '' OR '1'='1' -- ;
The WHERE clause always evaluates to true because of the OR condition, and the comment marker (--)
discards whatever follows it, so the query effectively bypasses authentication.
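The following script is an added example, not code from the original page, that runs the concatenated query above against its parameterized replacement. It assumes Python's built-in sqlite3 module and seeds an in-memory users table with three constructed accounts; lookup_vulnerable builds the query by string concatenation exactly as the text warns against, lookup_safe binds the same input as a parameter, and is_valid_username is an allowlist check of the kind the text lists as an additional control.

```python
import sqlite3

# Constructed sample accounts (not from the original page); password_hash values are placeholders.
SAMPLE_USERS = [
    ("alice", "placeholder-hash-1"),
    ("bob", "placeholder-hash-2"),
    ("carol", "placeholder-hash-3"),
]

# The attacker input discussed in the text.
PAYLOAD = "' OR '1'='1'--"


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Dynamic SQL built by concatenation: the input becomes part of the SQL code itself."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """Prepared statement: the value is bound separately and can never change the query structure."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def is_valid_username(username):
    """Defence in depth: allowlist validation used in addition to parameterization, never instead of it."""
    return 1 <= len(username) <= 32 and username.isascii() and username.isalnum()


def demo():
    """Run both lookups with a normal name and with the payload; returns the results for inspection."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": sorted(lookup_vulnerable(conn, PAYLOAD)),  # every row leaks
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, PAYLOAD),  # no row has that literal username
        "payload_passes_validation": is_valid_username(PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload, the concatenated query returns every account while the parameterized one returns nothing, because SQLite treats the bound value as a plain string and never parses the quote or the comment marker inside it.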
Melanie, a professional hacker, is attempting to break into a target network through an application
server. In this process, she identified a logic flaw in the target web application that provided visibility
into the source code. She exploited this vulnerability to launch further attacks on the target web
application.
Which of the web application vulnerabilities was identified by Melanie in the above scenario?
B
Explanation:
Melanie discovered a logic flaw in the target web application that allowed her to view the source
code. This flaw indicates a security misconfiguration, which can lead to further attacks.
Security misconfigurations occur when an application or system is not properly configured, leaving it
vulnerable to exploitation.
Reference: EC-Council Certified Security Specialist (E|CSS) documents and study guide.
Harry, a security professional, was hired to identify the details of an attack that was initiated on a
Windows system. In this process, Harry decided to check the logs of currently running applications
and the information related to previously uninstalled or removed applications for suspicious events.
Which of the following folders in a Windows system stores information on applications run on the
system?
D
Explanation:
The Prefetch folder in Windows is used to store information about applications that are run on the
system. This data helps in optimizing the loading times of applications. The correct path is
typically C:\Windows\Prefetch, not C:\Windows\Prefelch as listed in the options.
It’s important to note that while the Prefetch folder does contain logs that can be useful for
understanding application behavior, it does not store logs for currently running applications or
details about previously uninstalled applications.
Bob, a security specialist at an organization, extracted the following IIS log from a Windows-based
server:
“2019-12-12 06:11:41 192.168.0.10 GET /images/content/bg_body_l.jpg - 80 - 192.168.0.27
Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/48.0.2564.103+Safari/537.36
http://www.moviescope.com/css/style.css 200 0 0 365”
Identify the element in the above IIS log entry that indicates the request was fulfilled without error.
C
Explanation:
The element in the given IIS log entry that indicates the request was fulfilled without error is C, 200.
The HTTP status code 200 signifies a successful response, indicating that the server successfully
processed the client’s request.
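The following parser is an added example, not code from the original page, showing how the fields of an IIS log entry like the one in the question are named and where the status code sits. It assumes the W3C log format IIS writes (a #Fields directive naming the columns, one space-separated record per line, spaces inside a value written as '+') and uses a constructed three-line log with the same field order as the entry above.

```python
# Constructed sample log (not from the original page), in the W3C format IIS writes.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2019-12-12 06:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-12-12 06:11:41 192.168.0.10 GET /images/content/bg_body_1.jpg - 80 - 192.168.0.27 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+Chrome/48.0.2564.103 http://www.example.test/css/style.css 200 0 0 365
2019-12-12 06:11:42 192.168.0.10 GET /admin/config.php - 80 - 192.168.0.27 Mozilla/5.0+(Windows+NT+6.3;+WOW64) - 404 0 2 12
2019-12-12 06:11:43 192.168.0.10 POST /login.aspx - 80 - 192.168.0.27 Mozilla/5.0+(Windows+NT+6.3;+WOW64) - 500 0 0 1043
"""


def parse_iis_log(text):
    """Parse W3C-format IIS log text into a list of dicts keyed by the names in the #Fields directive."""
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields affects parsing (it may recur if the field set changes).
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log record appears before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        # IIS replaces spaces inside a value (e.g. the User-Agent) with '+'; restore them.
        # Simplification: a literal '+' in a URI would also be turned into a space here.
        entries.append({name: value.replace("+", " ") for name, value in zip(fields, values)})
    return entries


def request_succeeded(entry):
    """True when sc-status is 2xx, i.e. the request was fulfilled without error (200 in the question)."""
    return 200 <= int(entry["sc-status"]) <= 299


def status_counts(entries):
    """Count records per sc-status value, a quick first view when triaging a log."""
    counts = {}
    for entry in entries:
        counts[entry["sc-status"]] = counts.get(entry["sc-status"], 0) + 1
    return counts


def failed_requests(entries):
    """Records that were not fulfilled cleanly and deserve a second look."""
    return [entry for entry in entries if not request_succeeded(entry)]


if __name__ == "__main__":
    parsed = parse_iis_log(SAMPLE_LOG)
    print(status_counts(parsed))
    for entry in failed_requests(parsed):
        print(entry["c-ip"], entry["cs-method"], entry["cs-uri-stem"], entry["sc-status"], entry["sc-substatus"])
```

Reading the field names off the #Fields line rather than hard-coding column positions matters in practice: administrators can change which fields IIS logs, and the position of sc-status moves with them.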
Which of the following techniques is referred to as a messaging feature that originates from a server
and enables the delivery of data or a message from an application to a mobile device without any
explicit request from the user?
D
Explanation:
A push notification is a messaging feature that originates from a server and enables the delivery of
data or a message from an application to a mobile device without any explicit request from the user.
It allows applications to notify users of new messages, updates, or events even when the app is not
actively running on the device. Push notifications are commonly used in mobile apps to engage users
and provide timely information.
Reference: EC-Council Certified Security Specialist (E|CSS) documents and study guide.
Johnson is a professional hacker who targeted an organization’s customers and decided to crack their
system passwords. In this process, he found a list of valid customers, created a list of possible
passwords, ranked the passwords from high to low probability, and started keying in each password
in the target system until the correct password is discovered.
Identify the type of attack performed by Johnson in the above scenario.
C
Explanation:
The scenario described involves Johnson using a list of possible passwords, which he has ranked by
probability, and systematically entering them into the system to discover the correct one. This
method is known as a dictionary attack, where an attacker uses a prearranged list of likely
passwords—often derived from lists of common passwords or phrases—and tries them one by one.
This is different from a brute force attack, which would involve trying all possible combinations, and
a rainbow table attack, which uses precomputed hash values to crack encrypted passwords.
Password guessing is a less systematic approach that doesn’t necessarily involve a ranked
list of passwords. Reference: The information provided aligns with the knowledge domains of the
EC-Council Certified Security Specialist (E|CSS) program, which includes understanding various types of
attacks and their methodologies as part of the ethical hacking and network defense curriculum.
The scenario described involves Johnson, who has a list of valid customers and a list of possible
passwords ranked by probability, which he uses to systematically attempt to log in to the target
system. This method is known as a dictionary attack. In a dictionary attack, the hacker uses a list of
likely passwords—often derived from lists of common passwords or phrases—and tries them one by
one. This differs from a brute force attack, which involves trying all possible combinations of
characters until the correct one is found.
A dictionary attack is more efficient than brute force because it relies on the likelihood that people
will use common words or phrases for passwords, making it a targeted approach based on
probability rather than random attempts. Therefore, the correct answer is C, as it best describes the
technique used by Johnson in the given scenario.
Below are the various steps involved in establishing a network connection using the shared key
authentication process.
1. The AP sends a challenge text to the station.
2. The station connects to the network.
3. The station encrypts the challenge text using its configured 128-bit key and sends the
encrypted text to the AP.
4. The station sends an authentication frame to the AP.
5. The AP uses its configured WEP key to decrypt the encrypted text and compares it with the
original challenge text.
What is the correct sequence of steps involved in establishing a network connection using the shared
key authentication process?
C
Explanation:
The AP sends a challenge text to the station.
The Access Point (AP) initiates the authentication process by sending a challenge text to the station
(client device).
The station connects to the network.
The station (client device) associates with the wireless network by connecting to the AP.
The station encrypts the challenge text using its configured 128-bit key and sends the encrypted text
to the AP.
The station encrypts the challenge text using the shared secret key (configured on both the station
and the AP).
It then sends the encrypted challenge text back to the AP.
The station sends an authentication frame to the AP.
The station constructs an authentication frame containing the encrypted challenge text.
This frame is sent to the AP for verification.
The AP uses its configured WEP key to decrypt the encrypted text and compares it with the original
challenge text.
The AP decrypts the received encrypted challenge text using its configured WEP (Wired Equivalent
Privacy) key.
If the decrypted text matches the original challenge text, the station is authenticated successfully.
Therefore, the correct sequence is C: 4 → 1 → 3 → 5 → 2. This order ensures that the challenge
text is exchanged securely and verified by both the station and the AP during the shared key
authentication process.
Reference:
EC-Council Certified Security Specialist (E|CSS) documents and study guide.
EC-Council Certified Security Specialist (E|CSS) course materials.
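The following simulation is an added example, not code from the original page, that plays the shared key exchange through in the order given above (4 → 1 → 3 → 5 → 2) with an AccessPoint and a Station object exchanging messages. It uses real RC4 so that the station's encryption and the AP's decryption are the actual WEP operation, with the 24-bit IV prepended to a constructed 104-bit key to form the 128-bit RC4 key; the 802.11 frame headers and the WEP ICV (CRC-32) are omitted, and the class and function names are this example's own.

```python
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling plus output generation), the cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_crypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP encrypts and decrypts identically: XOR the data with RC4(IV || key)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(iv + wep_key, len(data))))


class AccessPoint:
    def __init__(self, wep_key: bytes):
        self.wep_key = wep_key
        self.pending = {}  # station MAC -> challenge awaiting a response

    def handle_auth_request(self, station_mac: str) -> bytes:
        """Step 1: answer the station's authentication frame with a 128-byte challenge text."""
        challenge = os.urandom(128)
        self.pending[station_mac] = challenge
        return challenge

    def handle_challenge_response(self, station_mac: str, iv: bytes, ciphertext: bytes) -> bool:
        """Step 5: decrypt with the configured WEP key and compare with the original challenge."""
        challenge = self.pending.pop(station_mac, None)
        if challenge is None:
            return False  # no outstanding challenge for this station
        return wep_crypt(self.wep_key, iv, ciphertext) == challenge


class Station:
    def __init__(self, mac: str, wep_key: bytes):
        self.mac = mac
        self.wep_key = wep_key

    def answer_challenge(self, challenge: bytes):
        """Step 3: encrypt the challenge under the station's configured key with a fresh IV."""
        iv = os.urandom(3)
        return iv, wep_crypt(self.wep_key, iv, challenge)


def shared_key_authentication(station: Station, ap: AccessPoint):
    """Run the exchange in the order 4 -> 1 -> 3 -> 5 -> 2; returns (authenticated, transcript)."""
    transcript = [("station->ap", "authentication frame, seq 1 (shared key)")]  # step 4
    challenge = ap.handle_auth_request(station.mac)                               # step 1
    transcript.append(("ap->station", "authentication frame, seq 2: challenge text"))
    iv, ciphertext = station.answer_challenge(challenge)                          # step 3
    transcript.append(("station->ap", "authentication frame, seq 3: encrypted challenge"))
    ok = ap.handle_challenge_response(station.mac, iv, ciphertext)                # step 5
    transcript.append(("ap->station", "authentication frame, seq 4: " + ("success" if ok else "failure")))
    if ok:
        transcript.append(("station->ap", "association request"))                 # step 2
    return ok, transcript


# Constructed keys (not from the page): 13-byte (104-bit) WEP keys.
GOOD_KEY = bytes.fromhex("0102030405060708090a0b0c0d")
WRONG_KEY = bytes.fromhex("0d0c0b0a090807060504030201")

if __name__ == "__main__":
    for key in (GOOD_KEY, WRONG_KEY):
        ok, transcript = shared_key_authentication(Station("aa:bb:cc:dd:ee:01", key), AccessPoint(GOOD_KEY))
        print("authenticated:", ok)
        for direction, message in transcript:
            print(f"  {direction}: {message}")
```

A station configured with the wrong key still completes frames 1 through 3, but the AP's decryption of its response no longer matches the challenge, so frame 4 reports failure and the station never proceeds to association.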
An organization decided to strengthen the security of its network by studying and analyzing the
behavior of attackers. For this purpose, Steven, a security analyst, was instructed to deploy a device
to bait attackers. Steven selected a solution that appears to contain very useful information to lure
attackers and find their locations and techniques.
Identify the type of device deployed by Steven in the above scenario.
D
Explanation:
Steven deployed a honeypot in the scenario. A honeypot is a simulation of an IT system or software
application that acts as bait to attract the attention of attackers. While it appears to be a legitimate
target, it is actually fake and carefully monitored by an IT security team.
The purpose of a honeypot includes distraction (diverting attackers’ attention), threat intelligence
(revealing attack methods), and research/training for security professionals.
Reference:
EC-Council Certified Security Specialist (E|CSS) documents and study guide.
EC-Council Certified Security Specialist (E|CSS) course materials.