Practice CEH Enumeration and System Hacking questions with full explanations on every answer.
Start practicing
Enumeration and System Hacking — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A security analyst wants to enumerate NetBIOS names on a Windows network. Which built-in Windows command-line tool should they use?
2During a penetration test, you gain access to a target system as a low-privileged user. Which of the following is the BEST next step according to the CEH system hacking methodology (CHPSET)?
3A security analyst observes a suspicious SUID binary /usr/bin/evil in a Linux system. Which type of vulnerability does this indicate, and what is the MOST likely objective of an attacker who placed it?
4A penetration tester runs the following command against a target Linux server: smbclient -L 192.168.1.10 -N. The output lists several shares including 'Admin$', 'C$', and 'IPC$'. Which of the following is the MOST likely next step for further enumeration?
5An attacker uses the VRFY command on an SMTP server to check the existence of email addresses. The server responds with '250 OK' for 'admin@company.com' and '550 No such user' for 'fake@company.com'. Which SMTP enumeration technique is being used?
6A security analyst finds multiple failed login attempts in the system logs, followed by a successful login from an unusual IP address. The attacker then deleted the log entries for that session. Which step of the system hacking methodology (CHPSET) does the log deletion represent?
7Which of the following tools is specifically designed to perform password cracking using rainbow tables?
8During a penetration test, you successfully execute a privilege escalation attack by abusing a service running with SYSTEM privileges on a Windows machine. Which of the following techniques is MOST likely being used?
9A penetration tester executes the command: snmpwalk -c public -v2c 192.168.1.50. Which of the following BEST describes the purpose of this command?
10A security analyst is investigating a compromised Linux system. The /var/log/auth.log file appears to be truncated, and the timestamps on several binaries in /bin/ have been modified. Which of the following tools or techniques is the attacker MOST likely using to cover tracks?
11During a penetration test, you discover an LDAP server on port 389 that allows anonymous binds. Which of the following enumeration techniques would provide the MOST comprehensive information about the directory structure?
12An attacker has gained access to a Windows server and wants to crack the password hashes extracted from the SAM file. The attacker knows the passwords are complex but wants to maximize speed. Which tool is BEST suited for high-speed password cracking using GPU acceleration?
13Which TWO of the following are valid SMTP enumeration commands that can be used to discover valid email addresses? (Select 2)
14Which TWO of the following are common tools used for SMB enumeration? (Select 2)
15Which THREE of the following are password cracking techniques that can be used with Hashcat? (Select 3)
16A security analyst runs `nbtstat -A 192.168.1.10` and receives output showing a table with names like COMPUTER<00>, COMPUTER<20>, and DOMAIN<1B>. What type of information has the analyst gathered?
17During a penetration test, you execute the command `enum4linux -a 192.168.1.20`. The output reveals that the 'backup' account has a blank password and belongs to the 'Domain Admins' group. Which phase of the CHPSET methodology does identifying this vulnerability belong to?
18A forensic analyst examining a compromised Linux system finds the following entry in /var/log/auth.log: `Mar 15 10:23:45 server sshd[1234]: Accepted password for root from 10.0.0.5 port 54321 ssh2`. However, the analyst also notices that /var/log/auth.log has been truncated and the /etc/ssh/sshd_config file contains `LogLevel QUIET`. Which attack phase is most likely being obscured?
19An attacker has gained initial access to a Windows system and wants to escalate privileges to SYSTEM. They find that the SeImpersonatePrivilege is enabled for their current user. Which tool or technique is specifically designed to leverage this privilege for elevation?
20A system administrator wants to enumerate all users in an Active Directory domain. Which protocol and query technique should they use?
21A penetration tester runs `snmpwalk -c public -v2c 192.168.1.50 1.3.6.1.2.1.1` and receives a list of system descriptions, uptime, and contact information. Which type of information is the tester primarily gathering?
22During a penetration test, you run `smtp-user-enum -M VRFY -U users.txt -t 10.0.0.10` and receive responses '252 2.5.2 User <username>' for some users and '550 5.1.1 User unknown' for others. What does this indicate?
23An attacker has obtained password hashes from a Windows system. They plan to use rainbow tables to crack them. Which tool would be most appropriate for generating and using rainbow tables?
24Which of the following tools is specifically used to enumerate SMB shares and retrieve file listings from Windows systems?
25A security administrator notices repeated failed login attempts from a single IP address targeting the SSH service. The attempts use common usernames (root, admin, test) and a list of passwords from a dictionary. What type of password attack is being conducted?
26A Linux system has a script named 'backup' owned by root with the SUID bit set and world-executable permissions. A standard user executes the script and discovers it runs a command that reads /etc/shadow and writes output to a world-readable file. What is the most likely intended exploitation path?
27An incident responder finds that the Windows Event Logs on a compromised server have been cleared, and the Security log shows gaps in coverage. Additionally, a rootkit is suspected. Which phase of the hacking methodology does the clearing of logs represent?
28Which TWO tools can be used to enumerate SMB shares and users on a Windows target? (Choose two.)
29Which THREE of the following are valid techniques in the system hacking methodology (CHPSET)? (Choose three.)
30A penetration tester obtains password hashes from a Windows system. Which TWO methods would be most efficient for cracking NTLM hashes offline? (Choose two.)
31A security analyst runs 'nbtstat -A 192.168.1.10' and receives a table showing the machine name and a list of names registered. Which service is being enumerated?
32During a penetration test, you need to enumerate SMB shares on a Windows target. Which of the following tools is specifically designed for this purpose?
33Which SNMP community string is typically used for read-only access by default on many devices?
34An attacker attempts to enumerate valid email users by connecting to an SMTP server and issuing the following commands: EHLO example.com, VRFY root, VRFY admin, VRFY user1. Which SMTP enumeration technique is being used?
35A tester runs 'snmpwalk -v2c -c public 192.168.1.1' and receives a large amount of system information. What does this command do?
36During a penetration test, you gain access to a Linux server as a low-privileged user. Which of the following is an effective technique to escalate privileges by exploiting misconfigured file permissions?
37An ethical hacker needs to crack a set of NTLM hashes obtained from a Windows system. Which tool would be MOST efficient for performing a dictionary attack with hybrid rules?
38After successfully exploiting a system, an attacker uses the command 'wevtutil cl system' on a Windows target. What is the MOST likely purpose of this command?
39Which phase of the system hacking methodology (CHPSET) involves hiding files from the operating system using techniques such as rootkits or steganography?
40A penetration tester uses the following command to extract the contents of a SAM file: 'samdump2 SYSTEM /mnt/windows/Windows/System32/config/SAM'. What is the primary purpose of this action?
41During a penetration test, you discover a Windows service running with SYSTEM privileges that has a weak file permission allowing the 'Everyone' group to modify its executable. Which privilege escalation technique is MOST directly applicable here?
42An attacker uses 'rpcclient -U '' -N 192.168.1.10' followed by 'enumdomusers' and 'enumdomgroups'. What type of enumeration is being performed, and which protocol does it rely on?
43Which TWO tools are commonly used for enumerating NFS exports on a target system? (Select 2 correct answers)
44Which THREE of the following are valid techniques for covering tracks after compromising a system? (Select 3 correct answers)
45Which TWO of the following are examples of hybrid password attacks? (Select 2 correct answers)
46During a penetration test, you run the command `enum4linux -a 192.168.1.10` and receive output containing user account names, group memberships, and share listings. Which protocol is primarily being enumerated?
47A security analyst suspects an attacker has used a rainbow table to crack password hashes from a compromised system. Which password cracking technique involves precomputed hash chains?
48During a security assessment, you find a Linux binary with the SUID bit set and owned by root. You execute it and obtain a root shell. This is an example of which privilege escalation technique?
49A penetration tester is attempting to enumerate user accounts on a mail server. They connect to port 25 and issue the commands `VRFY root` and `EXPN support`. Which protocol is being targeted?
50After gaining access to a system, an attacker modifies log files to remove evidence of their activities. This action is part of which phase of the system hacking methodology?
51Which tool is specifically designed to crack Windows LM and NTLM password hashes using rainbow tables?
52A security analyst runs `snmpwalk -v2c -c public 192.168.1.1` and receives extensive output about the device's configuration. Which of the following is the MOST effective countermeasure against this enumeration?
53During a penetration test, you need to enumerate all users and groups from a Windows domain controller. Which tool is BEST suited for this task?
54An attacker uses a tool that sends crafted RCPT TO commands to an SMTP server to verify email addresses. Which SMTP enumeration technique is being used?
55Which password cracking technique involves trying every possible combination of characters until the correct password is found?
56A security analyst examines a compromised Linux server and finds a hidden directory `/usr/share/.syslog` containing a modified version of `sshd` and a log cleaner script. This is indicative of which technique used to erase tracks?
57Which of the following commands would a tester use to enumerate NetBIOS names and their associated IP addresses on a local subnet?
58Which TWO of the following are valid methods for enumerating SMB shares on a target system? (Select 2)
59Which THREE of the following are common techniques used in the 'Cracking passwords' phase of system hacking? (Select 3)
60Which TWO of the following are effective countermeasures against SNMP enumeration attacks? (Select 2)
61A security analyst uses the nbtstat -a command against a target IP address. What information is the analyst MOST likely attempting to retrieve?
62During a penetration test, an analyst runs the command 'snmpwalk -v2c -c public 192.168.1.10' and receives a large amount of output. Which protocol and community string are being used?
63An attacker uses a tool that precomputes hash chains for common passwords to crack password hashes quickly. Which technique is the attacker employing?
64After gaining initial access to a Windows server, a penetration tester wants to escalate privileges. The tester finds that the current user has the 'SeImpersonatePrivilege' enabled. Which attack technique could the tester use to abuse this privilege?
65Which of the following tools is specifically designed to crack Windows LAN Manager (LM) and NTLM hashes using rainbow tables?
66During a security assessment, an analyst runs 'enum4linux -a 10.0.0.5' and obtains a list of users, shares, and OS information. What protocol is enum4linux primarily using to gather this information?
67A penetration tester discovers a Linux server with the SUID bit set on the 'find' command. How could this be exploited for privilege escalation?
68An attacker uses SMTP commands to verify the existence of email accounts on a mail server. Which sequence of SMTP commands is used for this purpose?
69A security analyst suspects an attacker has replaced system binaries with a rootkit to hide malicious processes. Which covering tracks technique is the attacker using?
70Which of the following is the correct order of phases in the system hacking methodology known as CHPSET?
71During an internal penetration test, you run 'smbclient -L //192.168.1.100 -N' and get an empty response. Which of the following is the MOST likely reason?
72A penetration tester captures the following output from a command: 'smb: \> ls \\192.168.1.20\C$'. The tester is able to list the contents of the C$ share without providing credentials. Which of the following is the MOST likely reason for this access?
73Which TWO of the following are valid enumeration techniques? (Select 2)
74Which THREE of the following are password cracking techniques? (Select 3)
75Which TWO of the following are examples of privilege escalation on Linux? (Select 2)
76A security analyst runs the command: nbtstat -A 192.168.1.10. The output shows the table of names for the remote machine. Which of the following is the MOST likely purpose of this command?
77During a penetration test, you receive a list of password hashes from a Windows server. Which of the following tools would be BEST suited to perform a dictionary attack against these hashes?
78A penetration tester obtains a list of password hashes and uses RainbowCrack. Which statement BEST describes how RainbowCrack works?
79After gaining initial access, an attacker attempts to escalate privileges by exploiting a misconfigured service running as SYSTEM. They find that the service's binary path is writable by the Everyone group. Which privilege escalation technique is the attacker MOST likely using?
80A security engineer runs SNMPwalk on a network device and receives community strings as 'public' and 'private'. What is the PRIMARY concern?
81Which of the following is the PRIMARY purpose of steganography in the context of covering tracks after a system compromise?
82A penetration tester uses the SMTP commands VRFY and EXPN on a mail server. What is the tester MOST likely trying to accomplish?
83During a penetration test, an analyst uses enum4linux with the -a flag against a target. Which of the following is the MOST comprehensive set of information that can be obtained?
84An attacker has gained access to a system and wants to erase evidence of their activities. Which of the following actions is MOST effective for covering tracks on a Windows system?
85A penetration tester finds that a Linux binary has the SUID bit set and is owned by root. Which of the following does this indicate?
86Which tool is specifically designed to crack Windows LM and NTLM hashes using precomputed tables?
87A security analyst observes repeated attempts to validate user accounts via SMTP using VRFY commands from an external IP. What is the BEST immediate action to mitigate this reconnaissance?
88Which TWO techniques are commonly used for privilege escalation on Linux systems? (Select two.)
89Which THREE of the following are components of the CHPSET system hacking methodology? (Select three.)
90Which TWO tools are commonly used for password cracking against hashed passwords? (Select two.)
91A security analyst runs the command `nbtstat -A 192.168.1.105` on a Windows machine. What information is the analyst most likely trying to gather?
92During a penetration test, a tester uses the SMTP VRFY command against a mail server. The server responds with '252 Cannot VRFY user, but will accept message' for most usernames. Which action should the tester take to enumerate valid email addresses more effectively?
93A penetration tester is attempting to escalate privileges on a Linux target. The tester runs `find / -perm -4000 -type f 2>/dev/null` and discovers that `/usr/bin/pkexec` has the SUID bit set. The target runs Ubuntu 20.04 with default configurations. Which of the following is the MOST likely next step?
94An analyst observes repeated failed login attempts to a Windows server from an internal IP, followed by a successful login using the account 'admin' from the same IP. The analyst checks the Security log and finds Event ID 4624 with Logon Type 3. What type of attack is MOST likely occurring?
95Which tool is specifically designed to crack Windows LM and NTLM hashes using rainbow tables?
96During a system hacking phase, a tester successfully gains access to a Windows machine and wants to hide a malicious executable. Which of the following techniques is MOST effective for hiding files from standard directory listings without using third-party tools?
97A security team discovers that an attacker has been using steganography to exfiltrate data from the corporate network. The attacker hid data inside image files and uploaded them to a public image hosting site. Which of the following is the BEST method to detect this type of exfiltration?
98A penetration tester runs the following command against a Linux server: `smbclient -L //192.168.1.10 -N`. The output lists shares including 'IPC$', 'ADMIN$', and 'data'. Which of the following is the BEST next step to enumerate the 'data' share?
99Which of the following commands is used to enumerate SNMP information from a network device using a specific community string?
100A penetration tester has obtained a copy of the SAM database from a Windows system. The hashes extracted include both LM and NTLM hashes. Which of the following tools would be MOST efficient to crack the NTLM hashes using a dictionary attack with GPU acceleration?
101After gaining initial access to a Linux server, a penetration tester wants to maintain persistence by creating a backdoor. The tester decides to replace a common system binary with a trojanized version. Which of the following techniques is MOST likely to evade detection by file integrity monitoring (FIM) systems?
102A security analyst reviews the following command output from a Linux system: `uid=0(root) gid=0(root) groups=0(root)`. The analyst suspects a privilege escalation attack. Which of the following techniques could have been used to achieve root access from a standard user account?
103Which TWO of the following are valid methods for enumerating users on a SMTP server? (Select 2)
104Which THREE of the following are indicators that a system has been compromised by a rootkit? (Select 3)
105Which TWO of the following are common techniques for covering tracks after compromising a system? (Select 2)
106A security analyst runs the command `nbtstat -A 192.168.1.50` in a Windows environment. What information is the analyst attempting to retrieve?
107During a penetration test, you successfully gain access to a web server with a low-privileged shell. You want to escalate privileges to root. Which of the following techniques is MOST likely to achieve privilege escalation on a misconfigured Linux system?
108A security team has collected a hash file from a compromised Windows server that contains NTLM hashes. They want to crack the passwords as quickly as possible using a precomputed lookup table. Which tool and technique combination is BEST suited for this task?
109A penetration tester is enumerating an SMTP server on port 25. They issue the command `VRFY root` and receive a 250 response, then `VRFY admin` also returns 250. What does this indicate about the SMTP server?
110A penetration tester wants to enumerate users and groups from a Windows domain controller via LDAP without logging in. Which of the following tools is MOST appropriate for anonymous LDAP enumeration?
111An attacker has gained access to a Linux server and wants to cover their tracks. They edit the `.bash_history` file, modify system logs in `/var/log`, and install a kernel module that hides their processes. Which two steps of the system hacking methodology (CHPSET) are being performed?
112Which of the following tools is specifically designed to enumerate SMB shares and user information from Windows systems using the SMB protocol?
113A penetration tester is performing SNMP enumeration against a network device and wants to retrieve the entire Management Information Base (MIB) tree. Which command should they use?
114During a password cracking session, a pentester uses a wordlist combined with rules to generate variations of each word. This approach is called a hybrid attack. Which tool, when used with a rule file, can perform such an attack?
115A forensic analyst discovers that an attacker used a rootkit to hide malicious processes and files on a compromised Linux system. The rootkit also intercepts system calls to `open()` and `stat()` to return clean results. Which of the following techniques is the rootkit using to cover its tracks?
116Which of the following is a primary purpose of the enumeration phase in a penetration test?
117A security analyst is investigating a potential SMB-based attack. They notice unusual traffic on port 445 from a host running `enum4linux`. Which of the following enumeration actions could `enum4linux` perform that would generate such traffic?
118Which TWO of the following are valid enumeration techniques used to identify user accounts on a system? (Select 2)
119A penetration tester is tasked with performing privilege escalation on a Windows system. Which THREE of the following methods are commonly used for Windows privilege escalation? (Select 3)
120Which TWO of the following tools are capable of cracking password hashes offline? (Select 2)
121A security analyst runs `nbtstat -A 192.168.1.50` from a Windows command prompt and receives output showing a table with names like 'WORKGROUP<00>', 'PC01<20>', and 'USER<03>'. What is the MOST likely purpose of this command?
122Which tool is specifically designed to enumerate SMB shares and user accounts on a Windows target by leveraging the SMB protocol?
123During an SMTP enumeration, a penetration tester connects to the mail server on port 25 and issues the commands 'VRFY root', 'EXPN admin', and 'RCPT TO:unknown@domain.com'. The server responds with '252' for VRFY, '250' for EXPN, and '550' for RCPT TO. What does this indicate?
124An attacker gains access to a Linux web server as the 'www-data' user. They run `find / -perm -4000 -type f 2>/dev/null` and see that `/usr/bin/passwd` has the SUID bit set. Which privilege escalation technique is this command checking for?
125Which of the following tools is used to crack Windows LAN Manager (LM) and NTLM password hashes using rainbow tables?
126After compromising a system, an attacker wants to erase their tracks. They clear the Windows Event Logs using `wevtutil cl` commands. However, the logs are forwarded to a remote SIEM. Which covering tracks technique would be MOST effective to avoid detection?
127A penetration tester discovers a service running on UDP port 161 with a default community string 'public'. They use `snmpwalk -v2c -c public 192.168.1.10` and retrieve extensive system information. Which enumeration technique is being performed?
128In the context of system hacking methodology (CHPSET), which phase involves hiding malicious files from the operating system and security tools using techniques such as NTFS alternate data streams (ADS) or steganography?
129Which password cracking method uses a precomputed table of hash chains to reverse password hashes quickly?
130A security analyst notices that an attacker has gained SYSTEM privileges on a Windows server after compromising a service running as LOCAL SYSTEM. The attacker then uses `whoami /priv` and finds the SeTcbPrivilege (Act as part of the operating system) is enabled. Which privilege escalation technique might the attacker use next?
131During a penetration test, the tester runs `ldapsearch -x -H ldap://192.168.1.20 -b 'dc=domain,dc=com' '(objectclass=*)'`. The output reveals user objects with 'userPassword' attributes in clear text. Which type of enumeration is being performed, and what is the security implication?
132A penetration tester gains access to a Linux server and attempts to escalate privileges. They run `sudo -l` and see that the user can run `/usr/bin/vim` as root without a password. Which privilege escalation technique should the tester use?
133Which TWO of the following are enumeration techniques used to gather information from Windows systems? (Select 2)
134Which THREE of the following are methods for covering tracks after compromising a system? (Select 3)
135Which TWO of the following are password cracking techniques? (Select 2)
136A security analyst runs `nbtstat -A 192.168.1.10` and receives a response with the computer name, logged-in user, and domain. Which protocol is being queried?
137A penetration tester wants to enumerate user accounts on a Linux system running SMTP service. Which commands are commonly used for this purpose?
138During a penetration test, the tester runs `enum4linux -U 192.168.1.20` and obtains a list of usernames. What service is being enumerated, and what is the primary risk associated with this information disclosure?
139An analyst observes the following SNMP walk output on a network device: `SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.5.1 = STRING: "cisco"`. Which finding is most significant?
140Which tool is specifically designed to crack Windows LAN Manager (LM) and NTLM hashes using rainbow tables?
141During a penetration test, a tester gains a low-privilege shell on a Linux server. The command `sudo -l` reveals that the user can run `/usr/bin/find` as root. Which technique can the tester use to escalate privileges?
142A security engineer notices repeated log entries showing a user account logging in at odd hours and then clearing event logs. The engineer suspects credential theft. Which phase of the CHPSET methodology involves erasing tracks?
143A penetration tester uses `smbclient -L //192.168.1.30 -N` and receives a list of shares including a hidden administrative share (C$) and a user share named "Backup". What is the most immediate security concern?
144Which type of password cracking attack uses a precomputed table of hash chains to reverse hashes quickly?
145An attacker modifies system logs to remove entries related to their activities. Which technique is being used to cover tracks?
146A forensic analyst finds a system where the user's password hash was obtained and cracked offline. The attacker then used stolen credentials to log in and run `wevtutil cl system`. What is the purpose of this command?
147In the context of privilege escalation on Windows, what is token impersonation, and which tool is commonly used to exploit it?
148A penetration tester is enumerating services on a target Windows server. Which TWO tools are specifically designed for SMB enumeration? (Select two.)
149During a penetration test, the tester successfully cracks a password hash using a hybrid attack. Which THREE characteristics describe a hybrid attack? (Select three.)
150Which TWO of the following are common methods used to hide files on a compromised system? (Select two.)
151A penetration tester runs `nbtstat -A 192.168.1.10` on a Windows machine. The output reveals the NetBIOS name table and shows a <20> entry. What does this indicate?
152During an internal penetration test, an analyst uses `enum4linux -a 10.0.0.5` and retrieves a list of local users, including an account named 'sqlsvc'. The analyst then attempts to crack the password using a dictionary attack. Which password cracking tool would be most efficient for this task?
153Which enumeration technique would be MOST effective for gathering usernames from an SMTP server that supports the VRFY command?
154After gaining initial access to a Linux server, an attacker runs `find / -perm -4000 -o -perm -2000 2>/dev/null`. What is the primary objective of this command?
155A security analyst observes repeated log entries showing `EXPN` commands from an external IP address to the company's mail server. What is the MOST likely objective of this activity?
156Which tool is specifically designed to perform SNMP enumeration by walking the MIB tree using a known community string?
157During a penetration test, an analyst obtains a dump of password hashes from a Windows server. The hashes are in LM:NT format. The analyst wants to crack the NT portion using a brute-force attack on 8-character alphanumeric passwords. Which tool is BEST suited for this task?
158An attacker has compromised a Linux machine and wants to hide a rootkit by replacing system binaries with trojaned versions. Which technique is being used to maintain persistent access while evading detection?
159A security analyst runs `ldapsearch -x -h 10.0.0.3 -b "dc=company,dc=com"` and receives a large number of entries including user objects. What type of information is being collected?
160In the context of system hacking methodology (CHPSET), which phase involves removing evidence of the attacker's activities from logs and system files?
161An attacker successfully escalates privileges on a Windows server using a known vulnerability in the Print Spooler service (PrintNightmare). Which type of privilege escalation does this represent?
162Which of the following commands would a penetration tester use to enumerate SMB shares on a target Windows machine from a Linux system?
163During a penetration test, an analyst detects that an SNMP agent on a network device is using the default community string 'public'. Which TWO actions can the analyst perform using this information? (Choose TWO.)
164A security team is investigating a compromised Linux server. They suspect the attacker used privilege escalation via SUID binaries. Which THREE techniques should the team check as potential attack vectors? (Choose THREE.)
165Which TWO of the following are common techniques used to cover tracks after compromising a system? (Choose TWO.)
166A security analyst runs 'nbtstat -A 192.168.1.105' and sees a table with the computer name 'FILESERVER' and a logged-in user 'admin'. Which of the following BEST describes the purpose of this command?
167During a penetration test, you gain initial access to a Linux server as a low-privileged user. The target runs a vulnerable SUID binary owned by root. Which of the following is the MOST effective method to escalate privileges?
168A security analyst wants to enumerate all users from an SMTP server. Which of the following SMTP commands can be used for user enumeration?
169During a network assessment, you use SNMPwalk against a target. Which of the following is a prerequisite for successful SNMP enumeration?
170An analyst detects an SMB enumeration attempt in network logs. Which of the following tools would MOST likely generate such traffic?
171A penetration tester wants to crack Windows NTLM hashes using rainbow tables. Which tool is specifically designed for this purpose?
172Which of the following is a passive OS fingerprinting technique?
173After compromising a Windows system, an attacker wants to cover tracks by deleting event logs. Which command would achieve this?
174Which of the following is a method of hiding files on a system using steganography?
175A security analyst runs the following command: 'smbclient -L //192.168.1.50 -N'. What is the purpose of this command?
176Which TWO of the following are techniques used to escalate privileges on a Linux system?
177Which THREE of the following are components of the CHPSET system hacking methodology?
178Which TWO of the following tools are used for password cracking?
179Which TWO of the following are enumeration techniques?
180Which THREE of the following are methods attackers use to cover their tracks after compromising a system?
181A penetration tester runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?
182A security analyst wants to enumerate users and groups from a Windows domain controller using LDAP. Which of the following queries would return all objects of class 'user' from the domain 'example.com'?
183During a penetration test, you enumerate a Linux NFS server and discover that the /export directory is mounted with 'no_root_squash' and 'world_readable' permissions. Which of the following actions would allow you to escalate to root access on the NFS client?
184A security analyst captures the following SMTP conversation: 220 mail.example.com ESMTP; HELO client; 250 Hello; VRFY root; 250 Super-User; VRFY admin; 252 Cannot VRFY user; VRFY user1; 550 User unknown. Which attack is the analyst performing?
185A penetration tester obtains a hash dump from a compromised Windows system and wants to crack LM and NTLM hashes quickly using precomputed tables. Which tool would be most efficient for this task?
186A security analyst is investigating a compromised Linux system and finds the following: - A binary with SUID bit set owned by root that is not a standard system binary - The file /etc/ld.so.preload contains a reference to a shared object in /tmp - The system logs show gaps of several minutes during peak hours. Which TWO techniques has the attacker MOST likely used to maintain access and evade detection?
187During a penetration test, a tester runs enum4linux against a Windows server and receives the following output: 'S-1-5-21-3623811015-3361044348-30300820-500' and 'S-1-5-21-3623811015-3361044348-30300820-501'. Which TWO conclusions can be drawn from this output?
188A security auditor runs SNMPwalk against a network device using the default community string 'public' and obtains extensive system information. Which THREE of the following are effective countermeasures to prevent unauthorized SNMP enumeration?
189A penetration tester successfully gains access to a Linux server as a low-privilege user. The goal is to escalate to root. Which THREE methods could the tester use to achieve privilege escalation?
The Enumeration and System Hacking domain covers the key concepts tested in this area of the CEH exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CEH domains — no account required.
The Courseiva CEH question bank contains 189 questions in the Enumeration and System Hacking domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Enumeration and System Hacking domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included