ECCouncil 312-50 Ethical Hacking and Countermeasures Version: 5.3 ECCouncil 312-50 Exam Topic 1, Introduction to Ethical Hacking QUESTION NO: What is the essential difference between an ‘Ethical Hacker’ and a ‘Cracker’? A The ethical hacker does not use the same techniques or skills as a cracker B The ethical hacker does it strictly for financial motives unlike a cracker C The ethical hacker has authorization from the owner of the target D The ethical hacker is just a cracker who is getting paid Answer: C Explanation: The ethical hacker uses the same techniques and skills as a cracker and the motive is to find the security breaches before a cracker does There is nothing that says that a cracker does not get paid for the work he does, a ethical hacker has the owners authorization and will get paid even if he does not succeed to penetrate the target QUESTION NO: What does the term “Ethical Hacking” mean? A Someone who is hacking for ethical reasons B Someone who is using his/her skills for ethical reasons C Someone who is using his/her skills for defensive purposes D Someone who is using his/her skills for offensive purposes Answer: C Explanation: Ethical hacking is only about defending your self or your employer against malicious persons by using the same techniques and skills QUESTION NO: Who is an Ethical Hacker? BrainDumps.com ECCouncil 312-50 Exam A A person who hacks for ethical reasons B A person who hacks for an ethical cause C A person who hacks for defensive purposes D A person who hacks for offensive purposes Answer: C Explanation: The Ethical hacker is a security professional who applies his hacking skills for defensive purposes QUESTION NO: What is "Hacktivism"? A Hacking for a cause B Hacking ruthlessly C An association which groups activists D None of the above Answer: A Explanation: The term was coined by author/critic Jason Logan King Sack in an article about media artist Shu Lea Cheang Acts of hacktivism are carried out in the belief that proper use of code will have leveraged effects similar to regular activism or civil disobedience QUESTION NO: Where should a security tester be looking for information that could be used by an attacker against an organization? (Select all that apply) A CHAT rooms B WHOIS database C News groups D Web sites BrainDumps.com ECCouncil 312-50 Exam E Search engines F Organization’s own web site Answer: A,B,C,D,E,F Explanation: A Security tester should search for information everywhere that he/she can access You never know where you find that small piece of information that could penetrate a strong defense QUESTION NO: What are the two basic types of attacks?(Choose two A DoS B Passive C Sniffing D Active E Cracking Answer: B,D Explanation: Passive and active attacks are the two basic types of attacks QUESTION NO: The United Kingdom (UK) he passed a law that makes hacking into an unauthorized network a felony The law states: Section1 of the Act refers to unauthorized access to computer material This states that a person commits an offence if he causes a computer to perform any function with intent to secure unauthorized access to any program or data held in any computer For a successful conviction under this part of the Act, the prosecution must prove that the access secured BrainDumps.com ECCouncil 312-50 Exam is unauthorized and that the suspect knew that this was the case This section is designed to deal with common-or-graden hacking Section of the deals with unauthorized access with intent to commit or facilitate the commission of further offences An offence is committed under Section if a Section offence has been committed and there is the intention of committing or facilitating a further offense (any offence which attacks a custodial sentence of more than five years, not necessarily one covered but the Act) Even if it is not possible to prove the intent to commit the further offence, the Section offence is still committed Section Offences cover unauthorized modification of computer material, which generally means the creation and distribution of viruses For conviction to succeed there must have been the intent to cause the modifications and knowledge that the modification had not been authorized What is the law called? A Computer Misuse Act 1990 B Computer incident Act 2000 C Cyber Crime Law Act 2003 D Cyber Space Crime Act 1995 Answer: A Explanation: Computer Misuse Act (1990) creates three criminal offences: QUESTION NO: Which of the following best describes Vulnerability? A The loss potential of a threat B An action or event that might prejudice security C An agent that could take advantage of a weakness D A weakness or error that can lead to compromise Answer: D Explanation: A vulnerability is a flaw or weakness in system security procedures, design or implementation that could be exercised (accidentally triggered or intentionally exploited) and result in a harm to an IT system or activity BrainDumps.com ECCouncil 312-50 Exam QUESTION NO: Steven works as a security consultant and frequently performs penetration tests for Fortune 500 companies Steven runs external and internal tests and then creates reports to show the companies where their weak areas are Steven always signs a non-disclosure agreement before performing his tests What would Steven be considered? A Whitehat Hacker B BlackHat Hacker C Grayhat Hacker D Bluehat Hacker Answer: A Explanation: A white hat hacker, also rendered as ethical hacker, is, in the realm of information technology, a person who is ethically opposed to the abuse of computer systems Realization that the Internet now represents human voices from around the world has made the defense of its integrity an important pastime for many A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them QUESTION NO: 10 Which of the following act in the united states specifically criminalizes the transmission of unsolicited commercial e-mail(SPAM) without an existing business relationship A 2004 CANSPAM Act B 2003 SPAM Preventing Act C 2005 US-SPAM 1030 Act D 1990 Computer Misuse Act Answer: A Explanation: The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out BrainDumps.com ECCouncil 312-50 Exam penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them The law, which became effective January 1, 2004, covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site A "transactional or relationship message" – email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act QUESTION NO: 11 ABC.com is legally liable for the content of email that is sent from its systems, regardless of whether the message was sent for private or business-related purpose This could lead to prosecution for the sender and for the company’s directors if, for example, outgoing email was found to contain material that was pornographic, racist or likely to incite someone to commit an act of terrorism You can always defend yourself by “ignorance of the law” clause A True B False Answer: B Explanation: Ignorantia juris non excusat or Ignorantia legis neminem excusat (Latin for "ignorance of the law does not excuse" or "ignorance of the law excuses no one") is a public policy holding that a person who is unaware of a law may not escape liability for violating that law merely because he or she was unaware of its content; that is, persons have presumed knowledge of the law Presumed knowledge of the law is the principle in jurisprudence that one is bound by a law even if one does not know of it It has also been defined as the "prohibition of ignorance of the law" Topic 2, Footprinting QUESTION NO: 12 BrainDumps.com ECCouncil 312-50 Exam You are footprinting Acme.com to gather competitive intelligence You visit the acme.com websire for contact information and telephone number numbers but not find it listed there You know that they had the entire staff directory listed on their website 12 months ago but now it is not there How would it be possible for you to retrieve information from the website that is outdated? A Visit google search engine and view the cached copy B Visit Archive.org site to retrieve the Internet archive of the acme website C Crawl the entire website and store them into your computer D Visit the company’s partners and customers website for this information Answer: B Explanation: The Internet Archive (IA) is a non-profit organization dedicated to maintaining an archive of Web and multimedia resources Located at the Presidio in San Francisco, California, this archive includes "snapshots of the World Wide Web" (archived copies of pages, taken at various points in time), software, movies, books, and audio recordings (including recordings of live concerts from bands that allow it) This site is found at www.archive.org QUESTION NO: 13 User which Federal Statutes does FBI investigate for computer crimes involving e-mail scams and mail fraud? A 18 U.S.C 1029 Possession of Access Devices B 18 U.S.C 1030 Fraud and related activity in connection with computers C 18 U.S.C 1343 Fraud by wire, radio or television D 18 U.S.C 1361 Injury to Government Property E 18 U.S.C 1362 Government communication systems F 18 U.S.C 1831 Economic Espionage Act G 18 U.S.C 1832 Trade Secrets Act Answer: B Explanation: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030 000.html BrainDumps.com ECCouncil 312-50 Exam QUESTION NO: 14 Which of the following activities will NOT be considered as passive footprinting? A Go through the rubbish to find out any information that might have been discarded B Search on financial site such as Yahoo Financial to identify assets C Scan the range of IP address found in the target DNS database D Perform multiples queries using a search engine Answer: C Explanation: Passive footprinting is a method in which the attacker never makes contact with the target systems Scanning the range of IP addresses found in the target DNS is considered making contact to the systems behind the IP addresses that is targeted by the scan QUESTION NO: 15 Which one of the following is defined as the process of distributing incorrect Internet Protocol (IP) addresses/names with the intent of diverting traffic? A Network aliasing B Domain Name Server (DNS) poisoning C Reverse Address Resolution Protocol (ARP) D Port scanning Answer: B Explanation: This reference is close to the one listed DNS poisoning is the correct answer This is how DNS DOS attack can occur If the actual DNS records are unattainable to the attacker for him to alter in this fashion, which they should be, the attacker can insert this data into the cache of there server instead of replacing the actual records, which is referred to as cache BrainDumps.com ECCouncil 312-50 Exam poisoning QUESTION NO: 16 You are footprinting an organization to gather competitive intelligence You visit the company’s website for contact information and telephone numbers but not find it listed there You know that they had the entire staff directory listed on their website 12 months ago but not it is not there How would it be possible for you to retrieve information from the website that is outdated? A Visit google’s search engine and view the cached copy B Visit Archive.org web site to retrieve the Internet archive of the company’s website C Crawl the entire website and store them into your computer D Visit the company’s partners and customers website for this information Answer: B Explanation: Explanation: Archive.org mirrors websites and categorizes them by date and month depending on the crawl time Archive.org dates back to 1996, Google is incorrect because the cache is only as recent as the latest crawl, the cache is over-written on each subsequent crawl Download the website is incorrect because that's the same as what you see online Visiting customer partners websites is just bogus The answer is then Firmly, C, archive.org QUESTION NO: 17 A Company security System Administrator is reviewing the network system log files He notes the following: - Network log files are at MB at 12:00 noon - At 14:00 hours, the log files at MB What should he assume has happened and what should he about the situation? BrainDumps.com 10 ECCouncil 312-50 Exam Identify the correct statement related to the above Web Server installation? A Lack of proper security policy, procedures and maintenance B Bugs in server software, OS and web applications C Installing the server with default settings D Unpatched security flaws in the server software, OS and applications Answer: C Explanation: QUESTION NO: 740 If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response? A The zombie computer will respond with an IPID of 24334 B The zombie computer will respond with an IPID of 24333 C The zombie computer will not send a response D The zombie computer will respond with an IPID of 24335 Answer: C Explanation: BrainDumps.com 450 ECCouncil 312-50 Exam QUESTION NO: 741 Jacob is looking through a traffic log that was captured using Wireshark Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address What is Jacob seeing here? A Jacob is seeing a Smurf attack B Jacob is seeing a SYN flood C He is seeing a SYN/ACK attack D He has found evidence of an ACK flood Answer: B Explanation: QUESTION NO: 742 Which of the following Registry location does a Trojan add entries to make it persistent on Windows 7? (Select answers) A HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run B HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\System32\CurrentVersion\ Run C HKEY_CURRENT_USER\Software\Microsoft\Windows\System32\CurrentVersion\Run D HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Answer: A,D Explanation: BrainDumps.com 451 ECCouncil 312-50 Exam QUESTION NO: 743 Perimeter testing means determining exactly what your firewall blocks and what it allows To conduct a good test, you can spoof source IP addresses and source ports Which of the following command results in packets that will appear to originate from the system at 10.8.8.8? Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network A hping3 -T 10.8.8.8 -S netbios -c -p 80 B hping3 -Y 10.8.8.8 -S windows -c -p 80 C hping3 -O 10.8.8.8 -S server -c -p 80 D hping3 -a 10.8.8.8 -S springfield -c -p 80 Answer: D Explanation: QUESTION NO: 744 The GET method should never be used when sensitive data such as credit card is being sent to a CGI program This is because any GET command will appear in the URL, and will be logged by any servers For example, let's say that you've entered your credit card information into a form that uses the GET method The URL may appear like this: https://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234 The GET method appends the credit card number to the URL This means that anyone with access to a server log will be able to obtain this information How would you protect from this type of attack? A Never include sensitive information in a script B Use HTTPS SSLv3 to send the data instead of plain HTTPS C Replace the GET with POST method when sending data D Encrypt the data before you send using GET method Answer: C Explanation: QUESTION NO: 745 Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored BrainDumps.com 452 ECCouncil 312-50 Exam How will you defend against hardware keyloggers when using public computers and Internet Kiosks? (Select answers) A Alternate between typing the login credentials and typing characters somewhere else in the focus window B Type a wrong password first, later type the correct password on the login page defeating the keylogger recording C Type a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter D The next key typed replaces selected text portion E.g if the password is "secret", one could BrainDumps.com 453 ECCouncil 312-50 Exam type "s", then some dummy keys "asdfsd" Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd" E The next key typed replaces selected text portion E.g if the password is "secret", one could type "s", then some dummy keys "asdfsd" Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd" Answer: A,C,D,E QUESTION NO: 746 Lauren is performing a network audit for her entire company The entire network is comprised of around 500 computers Lauren starts an ICMP ping sweep by sending one IP packet to the broadcast address of the network, but only receives responses from around five hosts Why did this ping sweep only produce a few responses? A Only Windows systems will reply to this scan B A switched network will not respond to packets sent to the broadcast address C Only Linux and Unix-like (Non-Windows) systems will reply to this scan D Only servers will reply to this scan Answer: C Explanation: QUESTION NO: 747 Wayne is the senior security analyst for his company Wayne is examining some traffic logs on a server and came across some inconsistencies Wayne finds some IP packets from a computer purporting to be on the internal network The packets originate from 192.168.12.35 with a TTL of 15 The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21 What can Wayne infer from this traffic log? A The initial traffic from 192.168.12.35 was being spoofed B The traffic from 192.168.12.25 is from a Linux computer C The TTL of 21 means that the client computer is on wireless D The client computer at 192.168.12.35 is a zombie computer Answer: A Explanation: BrainDumps.com 454 ECCouncil 312-50 Exam QUESTION NO: 748 Here is the ASCII Sheet BrainDumps.com 455 ECCouncil 312-50 Exam You want to guess the DBO username juggyboy (8 characters) using Blind SQL Injection technique What is the correct syntax? A Option A B Option B C Option C D Option D Answer: A Explanation: QUESTION NO: 749 How you defend against ARP Poisoning attack? (Select answers) BrainDumps.com 456 ECCouncil 312-50 Exam A Enable DHCP Snooping Binding Table B Restrict ARP Duplicates C Enable Dynamic ARP Inspection D Enable MAC snooping Table Answer: A,C Explanation: QUESTION NO: 750 Neil is an IT security consultant working on contract for Davidson Avionics Neil has been hired to audit the network of Davidson Avionics He has been given permission to perform any tests necessary Neil has created a fake company ID badge and uniform Neil waits by one of the company's entrance doors and follows an employee into the office after they use their valid access card to gain entrance What type of social engineering attack has Neil employed here? A Neil has used a tailgating social engineering attack to gain access to the offices B He has used a piggybacking technique to gain unauthorized access C This type of social engineering attack is called man trapping D Neil is using the technique of reverse social engineering to gain access to the offices of Davidson Avionics Answer: A Explanation: QUESTION NO: 751 BrainDumps.com 457 ECCouncil 312-50 Exam Which of the following represent weak password? (Select answers) A Passwords that contain letters, special characters, and numbers Example: ap1$%##f@52 B Passwords that contain only numbers Example: 23698217 C Passwords that contain only special characters Example: &*#@!(%) D Passwords that contain letters and numbers Example: meerdfget123 E Passwords that contain only letters Example: QWERTYKLRTY F Passwords that contain only special characters and numbers Example: 123@$45 G Passwords that contain only letters and special characters Example: bob@&ba H Passwords that contain Uppercase/Lowercase from a dictionary list Example: OrAnGe Answer: E,H Explanation: QUESTION NO: 752 Harold just got home from working at Henderson LLC where he works as an IT technician He was able to get off early because they were not too busy When he walks into his home office, he notices his teenage daughter on the computer, apparently chatting with someone online As soon as she hears Harold enter the room, she closes all her windows and tries to act like she was playing a game When Harold asks her what she was doing, she acts very nervous and does not give him a straight answer Harold is very concerned because he does not want his daughter to fall victim to online predators and the sort Harold doesn't necessarily want to install any programs that will restrict the sites his daughter goes to, because he doesn't want to alert her to his trying to figure out what she is doing Harold wants to use some kind of program that will track her activities online, and send Harold an email of her activity once a day so he can see what she has been up to What kind of software could Harold use to accomplish this? A Install hardware Keylogger on her computer B Install screen capturing Spyware on her computer C Enable Remote Desktop on her computer D Install VNC on her computer Answer: B Explanation: QUESTION NO: 753 Blane is a security analyst for a law firm One of the lawyers needs to send out an email to a client but he wants to know if the email is forwarded on to any other recipients The client is explicitly asked not to re-send the email since that would be a violation of the lawyer's and client's agreement for this particular case What can Blane use to accomplish this? BrainDumps.com 458 ECCouncil 312-50 Exam A He can use a split-DNS service to ensure the email is not forwarded on B A service such as HTTrack would accomplish this C Blane could use MetaGoofil tracking tool D Blane can use a service such as ReadNotify tracking tool Answer: D Explanation: QUESTION NO: 754 You want to perform advanced SQL Injection attack against a vulnerable website You are unable to perform command shell hacks on this server What must be enabled in SQL Server to launch these attacks? A System services B EXEC master access C xp_cmdshell D RDC Answer: C Explanation: QUESTION NO: 755 Kevin is an IT security analyst working for Emerson Time Makers, a watch manufacturing company in Miami Kevin and his girlfriend Katy recently broke up after a big fight Kevin believes that she was seeing another person Kevin, who has an online email account that he uses for most of his mail, knows that Katy has an account with that same company Kevin logs into his email account online and gets the following URL after successfully logged in: http://www.youremailhere.com/mail.asp?mailbox=Kevin&Smith=121%22 Kevin changes the URL to: http://www.youremailhere.com/mail.asp?mailbox=Katy&Sanchez=121%22 Kevin is trying to access her email account to see if he can find out any information What is Kevin attempting here to gain access to Katy's mailbox? A This type of attempt is called URL obfuscation when someone manually changes a URL to try and gain unauthorized access B By changing the mailbox's name in the URL, Kevin is attempting directory transversal C Kevin is trying to utilize query string manipulation to gain access to her email account D He is attempting a path-string attack to gain access to her mailbox Answer: C Explanation: BrainDumps.com 459 ECCouncil 312-50 Exam QUESTION NO: 756 Jeremy is web security consultant for Information Securitas Jeremy has just been hired to perform contract work for a large state agency in Michigan Jeremy's first task is to scan all the company's external websites Jeremy comes upon a login page which appears to allow employees access to sensitive areas on the website James types in the following statement in the username field: SELECT * from Users where username='admin' ?AND password='' AND email like '%@testers.com%' What will the SQL statement accomplish? A If the page is susceptible to SQL injection, it will look in the Users table for usernames of admin B This statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com C This Select SQL statement will log James in if there are any users with NULL passwords D James will be able to see if there are any default user accounts in the SQL database Answer: A Explanation: QUESTION NO: 757 If an attacker's computer sends an IPID of 31400 to a zombie (Idle Scanning) computer on an open port, what will be the response? A 31400 B 31402 C The zombie will not send a response D 31401 Answer: D Explanation: QUESTION NO: 758 Trojan horse attacks pose one of the most serious threats to computer security The image below shows different ways a Trojan can get into a system Which are the easiest and most convincing ways to infect a computer? BrainDumps.com 460 ECCouncil 312-50 Exam A IRC (Internet Relay Chat) B Legitimate "shrink-wrapped" software packaged by a disgruntled employee C NetBIOS (File Sharing) D Downloading files, games and screensavers from Internet sites Answer: B Explanation: QUESTION NO: 759 Jake is a network administrator who needs to get reports from all the computer and network devices on his network Jake wants to use SNMP but is afraid that won't be secure since passwords and messages are in clear text How can Jake gather network information in a secure manner? A He can use SNMPv3 B Jake can use SNMPrev5 C He can use SecWMI D Jake can use SecSNMP Answer: A Explanation: QUESTION NO: 760 Which of the following Exclusive OR transforms bits is NOT correct? A xor = B xor = BrainDumps.com 461 ECCouncil 312-50 Exam C xor = D xor = Answer: C Explanation: QUESTION NO: 761 The traditional traceroute sends out ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets take to reach the destination The problem is that with the widespread use of firewalls on the Internet today, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination How would you overcome the Firewall restriction on ICMP ECHO packets? BrainDumps.com 462 ECCouncil 312-50 Exam A Firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters B Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connections By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters C Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connections By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters D Do not use traceroute command to determine the path packets take to reach the destination instead use the custom hacking tool JOHNTHETRACER and run with the command E \> JOHNTHETRACER www.eccouncil.org -F -evade Answer: A Explanation: QUESTION NO: 762 Simon is security analyst writing signatures for a Snort node he placed internally that captures all mirrored traffic from his border firewall From the following signature, what will Snort look for in the payload of the suspected packets? alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSseven 22";flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;) alert A The payload of 485 is what this Snort signature will look for B Snort will look for 0d0a5b52504c5d3030320d0a in the payload C Packets that contain the payload of BACKDOOR SIG - SubSseven 22 will be flagged D From this snort signature, packets with HOME_NET 27374 in the payload will be flagged Answer: B Explanation: QUESTION NO: 763 You are trying to package a RAT Trojan so that Anti-Virus software will not detect it Which of the listed technique will NOT be effective in evading Anti-Virus scanner? A Convert the Trojan.exe file extension to Trojan.txt disguising as text file B Break the Trojan into multiple smaller files and zip the individual pieces C Change the content of the Trojan using hex editor and modify the checksum D Encrypt the Trojan using multiple hashing algorithms like MD5 and SHA-1 BrainDumps.com 463 ECCouncil 312-50 Exam Answer: A Explanation: QUESTION NO: 764 What will the following command produce on a website's login page if executed successfully? SELECT email, passwd, login_id, full_name FROM members WHERE email = 'someone@somewhere.com'; DROP TABLE members; ' A This code will insert the someone@somewhere.com email address into the members table B This command will delete the entire members table C It retrieves the password for the first user in the members table D This command will not produce anything since the syntax is incorrect Answer: B Explanation: QUESTION NO: 765 What type of port scan is represented here A Stealth Scan B Full Scan C XMAS Scan D FIN Scan Answer: A Explanation: BrainDumps.com 464 [...]... Summary [ 192 .168.0.8] [ 192 .168.0.10] TCP: D=80 S= 493 89 SYN SEQ=3362 197 786 LEN=0 WIN=5840 [ 192 .168.0.10] [ 192 .168.0.8] TCP: D= 493 89 S=80 SYN ACK=3362 197 787 SEQ=58 695 210 LEN=0 WIN=65535 [ 192 .168.0.8] [ 192 .168.0.10] TCP: D=80 S= 493 89 ACK=58 695 211 WIN