Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCEHDomainsEnumeration and System Hacking
CEHFree — No Signup

Enumeration and System Hacking

Practice CEH Enumeration and System Hacking questions with full explanations on every answer.

189questions

Start practicing

Enumeration and System Hacking — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

CEH Domains

Footprinting, Reconnaissance and ScanningEnumeration and System HackingMalware, Social Engineering and Network AttacksWeb Application and Injection AttacksIntroduction to Ethical HackingScanning Networks and EnumerationVulnerability Analysis and System HackingAdvanced Topics: Wireless, Cloud, IoT, CryptographyFootprinting and ReconnaissanceNetwork and Web Application AttacksWireless, IoT and Cloud SecurityCryptography and Malware AnalysisSocial Engineering and Physical Security

Practice Enumeration and System Hacking questions

10Q20Q30Q50Q

All CEH Enumeration and System Hacking questions (189)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security analyst wants to enumerate NetBIOS names on a Windows network. Which built-in Windows command-line tool should they use?

2

During a penetration test, you gain access to a target system as a low-privileged user. Which of the following is the BEST next step according to the CEH system hacking methodology (CHPSET)?

3

A security analyst observes a suspicious SUID binary /usr/bin/evil in a Linux system. Which type of vulnerability does this indicate, and what is the MOST likely objective of an attacker who placed it?

4

A penetration tester runs the following command against a target Linux server: smbclient -L 192.168.1.10 -N. The output lists several shares including 'Admin$', 'C$', and 'IPC$'. Which of the following is the MOST likely next step for further enumeration?

5

An attacker uses the VRFY command on an SMTP server to check the existence of email addresses. The server responds with '250 OK' for 'admin@company.com' and '550 No such user' for 'fake@company.com'. Which SMTP enumeration technique is being used?

6

A security analyst finds multiple failed login attempts in the system logs, followed by a successful login from an unusual IP address. The attacker then deleted the log entries for that session. Which step of the system hacking methodology (CHPSET) does the log deletion represent?

7

Which of the following tools is specifically designed to perform password cracking using rainbow tables?

8

During a penetration test, you successfully execute a privilege escalation attack by abusing a service running with SYSTEM privileges on a Windows machine. Which of the following techniques is MOST likely being used?

9

A penetration tester executes the command: snmpwalk -c public -v2c 192.168.1.50. Which of the following BEST describes the purpose of this command?

10

A security analyst is investigating a compromised Linux system. The /var/log/auth.log file appears to be truncated, and the timestamps on several binaries in /bin/ have been modified. Which of the following tools or techniques is the attacker MOST likely using to cover tracks?

11

During a penetration test, you discover an LDAP server on port 389 that allows anonymous binds. Which of the following enumeration techniques would provide the MOST comprehensive information about the directory structure?

12

An attacker has gained access to a Windows server and wants to crack the password hashes extracted from the SAM file. The attacker knows the passwords are complex but wants to maximize speed. Which tool is BEST suited for high-speed password cracking using GPU acceleration?

13

Which TWO of the following are valid SMTP enumeration commands that can be used to discover valid email addresses? (Select 2)

14

Which TWO of the following are common tools used for SMB enumeration? (Select 2)

15

Which THREE of the following are password cracking techniques that can be used with Hashcat? (Select 3)

16

A security analyst runs `nbtstat -A 192.168.1.10` and receives output showing a table with names like COMPUTER<00>, COMPUTER<20>, and DOMAIN<1B>. What type of information has the analyst gathered?

17

During a penetration test, you execute the command `enum4linux -a 192.168.1.20`. The output reveals that the 'backup' account has a blank password and belongs to the 'Domain Admins' group. Which phase of the CHPSET methodology does identifying this vulnerability belong to?

18

A forensic analyst examining a compromised Linux system finds the following entry in /var/log/auth.log: `Mar 15 10:23:45 server sshd[1234]: Accepted password for root from 10.0.0.5 port 54321 ssh2`. However, the analyst also notices that /var/log/auth.log has been truncated and the /etc/ssh/sshd_config file contains `LogLevel QUIET`. Which attack phase is most likely being obscured?

19

An attacker has gained initial access to a Windows system and wants to escalate privileges to SYSTEM. They find that the SeImpersonatePrivilege is enabled for their current user. Which tool or technique is specifically designed to leverage this privilege for elevation?

20

A system administrator wants to enumerate all users in an Active Directory domain. Which protocol and query technique should they use?

21

A penetration tester runs `snmpwalk -c public -v2c 192.168.1.50 1.3.6.1.2.1.1` and receives a list of system descriptions, uptime, and contact information. Which type of information is the tester primarily gathering?

22

During a penetration test, you run `smtp-user-enum -M VRFY -U users.txt -t 10.0.0.10` and receive responses '252 2.5.2 User <username>' for some users and '550 5.1.1 User unknown' for others. What does this indicate?

23

An attacker has obtained password hashes from a Windows system. They plan to use rainbow tables to crack them. Which tool would be most appropriate for generating and using rainbow tables?

24

Which of the following tools is specifically used to enumerate SMB shares and retrieve file listings from Windows systems?

25

A security administrator notices repeated failed login attempts from a single IP address targeting the SSH service. The attempts use common usernames (root, admin, test) and a list of passwords from a dictionary. What type of password attack is being conducted?

26

A Linux system has a script named 'backup' owned by root with the SUID bit set and world-executable permissions. A standard user executes the script and discovers it runs a command that reads /etc/shadow and writes output to a world-readable file. What is the most likely intended exploitation path?

27

An incident responder finds that the Windows Event Logs on a compromised server have been cleared, and the Security log shows gaps in coverage. Additionally, a rootkit is suspected. Which phase of the hacking methodology does the clearing of logs represent?

28

Which TWO tools can be used to enumerate SMB shares and users on a Windows target? (Choose two.)

29

Which THREE of the following are valid techniques in the system hacking methodology (CHPSET)? (Choose three.)

30

A penetration tester obtains password hashes from a Windows system. Which TWO methods would be most efficient for cracking NTLM hashes offline? (Choose two.)

31

A security analyst runs 'nbtstat -A 192.168.1.10' and receives a table showing the machine name and a list of names registered. Which service is being enumerated?

32

During a penetration test, you need to enumerate SMB shares on a Windows target. Which of the following tools is specifically designed for this purpose?

33

Which SNMP community string is typically used for read-only access by default on many devices?

34

An attacker attempts to enumerate valid email users by connecting to an SMTP server and issuing the following commands: EHLO example.com, VRFY root, VRFY admin, VRFY user1. Which SMTP enumeration technique is being used?

35

A tester runs 'snmpwalk -v2c -c public 192.168.1.1' and receives a large amount of system information. What does this command do?

36

During a penetration test, you gain access to a Linux server as a low-privileged user. Which of the following is an effective technique to escalate privileges by exploiting misconfigured file permissions?

37

An ethical hacker needs to crack a set of NTLM hashes obtained from a Windows system. Which tool would be MOST efficient for performing a dictionary attack with hybrid rules?

38

After successfully exploiting a system, an attacker uses the command 'wevtutil cl system' on a Windows target. What is the MOST likely purpose of this command?

39

Which phase of the system hacking methodology (CHPSET) involves hiding files from the operating system using techniques such as rootkits or steganography?

40

A penetration tester uses the following command to extract the contents of a SAM file: 'samdump2 SYSTEM /mnt/windows/Windows/System32/config/SAM'. What is the primary purpose of this action?

41

During a penetration test, you discover a Windows service running with SYSTEM privileges that has a weak file permission allowing the 'Everyone' group to modify its executable. Which privilege escalation technique is MOST directly applicable here?

42

An attacker uses 'rpcclient -U '' -N 192.168.1.10' followed by 'enumdomusers' and 'enumdomgroups'. What type of enumeration is being performed, and which protocol does it rely on?

43

Which TWO tools are commonly used for enumerating NFS exports on a target system? (Select 2 correct answers)

44

Which THREE of the following are valid techniques for covering tracks after compromising a system? (Select 3 correct answers)

45

Which TWO of the following are examples of hybrid password attacks? (Select 2 correct answers)

46

During a penetration test, you run the command `enum4linux -a 192.168.1.10` and receive output containing user account names, group memberships, and share listings. Which protocol is primarily being enumerated?

47

A security analyst suspects an attacker has used a rainbow table to crack password hashes from a compromised system. Which password cracking technique involves precomputed hash chains?

48

During a security assessment, you find a Linux binary with the SUID bit set and owned by root. You execute it and obtain a root shell. This is an example of which privilege escalation technique?

49

A penetration tester is attempting to enumerate user accounts on a mail server. They connect to port 25 and issue the commands `VRFY root` and `EXPN support`. Which protocol is being targeted?

50

After gaining access to a system, an attacker modifies log files to remove evidence of their activities. This action is part of which phase of the system hacking methodology?

51

Which tool is specifically designed to crack Windows LM and NTLM password hashes using rainbow tables?

52

A security analyst runs `snmpwalk -v2c -c public 192.168.1.1` and receives extensive output about the device's configuration. Which of the following is the MOST effective countermeasure against this enumeration?

53

During a penetration test, you need to enumerate all users and groups from a Windows domain controller. Which tool is BEST suited for this task?

54

An attacker uses a tool that sends crafted RCPT TO commands to an SMTP server to verify email addresses. Which SMTP enumeration technique is being used?

55

Which password cracking technique involves trying every possible combination of characters until the correct password is found?

56

A security analyst examines a compromised Linux server and finds a hidden directory `/usr/share/.syslog` containing a modified version of `sshd` and a log cleaner script. This is indicative of which technique used to erase tracks?

57

Which of the following commands would a tester use to enumerate NetBIOS names and their associated IP addresses on a local subnet?

58

Which TWO of the following are valid methods for enumerating SMB shares on a target system? (Select 2)

59

Which THREE of the following are common techniques used in the 'Cracking passwords' phase of system hacking? (Select 3)

60

Which TWO of the following are effective countermeasures against SNMP enumeration attacks? (Select 2)

61

A security analyst uses the nbtstat -a command against a target IP address. What information is the analyst MOST likely attempting to retrieve?

62

During a penetration test, an analyst runs the command 'snmpwalk -v2c -c public 192.168.1.10' and receives a large amount of output. Which protocol and community string are being used?

63

An attacker uses a tool that precomputes hash chains for common passwords to crack password hashes quickly. Which technique is the attacker employing?

64

After gaining initial access to a Windows server, a penetration tester wants to escalate privileges. The tester finds that the current user has the 'SeImpersonatePrivilege' enabled. Which attack technique could the tester use to abuse this privilege?

65

Which of the following tools is specifically designed to crack Windows LAN Manager (LM) and NTLM hashes using rainbow tables?

66

During a security assessment, an analyst runs 'enum4linux -a 10.0.0.5' and obtains a list of users, shares, and OS information. What protocol is enum4linux primarily using to gather this information?

67

A penetration tester discovers a Linux server with the SUID bit set on the 'find' command. How could this be exploited for privilege escalation?

68

An attacker uses SMTP commands to verify the existence of email accounts on a mail server. Which sequence of SMTP commands is used for this purpose?

69

A security analyst suspects an attacker has replaced system binaries with a rootkit to hide malicious processes. Which covering tracks technique is the attacker using?

70

Which of the following is the correct order of phases in the system hacking methodology known as CHPSET?

71

During an internal penetration test, you run 'smbclient -L //192.168.1.100 -N' and get an empty response. Which of the following is the MOST likely reason?

72

A penetration tester captures the following output from a command: 'smb: \> ls \\192.168.1.20\C$'. The tester is able to list the contents of the C$ share without providing credentials. Which of the following is the MOST likely reason for this access?

73

Which TWO of the following are valid enumeration techniques? (Select 2)

74

Which THREE of the following are password cracking techniques? (Select 3)

75

Which TWO of the following are examples of privilege escalation on Linux? (Select 2)

76

A security analyst runs the command: nbtstat -A 192.168.1.10. The output shows the table of names for the remote machine. Which of the following is the MOST likely purpose of this command?

77

During a penetration test, you receive a list of password hashes from a Windows server. Which of the following tools would be BEST suited to perform a dictionary attack against these hashes?

78

A penetration tester obtains a list of password hashes and uses RainbowCrack. Which statement BEST describes how RainbowCrack works?

79

After gaining initial access, an attacker attempts to escalate privileges by exploiting a misconfigured service running as SYSTEM. They find that the service's binary path is writable by the Everyone group. Which privilege escalation technique is the attacker MOST likely using?

80

A security engineer runs SNMPwalk on a network device and receives community strings as 'public' and 'private'. What is the PRIMARY concern?

81

Which of the following is the PRIMARY purpose of steganography in the context of covering tracks after a system compromise?

82

A penetration tester uses the SMTP commands VRFY and EXPN on a mail server. What is the tester MOST likely trying to accomplish?

83

During a penetration test, an analyst uses enum4linux with the -a flag against a target. Which of the following is the MOST comprehensive set of information that can be obtained?

84

An attacker has gained access to a system and wants to erase evidence of their activities. Which of the following actions is MOST effective for covering tracks on a Windows system?

85

A penetration tester finds that a Linux binary has the SUID bit set and is owned by root. Which of the following does this indicate?

86

Which tool is specifically designed to crack Windows LM and NTLM hashes using precomputed tables?

87

A security analyst observes repeated attempts to validate user accounts via SMTP using VRFY commands from an external IP. What is the BEST immediate action to mitigate this reconnaissance?

88

Which TWO techniques are commonly used for privilege escalation on Linux systems? (Select two.)

89

Which THREE of the following are components of the CHPSET system hacking methodology? (Select three.)

90

Which TWO tools are commonly used for password cracking against hashed passwords? (Select two.)

91

A security analyst runs the command `nbtstat -A 192.168.1.105` on a Windows machine. What information is the analyst most likely trying to gather?

92

During a penetration test, a tester uses the SMTP VRFY command against a mail server. The server responds with '252 Cannot VRFY user, but will accept message' for most usernames. Which action should the tester take to enumerate valid email addresses more effectively?

93

A penetration tester is attempting to escalate privileges on a Linux target. The tester runs `find / -perm -4000 -type f 2>/dev/null` and discovers that `/usr/bin/pkexec` has the SUID bit set. The target runs Ubuntu 20.04 with default configurations. Which of the following is the MOST likely next step?

94

An analyst observes repeated failed login attempts to a Windows server from an internal IP, followed by a successful login using the account 'admin' from the same IP. The analyst checks the Security log and finds Event ID 4624 with Logon Type 3. What type of attack is MOST likely occurring?

95

Which tool is specifically designed to crack Windows LM and NTLM hashes using rainbow tables?

96

During a system hacking phase, a tester successfully gains access to a Windows machine and wants to hide a malicious executable. Which of the following techniques is MOST effective for hiding files from standard directory listings without using third-party tools?

97

A security team discovers that an attacker has been using steganography to exfiltrate data from the corporate network. The attacker hid data inside image files and uploaded them to a public image hosting site. Which of the following is the BEST method to detect this type of exfiltration?

98

A penetration tester runs the following command against a Linux server: `smbclient -L //192.168.1.10 -N`. The output lists shares including 'IPC$', 'ADMIN$', and 'data'. Which of the following is the BEST next step to enumerate the 'data' share?

99

Which of the following commands is used to enumerate SNMP information from a network device using a specific community string?

100

A penetration tester has obtained a copy of the SAM database from a Windows system. The hashes extracted include both LM and NTLM hashes. Which of the following tools would be MOST efficient to crack the NTLM hashes using a dictionary attack with GPU acceleration?

101

After gaining initial access to a Linux server, a penetration tester wants to maintain persistence by creating a backdoor. The tester decides to replace a common system binary with a trojanized version. Which of the following techniques is MOST likely to evade detection by file integrity monitoring (FIM) systems?

102

A security analyst reviews the following command output from a Linux system: `uid=0(root) gid=0(root) groups=0(root)`. The analyst suspects a privilege escalation attack. Which of the following techniques could have been used to achieve root access from a standard user account?

103

Which TWO of the following are valid methods for enumerating users on a SMTP server? (Select 2)

104

Which THREE of the following are indicators that a system has been compromised by a rootkit? (Select 3)

105

Which TWO of the following are common techniques for covering tracks after compromising a system? (Select 2)

106

A security analyst runs the command `nbtstat -A 192.168.1.50` in a Windows environment. What information is the analyst attempting to retrieve?

107

During a penetration test, you successfully gain access to a web server with a low-privileged shell. You want to escalate privileges to root. Which of the following techniques is MOST likely to achieve privilege escalation on a misconfigured Linux system?

108

A security team has collected a hash file from a compromised Windows server that contains NTLM hashes. They want to crack the passwords as quickly as possible using a precomputed lookup table. Which tool and technique combination is BEST suited for this task?

109

A penetration tester is enumerating an SMTP server on port 25. They issue the command `VRFY root` and receive a 250 response, then `VRFY admin` also returns 250. What does this indicate about the SMTP server?

110

A penetration tester wants to enumerate users and groups from a Windows domain controller via LDAP without logging in. Which of the following tools is MOST appropriate for anonymous LDAP enumeration?

111

An attacker has gained access to a Linux server and wants to cover their tracks. They edit the `.bash_history` file, modify system logs in `/var/log`, and install a kernel module that hides their processes. Which two steps of the system hacking methodology (CHPSET) are being performed?

112

Which of the following tools is specifically designed to enumerate SMB shares and user information from Windows systems using the SMB protocol?

113

A penetration tester is performing SNMP enumeration against a network device and wants to retrieve the entire Management Information Base (MIB) tree. Which command should they use?

114

During a password cracking session, a pentester uses a wordlist combined with rules to generate variations of each word. This approach is called a hybrid attack. Which tool, when used with a rule file, can perform such an attack?

115

A forensic analyst discovers that an attacker used a rootkit to hide malicious processes and files on a compromised Linux system. The rootkit also intercepts system calls to `open()` and `stat()` to return clean results. Which of the following techniques is the rootkit using to cover its tracks?

116

Which of the following is a primary purpose of the enumeration phase in a penetration test?

117

A security analyst is investigating a potential SMB-based attack. They notice unusual traffic on port 445 from a host running `enum4linux`. Which of the following enumeration actions could `enum4linux` perform that would generate such traffic?

118

Which TWO of the following are valid enumeration techniques used to identify user accounts on a system? (Select 2)

119

A penetration tester is tasked with performing privilege escalation on a Windows system. Which THREE of the following methods are commonly used for Windows privilege escalation? (Select 3)

120

Which TWO of the following tools are capable of cracking password hashes offline? (Select 2)

121

A security analyst runs `nbtstat -A 192.168.1.50` from a Windows command prompt and receives output showing a table with names like 'WORKGROUP<00>', 'PC01<20>', and 'USER<03>'. What is the MOST likely purpose of this command?

122

Which tool is specifically designed to enumerate SMB shares and user accounts on a Windows target by leveraging the SMB protocol?

123

During an SMTP enumeration, a penetration tester connects to the mail server on port 25 and issues the commands 'VRFY root', 'EXPN admin', and 'RCPT TO:unknown@domain.com'. The server responds with '252' for VRFY, '250' for EXPN, and '550' for RCPT TO. What does this indicate?

124

An attacker gains access to a Linux web server as the 'www-data' user. They run `find / -perm -4000 -type f 2>/dev/null` and see that `/usr/bin/passwd` has the SUID bit set. Which privilege escalation technique is this command checking for?

125

Which of the following tools is used to crack Windows LAN Manager (LM) and NTLM password hashes using rainbow tables?

126

After compromising a system, an attacker wants to erase their tracks. They clear the Windows Event Logs using `wevtutil cl` commands. However, the logs are forwarded to a remote SIEM. Which covering tracks technique would be MOST effective to avoid detection?

127

A penetration tester discovers a service running on UDP port 161 with a default community string 'public'. They use `snmpwalk -v2c -c public 192.168.1.10` and retrieve extensive system information. Which enumeration technique is being performed?

128

In the context of system hacking methodology (CHPSET), which phase involves hiding malicious files from the operating system and security tools using techniques such as NTFS alternate data streams (ADS) or steganography?

129

Which password cracking method uses a precomputed table of hash chains to reverse password hashes quickly?

130

A security analyst notices that an attacker has gained SYSTEM privileges on a Windows server after compromising a service running as LOCAL SYSTEM. The attacker then uses `whoami /priv` and finds the SeTcbPrivilege (Act as part of the operating system) is enabled. Which privilege escalation technique might the attacker use next?

131

During a penetration test, the tester runs `ldapsearch -x -H ldap://192.168.1.20 -b 'dc=domain,dc=com' '(objectclass=*)'`. The output reveals user objects with 'userPassword' attributes in clear text. Which type of enumeration is being performed, and what is the security implication?

132

A penetration tester gains access to a Linux server and attempts to escalate privileges. They run `sudo -l` and see that the user can run `/usr/bin/vim` as root without a password. Which privilege escalation technique should the tester use?

133

Which TWO of the following are enumeration techniques used to gather information from Windows systems? (Select 2)

134

Which THREE of the following are methods for covering tracks after compromising a system? (Select 3)

135

Which TWO of the following are password cracking techniques? (Select 2)

136

A security analyst runs `nbtstat -A 192.168.1.10` and receives a response with the computer name, logged-in user, and domain. Which protocol is being queried?

137

A penetration tester wants to enumerate user accounts on a Linux system running SMTP service. Which commands are commonly used for this purpose?

138

During a penetration test, the tester runs `enum4linux -U 192.168.1.20` and obtains a list of usernames. What service is being enumerated, and what is the primary risk associated with this information disclosure?

139

An analyst observes the following SNMP walk output on a network device: `SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.5.1 = STRING: "cisco"`. Which finding is most significant?

140

Which tool is specifically designed to crack Windows LAN Manager (LM) and NTLM hashes using rainbow tables?

141

During a penetration test, a tester gains a low-privilege shell on a Linux server. The command `sudo -l` reveals that the user can run `/usr/bin/find` as root. Which technique can the tester use to escalate privileges?

142

A security engineer notices repeated log entries showing a user account logging in at odd hours and then clearing event logs. The engineer suspects credential theft. Which phase of the CHPSET methodology involves erasing tracks?

143

A penetration tester uses `smbclient -L //192.168.1.30 -N` and receives a list of shares including a hidden administrative share (C$) and a user share named "Backup". What is the most immediate security concern?

144

Which type of password cracking attack uses a precomputed table of hash chains to reverse hashes quickly?

145

An attacker modifies system logs to remove entries related to their activities. Which technique is being used to cover tracks?

146

A forensic analyst finds a system where the user's password hash was obtained and cracked offline. The attacker then used stolen credentials to log in and run `wevtutil cl system`. What is the purpose of this command?

147

In the context of privilege escalation on Windows, what is token impersonation, and which tool is commonly used to exploit it?

148

A penetration tester is enumerating services on a target Windows server. Which TWO tools are specifically designed for SMB enumeration? (Select two.)

149

During a penetration test, the tester successfully cracks a password hash using a hybrid attack. Which THREE characteristics describe a hybrid attack? (Select three.)

150

Which TWO of the following are common methods used to hide files on a compromised system? (Select two.)

151

A penetration tester runs `nbtstat -A 192.168.1.10` on a Windows machine. The output reveals the NetBIOS name table and shows a <20> entry. What does this indicate?

152

During an internal penetration test, an analyst uses `enum4linux -a 10.0.0.5` and retrieves a list of local users, including an account named 'sqlsvc'. The analyst then attempts to crack the password using a dictionary attack. Which password cracking tool would be most efficient for this task?

153

Which enumeration technique would be MOST effective for gathering usernames from an SMTP server that supports the VRFY command?

154

After gaining initial access to a Linux server, an attacker runs `find / -perm -4000 -o -perm -2000 2>/dev/null`. What is the primary objective of this command?

155

A security analyst observes repeated log entries showing `EXPN` commands from an external IP address to the company's mail server. What is the MOST likely objective of this activity?

156

Which tool is specifically designed to perform SNMP enumeration by walking the MIB tree using a known community string?

157

During a penetration test, an analyst obtains a dump of password hashes from a Windows server. The hashes are in LM:NT format. The analyst wants to crack the NT portion using a brute-force attack on 8-character alphanumeric passwords. Which tool is BEST suited for this task?

158

An attacker has compromised a Linux machine and wants to hide a rootkit by replacing system binaries with trojaned versions. Which technique is being used to maintain persistent access while evading detection?

159

A security analyst runs `ldapsearch -x -h 10.0.0.3 -b "dc=company,dc=com"` and receives a large number of entries including user objects. What type of information is being collected?

160

In the context of system hacking methodology (CHPSET), which phase involves removing evidence of the attacker's activities from logs and system files?

161

An attacker successfully escalates privileges on a Windows server using a known vulnerability in the Print Spooler service (PrintNightmare). Which type of privilege escalation does this represent?

162

Which of the following commands would a penetration tester use to enumerate SMB shares on a target Windows machine from a Linux system?

163

During a penetration test, an analyst detects that an SNMP agent on a network device is using the default community string 'public'. Which TWO actions can the analyst perform using this information? (Choose TWO.)

164

A security team is investigating a compromised Linux server. They suspect the attacker used privilege escalation via SUID binaries. Which THREE techniques should the team check as potential attack vectors? (Choose THREE.)

165

Which TWO of the following are common techniques used to cover tracks after compromising a system? (Choose TWO.)

166

A security analyst runs 'nbtstat -A 192.168.1.105' and sees a table with the computer name 'FILESERVER' and a logged-in user 'admin'. Which of the following BEST describes the purpose of this command?

167

During a penetration test, you gain initial access to a Linux server as a low-privileged user. The target runs a vulnerable SUID binary owned by root. Which of the following is the MOST effective method to escalate privileges?

168

A security analyst wants to enumerate all users from an SMTP server. Which of the following SMTP commands can be used for user enumeration?

169

During a network assessment, you use SNMPwalk against a target. Which of the following is a prerequisite for successful SNMP enumeration?

170

An analyst detects an SMB enumeration attempt in network logs. Which of the following tools would MOST likely generate such traffic?

171

A penetration tester wants to crack Windows NTLM hashes using rainbow tables. Which tool is specifically designed for this purpose?

172

Which of the following is a passive OS fingerprinting technique?

173

After compromising a Windows system, an attacker wants to cover tracks by deleting event logs. Which command would achieve this?

174

Which of the following is a method of hiding files on a system using steganography?

175

A security analyst runs the following command: 'smbclient -L //192.168.1.50 -N'. What is the purpose of this command?

176

Which TWO of the following are techniques used to escalate privileges on a Linux system?

177

Which THREE of the following are components of the CHPSET system hacking methodology?

178

Which TWO of the following tools are used for password cracking?

179

Which TWO of the following are enumeration techniques?

180

Which THREE of the following are methods attackers use to cover their tracks after compromising a system?

181

A penetration tester runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

182

A security analyst wants to enumerate users and groups from a Windows domain controller using LDAP. Which of the following queries would return all objects of class 'user' from the domain 'example.com'?

183

During a penetration test, you enumerate a Linux NFS server and discover that the /export directory is mounted with 'no_root_squash' and 'world_readable' permissions. Which of the following actions would allow you to escalate to root access on the NFS client?

184

A security analyst captures the following SMTP conversation: 220 mail.example.com ESMTP; HELO client; 250 Hello; VRFY root; 250 Super-User; VRFY admin; 252 Cannot VRFY user; VRFY user1; 550 User unknown. Which attack is the analyst performing?

185

A penetration tester obtains a hash dump from a compromised Windows system and wants to crack LM and NTLM hashes quickly using precomputed tables. Which tool would be most efficient for this task?

186

A security analyst is investigating a compromised Linux system and finds the following: - A binary with SUID bit set owned by root that is not a standard system binary - The file /etc/ld.so.preload contains a reference to a shared object in /tmp - The system logs show gaps of several minutes during peak hours. Which TWO techniques has the attacker MOST likely used to maintain access and evade detection?

187

During a penetration test, a tester runs enum4linux against a Windows server and receives the following output: 'S-1-5-21-3623811015-3361044348-30300820-500' and 'S-1-5-21-3623811015-3361044348-30300820-501'. Which TWO conclusions can be drawn from this output?

188

A security auditor runs SNMPwalk against a network device using the default community string 'public' and obtains extensive system information. Which THREE of the following are effective countermeasures to prevent unauthorized SNMP enumeration?

189

A penetration tester successfully gains access to a Linux server as a low-privilege user. The goal is to escalate to root. Which THREE methods could the tester use to achieve privilege escalation?

Practice all 189 Enumeration and System Hacking questions

Other CEH exam domains

Footprinting, Reconnaissance and ScanningMalware, Social Engineering and Network AttacksWeb Application and Injection AttacksIntroduction to Ethical HackingScanning Networks and EnumerationVulnerability Analysis and System HackingAdvanced Topics: Wireless, Cloud, IoT, CryptographyFootprinting and ReconnaissanceNetwork and Web Application AttacksWireless, IoT and Cloud SecurityCryptography and Malware AnalysisSocial Engineering and Physical Security

Frequently asked questions

What does the Enumeration and System Hacking domain cover on the CEH exam?

The Enumeration and System Hacking domain covers the key concepts tested in this area of the CEH exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CEH domains — no account required.

How many Enumeration and System Hacking questions are in the CEH question bank?

The Courseiva CEH question bank contains 189 questions in the Enumeration and System Hacking domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Enumeration and System Hacking for CEH?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Enumeration and System Hacking questions for CEH?

Yes — the session launcher on this page draws questions exclusively from the Enumeration and System Hacking domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your CEH domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

PT0-002CS0-003SY0-701200-201