Practice CEH Scanning Networks and Enumeration questions with full explanations on every answer.
Start practicing
Scanning Networks and Enumeration — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?
2A security analyst is using Nmap to scan a network segment 192.168.1.0/24 and wants to identify live hosts without sending packets to every IP. Which scan type should the analyst use to minimize network traffic while discovering active hosts?
3During an internal penetration test, you are tasked with enumerating services on a target server. You run a full TCP port scan and find that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. You then perform version detection on these ports. Which additional enumeration step would provide the most valuable information for identifying potential vulnerabilities?
4A network administrator needs to identify all devices on a large corporate network that are running a specific vulnerable version of OpenSSH. The administrator has network access and can use scanning tools. However, scanning the entire network might disrupt operations. Which approach minimizes disruption while accurately identifying the vulnerable hosts?
5You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?
6Which TWO types of information can be obtained through SNMP enumeration on a target device if the community string is 'public'? (Choose two.)
7Which THREE Nmap options are commonly used to evade firewall detection during a scan? (Choose three.)
8Refer to the exhibit. An Nmap scan shows that port 80 is 'filtered' while ports 22 and 443 are 'open'. What does the 'filtered' state indicate?
9You are a penetration tester assessing a client's internal network. The client has provided you with a non-administrative domain user account. The target network consists of 200 Windows workstations and 5 Windows servers (one domain controller, one file server, two application servers, and one database server). All systems are fully patched and have host-based firewalls enabled. The client wants you to identify vulnerabilities that could be exploited from the internal network. After initial reconnaissance, you discover that all servers have SMB (port 445) open only to the domain controller and the file server has SMB open to all workstations. You have gained a foothold on a workstation via a phishing attack. From this workstation, you can reach the file server on port 445. What is the most effective next step to enumerate potential vulnerabilities on the file server?
10A penetration tester discovers that an Nmap SYN scan against a target host returns no open ports, but a TCP connect scan reveals port 443 open. Which of the following is the most likely reason for this discrepancy?
11Which THREE of the following are valid methods for enumerating users on a Windows domain without prior credentials? (Select exactly 3.)
12Refer to the exhibit. A penetration tester runs the above Nmap scan. Which of the following statements is most accurate regarding the state of port 3389?
13You are conducting a security assessment for a company that hosts a web application on AWS. The application consists of a public-facing load balancer, an EC2 instance running a Linux web server, and an RDS MySQL database in a private subnet. The web server is configured to allow SSH access only from the company's internal IP range (203.0.113.0/24). During initial reconnaissance, you discover that the load balancer's security group allows inbound HTTP/HTTPS from anywhere. You attempt an Nmap SYN scan against the EC2 instance's public IP but receive no response (host appears down). Using a TCP connect scan, you find that ports 80 and 443 are open on the EC2 instance's public IP, but port 22 is filtered. You then launch an EC2 instance in the same region and run a scan from that internal AWS IP, and you find that port 22 is open on the target EC2 instance's private IP. Which of the following is the most likely reason for the initial scan failure and the filtered SSH port?
14Which TWO of the following Nmap scan types are typically used to evade firewalls and IDS systems by sending fragmented packets?
15You are a penetration tester for a financial institution. During the reconnaissance phase, you discover that the target network uses a firewall that only allows inbound TCP connections on ports 80, 443, and 8080. You need to identify live hosts and running services on the internal network (192.168.1.0/24) from an external perspective. To avoid detection, you must minimize the number of packets sent and ensure that your scanning technique does not complete the TCP three-way handshake. Additionally, you have limited time and need to scan all 65535 ports on the most promising target. Based on the firewall rules and the need for stealth, which of the following approaches should you take?
16Drag and drop the steps to conduct a penetration test using the CEH methodology into the correct order.
17Drag and drop the steps to perform a buffer overflow exploit in a controlled lab environment into the correct order.
18Match each security tool to its primary purpose.
19Match each cloud security concept to its description.
The Scanning Networks and Enumeration domain covers the key concepts tested in this area of the CEH exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CEH domains — no account required.
The Courseiva CEH question bank contains 19 questions in the Scanning Networks and Enumeration domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Scanning Networks and Enumeration domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included