Eccouncil 312-50 Certified Ethical Hacker v12 Exam Practice Test

Answer : D

A thin Whois model is a type of data model that is used by some domain registrars for storing and looking up Whois information. In a thin Whois model, the registrar only stores the basic information about the domain, such as the domain name, the registrar name, the name servers, and the registration and expiration dates. The rest of the information, such as the contact details of the domain owner, the administrative contact, and the technical contact, is stored by the registry that manages the top-level domain (TLD) of the domain. For example, the registry for .com and .net domains is Verisign, and the registry for .org domains is Public Interest Registry.When a Whois lookup is performed on a domain that uses a thin Whois model, the registrar's Whois server only returns the basic information and refers the query to the registry's Whois server for the complete information1.

As a hacker, if you are unable to gather complete Whois information from the registrar for a particular set of data, it might be because the domain's registrar is using a thin Whois model and the registry's Whois server is not responding or providing the information. This could be due to various reasons, such as network issues, server errors, rate limits, privacy policies, or legal restrictions. Therefore, the probable data model being utilized by the domain's registrar for storing and looking up Whois information is a thin Whois model working correctly.

Differences Between Thin WHOIS vs Thick WHOIS -- OpenSRS Help & Support

Answer : D

A SYN flood attack is a type of denial-of-service (DoS) attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. This consumes the connection state tables on the server, preventing it from accepting new connections. The attacker has crafted an automated botnet to simultaneously send 's' SYN packets per second to the server. The server can handle 'f' SYN packets per second without any performance issues. If 's' exceeds 'f', the network infrastructure begins to show signs of overload. The system's response time increases exponentially (24k), where 'k' represents each additional SYN packet above the 'f' limit.

Considering 's=500' and different 'f' values, the scenario that is most likely to cause the server to experience overload and significantly increased response times is the one where 'f=420'. This is because 's' is greater than 'f' by 80 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The response time shoots up (2480 = 281,474,976,710,656 times the normal response time), indicating a system overload.

The other scenarios are less likely or less severe than the one where 'f=420'. Option A has 'f=510', which is greater than 's', so the system stays stable and the response time remains unaffected. Option B has 'f=495', which is less than 's' by 5 packets per second, so the response time drastically rises (245 = 32 times the normal response time), indicating a probable system overload, but not as extreme as option D. Option C has 'f=505', which is less than 's' by 5 packets per second, so the response time increases but not as drastically (245 = 32 times the normal response time), and the system might still function, albeit slowly.Reference:

SYN flood DDoS attack | Cloudflare

SYN flood - Wikipedia

What Is a SYN Flood Attack? | F5

What is a SYN flood attack and how to prevent it? | NETSCOUT

Answer : D

One of the most important actions to secure a web server from common threats is to regularly update and patch the server software. This includes the operating system, the web server software, the database software, and any other applications or frameworks that run on the server. Updating and patching the server software can fix known vulnerabilities, bugs, or errors that could be exploited by attackers to compromise the server or the website. Failing to update and patch the server software can expose the server to common attacks, such as SQL injection, cross-site scripting, remote code execution, denial-of-service, etc.

Installing a web application firewall, limiting the number of concurrent connections to the server, and encrypting the company's website with SSL/TLS are also good practices to secure a web server, but they are not as critical as updating and patching the server software. A web application firewall can filter and block malicious requests, but it cannot prevent attacks that exploit unpatched vulnerabilities in the server software. Limiting the number of concurrent connections to the server can prevent overload and improve performance, but it cannot stop attackers from sending malicious requests or payloads. Encrypting the company's website with SSL/TLS can protect the data in transit between the server and the client, but it cannot protect the data at rest on the server or prevent attacks that target the server itself.

Therefore, the priority action to secure a web server from common threats is to regularly update and patch the server software.

Web Server Security- Beginner's Guide - Astra Security Blog

Top 10 Web Server Security Best Practices | Liquid Web

21 Server Security Tips & Best Practices To Secure Your Server - phoenixNAP

Answer : D

A Denial of Service (DoS) attack is a type of cyberattack that aims to make a machine or network resource unavailable to its intended users by flooding it with traffic or requests that consume its resources. A TCP SYN flood attack is a type of DoS attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. A UDP flood attack is a type of DoS attack that sends a large number of UDP packets to random ports on the target server, forcing it to check for the application listening at that port and reply with an ICMP packet. An ICMP flood attack is a type of DoS attack that sends a large number of ICMP packets, such as ping requests, to the target server, overwhelming its ICMP processing capacity.

The attacker's strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using 'r' packets per second. The server can handle 'h' packets per second before it starts showing signs of strain. If 'r' surpasses 'h', it overwhelms the server, causing it to become unresponsive. The attacker selects 'r' as a composite number and 'h' as a prime number, making the attack detection more challenging. This is because prime numbers are less predictable and more difficult to factorize than composite numbers, which may hinder the analysis of the attack pattern.

Considering 'r=2010' and different values for 'h', the scenario that would potentially cause the server to falter is the one where 'h=1987' (prime). This is because 'r' is greater than 'h' by 23 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The other scenarios would not cause the server to falter, as 'h' is either greater than or very close to 'r', which means the server can either manage or barely cope with the incoming traffic.Reference:

What is a denial-of-service (DoS) attack? | Cloudflare

Denial-of-Service (DoS) Attack: Examples and Common Targets - Investopedia

DDoS Attack Types: Glossary of Terms

What is a Denial of Service (DoS) Attack? | Webopedia

Answer : D

The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity for a vulnerability. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics.A vector string represents the values of all the metrics as a block of text1

The Base metrics measure the intrinsic characteristics of a vulnerability, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability.The Base score reflects the severity of a vulnerability assuming that there is no temporal information or context available1

The Temporal metrics measure the characteristics of a vulnerability that change over time, such as the exploit code maturity, the remediation level, and the report confidence.The Temporal score reflects the current state of a vulnerability and its likelihood of being exploited1

The Environmental metrics measure the characteristics of a vulnerability that depend on a specific implementation or environment, such as the security requirements, the modified base metrics, and the collateral damage potential.The Environmental score reflects the impact of a vulnerability on a particular organization or system1

In this scenario, the vulnerability has a Base score of 7, a Temporal score of 8, and an Environmental score of 5. This means that:

The vulnerability has a high severity based on its intrinsic characteristics, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability.A Base score of 7 corresponds to a high severity rating according to the CVSS v3.0 specification1

The vulnerability has an increasing likelihood of exploitability over time based on its current state, such as the exploit code maturity, the remediation level, and the report confidence.A Temporal score of 8 is higher than the Base score of 7, which indicates that the vulnerability is more likely to be exploited as time passes1

The vulnerability has a medium impact on the specific environment or implementation based on the security requirements, the modified base metrics, and the collateral damage potential.An Environmental score of 5 is lower than the Base score of 7, which indicates that the vulnerability is less impactful in the particular context of the organization or system1

Therefore, the statement that best describes this scenario is: The vulnerability has an overall high severity, the likelihood of exploitability is increasing over time, and it has a medium impact in their specific environment.

NVD - Vulnerability Metrics

Answer : C

A Cloud Access Security Broker (CASB) is a security policy enforcement point, either on-premises or in the cloud, that administers an organization's enterprise security policies when users attempt to access its cloud-based resources. A CASB can provide unified security management across multiple cloud platforms, as it can monitor cloud activity, enforce security policies, identify and respond to threats, and maintain visibility of all cloud resources. A CASB can also integrate with other security tools, such as data loss prevention (DLP), encryption, malware detection, and identity and access management (IAM), to enhance the security posture of the organization.

The other options are not as effective or feasible as using a CASB. Using a hardware-based firewall to secure all cloud resources may not be compatible with the dynamic and scalable nature of the cloud, as it may introduce latency, complexity, and cost. Implementing separate security management tools for each cloud platform may create inconsistency, inefficiency, and confusion, as each tool may have different features, interfaces, and configurations. Relying on the built-in security features of each cloud platform may not be sufficient or comprehensive, as each platform may have different levels of security, compliance, and functionality.Reference:

What Is a Cloud Access Security Broker (CASB)? | Microsoft

What Is a CASB? - Cloud Access Security Broker - Cisco

What is a Cloud Access Security Broker (CASB)?

Answer : D

A Kerberoasting attack is a technique that exploits the weak encryption of Kerberos service tickets to obtain the password hashes of service accounts that have a Service Principal Name (SPN) associated with them. The attacker can then crack the hashes offline and use the plaintext passwords to impersonate the service accounts and access network resources.

A Kerberoasting attack follows these steps1:

The attacker impersonates a legitimate Active Directory user and authenticates to the Key Distribution Center (KDC) in the Active Directory environment. They then request a Ticket Granting Ticket (TGT) from the KDC to access network resources. The KDC complies because the attacker is impersonating a legitimate user.

The attacker enumerates the service accounts that have an SPN using tools like GetUserSPNs.py or PowerView. They then request a service ticket for each SPN from the KDC using their TGT. The KDC grants the service tickets, which are encrypted with the password hashes of the service accounts.

The attacker captures the service tickets and takes them offline. They then attempt to crack the password hashes using tools like Hashcat or John the Ripper. They can use various methods, such as brute force, dictionary, or hybrid attacks, to guess the passwords.Alternatively, they can use a PRINCE attack, which is a probabilistic password generation technique that combines common words, patterns, and transformations to generate likely passwords2.

Once the attacker obtains the plaintext passwords of the service accounts, they can use them to authenticate as the service accounts and access the network resources that they are authorized to.

Therefore, the next step that the analyst should take after obtaining a valid TGT is to request a service ticket for the SPN of the target service account. This will allow them to capture the service ticket and extract the password hash of the service account.

How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX

PRINCE: PRobability INfinite Chained Elements