EC-Council · Free Practice Questions · Last reviewed May 2026
78real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?
Perform a full TCP connect scan with UDP service detection on all ports
Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
-sS = SYN/stealth scan, -sV = version detection, -O = OS fingerprinting, -p 22,80,443,3389 = scan only these four ports. This is a targeted reconnaissance scan.
Perform an aggressive scan of all open ports and enumerate SMB shares
Perform a UDP scan on the four specified ports and identify running services
During a passive reconnaissance phase, a penetration tester uses a tool to gather email addresses, subdomains, and employee names associated with a target domain without directly interacting with the target's systems. Which tool is BEST suited for this purpose?
theHarvester
theHarvester is a passive OSINT tool that collects emails, subdomains, IPs, and names from public sources like Google, Bing, and LinkedIn.
Nmap
Netcat
Wireshark
A security analyst notices unusual outbound traffic from an internal server to a known malicious IP address on port 4444. The server is running a web application that was recently scanned using a vulnerability scanner. Which of the following is the MOST likely cause?
The server is performing a DNS lookup to resolve the malicious IP address
The web application is sending log data to a SIEM system for analysis
A vulnerability discovered during the scan was exploited, establishing a reverse shell connection to the attacker
Port 4444 is commonly used for reverse shells. Outbound traffic to a malicious IP on this port indicates successful exploitation and a backdoor connection.
The vulnerability scan caused a false positive and triggered a legitimate backup process
During a penetration test, you execute the following command: dnsrecon -d example.com -t axfr. The output shows 'AXFR record received' followed by a list of all DNS records. What does this indicate about the target's DNS configuration?
The DNS server is using DNSSEC to secure zone transfers
The DNS server is vulnerable to zone transfer attacks, allowing unauthorized users to retrieve the entire zone file
A successful AXFR to an unauthenticated client indicates a misconfiguration that exposes internal network details.
The DNS server is properly configured and only allows zone transfers to authorized secondary servers
The target uses a split-DNS configuration with internal and external views
Which Google dork would a penetration tester use to find login pages of websites that have 'admin' in the URL?
site:admin login
filetype:pdf admin login
intitle:"login" inurl:admin
inurl:"admin" inurl:"login"
inurl:admin finds URLs containing 'admin', and inurl:login finds URLs containing 'login'. Combined, they find login pages with 'admin' in the URL.
A security team wants to identify all live hosts on a large, Class B private IP network (172.16.0.0/16) as quickly as possible while minimizing network load. Which tool and technique should they use?
Masscan with --ping to send ICMP echo requests across the /16 range
Masscan can send ICMP echo requests at very high rates, making it ideal for fast host discovery on large networks.
Use theHarvester to query DNS records for the domain
Nmap with -sn (ping sweep) on all 65536 IPs
hping3 with --icmp on each IP sequentially
Want more Footprinting, Reconnaissance and Scanning practice?
Practice this domainA security analyst wants to enumerate NetBIOS names on a Windows network. Which built-in Windows command-line tool should they use?
nslookup
netstat
nbtstat
nbtstat is the correct command for NetBIOS name resolution and enumeration.
net view
During a penetration test, you gain access to a target system as a low-privileged user. Which of the following is the BEST next step according to the CEH system hacking methodology (CHPSET)?
Execute applications to extract data
Hide files to conceal tools and data
Erase event logs to avoid detection
Escalate privileges to gain higher-level access
Privilege escalation is the third step in CHPSET, following cracking passwords and hiding files, and is appropriate after initial low-privileged access.
A security analyst observes a suspicious SUID binary /usr/bin/evil in a Linux system. Which type of vulnerability does this indicate, and what is the MOST likely objective of an attacker who placed it?
Information disclosure; read sensitive files
Privilege escalation; gain root access
SUID binaries allow execution with elevated permissions; a root-owned SUID binary can be used to escalate to root.
Denial of service; crash the system
Buffer overflow; execute arbitrary code
A penetration tester runs the following command against a target Linux server: smbclient -L 192.168.1.10 -N. The output lists several shares including 'Admin$', 'C$', and 'IPC$'. Which of the following is the MOST likely next step for further enumeration?
Use enum4linux -a 192.168.1.10 to enumerate users and policies
enum4linux is a tool for SMB enumeration; -a runs all enumeration options, which is appropriate after discovering shares.
Attempt to crack the administrator password using a dictionary attack
Perform a port scan to check for open ports
Run snmpwalk to retrieve SNMP community strings
An attacker uses the VRFY command on an SMTP server to check the existence of email addresses. The server responds with '250 OK' for 'admin@company.com' and '550 No such user' for 'fake@company.com'. Which SMTP enumeration technique is being used?
EXPN enumeration
SMTP banner grabbing
RCPT TO enumeration
VRFY enumeration
The VRFY command verifies whether a mailbox exists, and the response codes confirm this technique.
A security analyst finds multiple failed login attempts in the system logs, followed by a successful login from an unusual IP address. The attacker then deleted the log entries for that session. Which step of the system hacking methodology (CHPSET) does the log deletion represent?
Spying
Executing applications
Cracking passwords
Erasing tracks
Deleting log entries is a classic example of erasing tracks to avoid detection.
Want more Enumeration and System Hacking practice?
Practice this domainA security analyst notices a high volume of ICMP Echo Reply packets on the network. The source IPs are varied, but the destination IP is the same. Which type of attack is MOST likely occurring?
UDP flood
Ping of Death
Smurf attack
Correct. The large number of ICMP Echo Replies from multiple sources to a single target is characteristic of a Smurf attack.
ICMP flood
A user receives a phone call from someone claiming to be from IT support, asking for their password to troubleshoot an issue. Which social engineering technique is being used?
Phishing
Pretexting
Correct. The attacker uses a false pretext (IT support) to obtain sensitive information.
Baiting
Vishing
Which tool would a penetration tester MOST likely use to perform ARP poisoning and conduct a man-in-the-middle attack on a local network?
Wireshark
Nmap
tcpdump
Ettercap
Correct. Ettercap is specifically designed for MITM attacks using ARP poisoning.
An analyst observes the following output from Wireshark: a TCP packet with the SYN flag set, followed by a SYN-ACK, then an ACK, and then a RST. The sequence numbers show a pattern: initial seq=100, ack=300, then seq=300, ack=101. What is the MOST likely interpretation?
An attacker is performing TCP sequence prediction to hijack the session.
Correct. The sequence numbers show successful prediction, and the RST may be used to reset the connection after hijacking.
A normal TCP connection establishment followed by an immediate termination.
A man-in-the-middle attack using ARP spoofing.
A TCP SYN flood attack is in progress.
A security team discovers a file named 'svchost.exe' in a user's Temp folder. The file is signed by 'Microsoft Corporation' but the digital signature validation fails. Which analysis method should be used FIRST to determine if it's malicious?
Upload to VirusTotal
Dynamic analysis in a sandbox
Static analysis using strings and PEiD
Correct. Static analysis can reveal suspicious strings, packed executables, or invalid signatures without execution.
Run the file on a production system to observe behavior
An organization is experiencing repeated DDoS attacks that consume all available bandwidth. Which mitigation technique is MOST effective for handling such volumetric attacks?
Blackholing all traffic to the target IP
Anycast network distribution
Rate limiting on the firewall
Scrubbing centers
Correct. Scrubbing centers are designed to filter out attack traffic and allow clean traffic through.
Want more Malware, Social Engineering and Network Attacks practice?
Practice this domainA security analyst notices that the web application returns different response times when a valid username is submitted versus an invalid one during login. Which type of vulnerability is likely being exploited?
Time-based SQL injection
Time-based SQL injection uses database delay functions (e.g., SLEEP()) to infer information based on response times.
Reflected XSS
Blind boolean-based SQL injection
CSRF
Which of the following tools is commonly used to automate the detection and exploitation of SQL injection vulnerabilities?
SQLMap
SQLMap is designed to automate SQL injection detection and exploitation.
Metasploit
Nmap
Burp Suite
A penetration tester intercepts the following request using Burp Suite: POST /change_password HTTP/1.1 Host: example.com Cookie: sessionid=abc123; SameSite=Lax Content-Type: application/x-www-form-urlencoded new_password=Hacker123 The tester successfully crafts a CSRF attack by embedding a hidden form in a malicious page. Which mitigation is most likely missing?
SameSite=Strict
HTTPOnly flag
Secure flag
CSRF token
A CSRF token would prevent the attack because the malicious site cannot guess the token.
A web application allows users to upload profile pictures. An attacker uploads a file named "profile.php" containing malicious PHP code. When the attacker visits the uploaded file's URL, the code executes. Which vulnerability is being exploited?
Directory traversal
Command injection
File upload vulnerability
The attacker uploaded a malicious PHP file that executes, indicating a file upload vulnerability.
Stored XSS
An analyst observes the following log entry on a web server: GET /../../etc/passwd HTTP/1.1 200. Which type of attack is indicated?
Directory traversal
The use of '../' to access files outside the web root is directory traversal.
SSRF
LFI
Command injection
During a penetration test, a tester uses the following payload in a search field: <script>alert(document.cookie)</script>. The payload is reflected in the response without sanitization. However, the tester notices that the attack only works when the payload is submitted via a POST request, not GET. Which type of XSS is this?
Stored XSS
Reflected XSS
The payload is reflected immediately, making it reflected XSS.
DOM-based XSS
Self-XSS
Want more Web Application and Injection Attacks practice?
Practice this domainA security analyst suspects that an attacker is scanning their network. They notice a large number of TCP SYN packets being sent to various ports on a single host, but no SYN-ACK responses are returned. Which type of scan is most likely being used?
TCP connect scan
UDP scan
SYN scan
SYN scan sends SYN packets; lack of SYN-ACK indicates filtered/closed ports.
FIN scan
During a penetration test, an ethical hacker needs to evade an IDS that detects port scans based on the number of packets per second. Which technique would be most effective to avoid detection?
Use random source ports
Use a decoy scan
Slow down the scan rate
Reducing packets per second avoids triggering rate-based IDS thresholds.
Use fragmented packets
A company wants to test the security of its web application by simulating attacks from an external perspective. They have no prior knowledge of the internal network or application architecture. Which type of test should they perform?
Black-box test
Black-box test simulates an external attacker with no prior knowledge.
White-box test
Red team engagement
Gray-box test
Which TWO of the following are recognized phases of the Ethical Hacking process? (Select TWO.)
Maintaining Access
Maintaining Access is a phase after gaining access.
Scanning
Reconnaissance
Reconnaissance is the first phase of ethical hacking.
Hiding Evidence
Cracking
Refer to the exhibit. An ethical hacker runs the shown Nmap scan against a target. Which port state indicates that the port is reachable but no service is listening?
open
closed
Closed means reachable but no service listening.
filtered
unfiltered
You are an ethical hacker hired to assess the security of a mid-sized company's internal network. The company has three departments: Sales, Engineering, and HR, each on separate VLANs. The network uses a single firewall with default-deny rules, but inter-VLAN routing is allowed for specific ports (e.g., HR needs to access Sales database on TCP 1433). During reconnaissance, you discover that the Engineering VLAN has a web server running on port 80 that is accessible from all VLANs. You also find that the Sales VLAN has a file share (SMB) on port 445 that is accessible only from HR. The firewall logs show numerous failed SSH attempts from an external IP to the Engineering web server. Which action should you recommend as the most effective immediate step to reduce the attack surface?
Implement a password policy requiring complex passwords for all users.
Enable two-factor authentication on the web server.
Apply the latest security patches to the web server.
Restrict access to the Engineering web server to only the Engineering VLAN.
This immediately reduces the attack surface by limiting unnecessary access.
Want more Introduction to Ethical Hacking practice?
Practice this domainDuring a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?
A stateful firewall is blocking inbound SYN packets to port 80 but allowing responses to outbound connections.
Stateful firewalls track connection states; they may block unsolicited SYN but allow replies.
The web server is running on a non-standard port that you did not scan.
The server's TCP/IP stack is misconfigured and does not respond to SYN scans.
A web application firewall is blocking the SYN scan traffic.
A security analyst is using Nmap to scan a network segment 192.168.1.0/24 and wants to identify live hosts without sending packets to every IP. Which scan type should the analyst use to minimize network traffic while discovering active hosts?
TCP SYN scan using `nmap -sS`
ARP scan using `nmap -PR`
Ping sweep using `nmap -sn`
`-sn` disables port scan and sends only ICMP echo, TCP SYN to port 443, etc., minimizing traffic.
UDP scan using `nmap -sU`
During an internal penetration test, you are tasked with enumerating services on a target server. You run a full TCP port scan and find that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. You then perform version detection on these ports. Which additional enumeration step would provide the most valuable information for identifying potential vulnerabilities?
Perform banner grabbing on port 22 to identify the SSH version.
SSH version information can reveal outdated versions with known exploits.
Perform SNMP enumeration to gather system information.
Attempt a DNS zone transfer from the server.
Enumerate NetBIOS names using `nbtstat`.
A network administrator needs to identify all devices on a large corporate network that are running a specific vulnerable version of OpenSSH. The administrator has network access and can use scanning tools. However, scanning the entire network might disrupt operations. Which approach minimizes disruption while accurately identifying the vulnerable hosts?
Conduct a full TCP port scan of the entire network using SYN scan.
Run a TCP SYN scan on port 22 only, with version detection enabled, across the target IP range.
Scanning only the relevant port with version detection minimizes traffic and focuses on the vulnerable service.
Use a ping sweep to identify live hosts, then perform a version scan on each.
Perform an ARP scan of the entire subnet and then check each host manually.
You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?
Traceroute
Traceroute increments TTL to get ICMP time-exceeded messages from routers, revealing the path.
Banner grabbing
DNS enumeration
SNMP walk
Which TWO types of information can be obtained through SNMP enumeration on a target device if the community string is 'public'? (Choose two.)
List of running processes
SNMP can retrieve hrSWRunTable which lists running processes.
Captured network packets
User account passwords
Modify network interface settings
Routing table entries
SNMP can read the ipRouteTable MIB object.
Want more Scanning Networks and Enumeration practice?
Practice this domainA penetration tester discovers that a target Windows system has port 445 open and responds to SMB requests. Which tool should the tester use to enumerate users, shares, and OS information from this system?
Nikto
Hydra
Nmap
enum4linux
Correct: enum4linux extracts SMB information like users, shares, and OS details.
An ethical hacker is assessing a Linux web server running Apache. The server is suspected to have a remote file inclusion (RFI) vulnerability. Which testing approach is most appropriate to confirm the vulnerability without causing damage?
Craft a request with a local file inclusion parameter pointing to /etc/passwd
This safely confirms RFI by reading a local file, proving the vulnerability.
Use SQLMap to test for SQL injection
Scan the server with Nikto to detect known RFI signatures
Attempt to include a remote URL containing a web shell
During a penetration test, a tester gains access to a Linux system and needs to escalate privileges. The tester finds that the user has sudo privileges to run /usr/bin/less as root without a password. Which technique should the tester use to escalate privileges?
Exploit a kernel vulnerability using a local exploit
Run /usr/bin/less with sudo, then type !/bin/bash to spawn a root shell
less allows command execution via ! when run with elevated privileges.
Use the find command with -exec to execute a shell
Check for world-writable scripts in cron jobs
A security analyst runs a vulnerability scan and finds that a server is vulnerable to CVE-2021-44228 (Log4j). Which of the following is the best immediate remediation step?
Update Log4j to version 2.17.1 or later
Patching directly addresses the vulnerability.
Remove the JndiLookup class from the Log4j jar
Disable JDBC appender in Log4j configuration
Block outbound traffic from the server to the internet
An ethical hacker is testing a web application that uses cookies for session management. The tester notices that the session cookie does not have the HttpOnly or Secure flags set. Which attack is most likely to succeed due to this misconfiguration?
SQL injection
Cross-site request forgery (CSRF)
Session hijacking via cross-site scripting (XSS)
XSS can steal cookies if HttpOnly is not set.
Clickjacking
Which TWO of the following are valid techniques for password cracking?
Brute-force attack
Tries all possible passwords until correct.
Phishing
Man-in-the-middle attack
Rainbow table attack
Uses precomputed hash chains to reverse hashes.
Keylogging
Want more Vulnerability Analysis and System Hacking practice?
Practice this domainA security analyst captures a large number of unique initialization vectors (IVs) from a wireless network using airodump-ng. Which attack are they MOST likely preparing to execute?
WPS PIN brute-force attack
Evil twin AP deployment
WEP key recovery using aircrack-ng
Correct. WEP cracking relies on collecting many unique IVs to exploit statistical weaknesses in the RC4 algorithm.
WPA handshake capture
During a penetration test, an analyst runs the following command: 'reaver -i wlan0mon -b 00:11:22:33:44:55 -vv'. What is the PRIMARY purpose of this command?
Perform a de-authentication attack on the target AP
Capture the 4-way handshake for WPA cracking
Brute-force the WPS PIN to recover the Wi-Fi passphrase
Correct. Reaver performs a brute-force attack on the WPS PIN, exploiting the weak PIN-based authentication.
Scan for nearby access points and their BSSIDs
A cloud security engineer discovers that an S3 bucket named 'acme-backups' is accessible to anyone with the bucket URL. The bucket contains sensitive customer data. Which AWS shared responsibility model component does this misconfiguration primarily violate?
AWS is responsible for physical security of data centers
The customer is responsible for patching the S3 service
The customer is responsible for configuring access controls and permissions
Correct. S3 bucket policies and permissions are customer-managed security controls.
AWS is responsible for network infrastructure; the customer for data classification
An IoT device uses the MQTT protocol without any authentication or encryption. An attacker on the same network subscribes to all topics on the MQTT broker. Which of the following is the MOST effective immediate countermeasure?
Disable the MQTT broker entirely and switch to HTTP
Implement client authentication and enable TLS encryption
Correct. Enforcing authentication and TLS protects the MQTT communication from unauthorized access and sniffing.
Change the default topic names to obfuscated strings
Use a VPN for all IoT device communication
Which cryptographic algorithm is classified as symmetric and uses a block cipher with a fixed block size of 128 bits, supporting key sizes of 128, 192, and 256 bits?
RC4
3DES
AES
Correct. AES is a symmetric block cipher with 128-bit blocks and variable key sizes.
RSA
A security analyst observes the following log entry on a web server: 'GET /?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1'. This request appears to originate from a compromised web application. Which cloud attack technique is being attempted?
Server-Side Request Forgery (SSRF)
Correct. The request to the cloud metadata service is a classic SSRF attack to obtain instance credentials.
SQL Injection
Container escape
Cross-Site Scripting (XSS)
Want more Advanced Topics: Wireless, Cloud, IoT, Cryptography practice?
Practice this domainA penetration tester is performing a footprinting exercise on a target company. The tester wants to identify the network range and ISP of the target. Which of the following tools or techniques is MOST appropriate for this purpose?
Query the Netcraft site for the domain
Perform a WHOIS lookup against the domain
WHOIS provides IP range and ISP info.
Use nslookup to query the authoritative name servers
Run a traceroute to the target web server
During the reconnaissance phase, a tester discovers that the target company's email server is configured to automatically respond to delivery status notifications (DSNs). Which type of attack could this information facilitate?
DNS cache poisoning
Email enumeration
DSN responses can confirm valid addresses.
Man-in-the-middle attack
Phishing attack
A security analyst is tasked with performing passive reconnaissance on a target organization. Which of the following is the BEST approach to gather information about the target's technology stack without directly interacting with the target's systems?
Engage in social engineering via phone calls
Use Shodan to search for target infrastructure
Shodan indexes public data passively.
Initiate a DNS zone transfer request
Perform a port scan with Nmap
An ethical hacker wants to discover subdomains of a target domain using only public information. Which of the following techniques is MOST effective?
Run a traceroute to the main domain
Check the WHOIS record for the domain
Use the site: operator in search engines
Search engines index subdomains.
Perform a reverse DNS lookup on the target IP range
During footprinting, a tester finds that the target's DNS server allows recursive queries from the internet. What is the MOST significant security implication of this finding?
Unauthorized zone transfers are possible
The DNS server can be used for denial of service (amplification)
The DNS cache can be poisoned easily
The DNS server can be used for denial of service
Open recursion enables amplification DDoS.
Which TWO of the following are examples of passive footprinting techniques? (Select exactly 2.)
Performing a ping sweep on the target network
Conducting a port scan with Nmap
Using Google dorking to find exposed documents
Uses search engine index, passive.
Examining job postings for technology clues
Public info gathering, no direct interaction.
Brute forcing subdomains via DNS queries
Want more Footprinting and Reconnaissance practice?
Practice this domainDuring a penetration test, you notice that a web application accepts user input and displays it directly in the browser without sanitization. Which attack is most likely to succeed?
SQL Injection
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Reflected XSS is the direct result of unsanitized input displayed in the browser.
Command Injection
As a network defender, you notice an unusually high number of incomplete TCP three-way handshakes from a single external IP to multiple internal hosts. What is the most likely attack taking place?
UDP flood
SYN flood
SYN flood sends many SYN packets without completing handshake.
ARP spoofing
ICMP flood
A security analyst is configuring a web application firewall (WAF) to protect against SQL injection. Which HTTP parameter location should the analyst focus on to block malicious SQL queries?
Query string parameters
Query string parameters are a common vector for SQL injection.
Request body (POST data)
Cookie headers
User-Agent header
You are performing a web application security assessment and discover that the application uses a hidden form field named 'price' to store the product price. The price is submitted with the form and used to process payments. Which attack would allow you to purchase an item for a lower price?
Directory traversal
Parameter tampering
Parameter tampering modifies hidden fields or URL parameters.
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
A network administrator wants to prevent an attacker from using a network sniffer to capture traffic between a client and a web server. Which protocol should be enforced to encrypt all communication?
SNMP
FTP
HTTPS
HTTPS encrypts data with TLS.
HTTP
Which TWO of the following are common web application vulnerabilities that allow an attacker to inject malicious code? (Select exactly 2)
Brute Force
Cross-Site Scripting (XSS)
XSS injects client-side scripts.
Path Traversal
SQL Injection
SQL injection injects SQL queries.
Cross-Site Request Forgery (CSRF)
Want more Network and Web Application Attacks practice?
Practice this domainA security analyst discovers that an IoT device in a smart building is periodically sending small DNS queries to an external domain known for command-and-control activity. Which security control should be implemented to detect and block such traffic without disrupting legitimate operations?
Install a host-based firewall on the IoT device to restrict outbound traffic.
Deploy an intrusion detection system (IDS) on the network to alert on suspicious DNS queries.
Configure egress filtering on the firewall to block outbound connections to known malicious domains.
Egress filtering prevents malicious outbound traffic.
Disable DNS resolution on the IoT device to prevent any external communication.
A cloud security engineer notices that an S3 bucket containing sensitive customer data is configured with a bucket policy that allows 'Principal': '*' and 'Action': 's3:GetObject'. The bucket is not publicly accessible via the AWS Management Console, but the engineer is concerned about data exposure. What is the most likely risk?
Anyone on the internet can read objects in the bucket if they know the object URL.
Public read access is granted to all objects.
The data is encrypted at rest, so no exposure risk exists.
The bucket policy is misconfigured but only affects objects with server-side encryption.
Only authenticated AWS users can access the bucket, so the risk is limited.
During a penetration test of a corporate wireless network, you capture a WPA2 handshake and successfully recover the PSK. Later, you notice that some clients are using WPA3-Personal. Which attack could be used to downgrade a WPA3 client to WPA2 and capture its handshake?
Perform a PMKID attack on the WPA3 client to capture the handshake.
Use a WPS PIN brute-force attack against the WPA3 client.
Send deauthentication packets to the WPA3 client and capture the reconnection handshake.
Set up a rogue access point broadcasting a WPA2 network with the same SSID, forcing the client to reconnect using WPA2.
Rogue AP can entice client to downgrade.
A company deploys IoT sensors in a remote facility with limited bandwidth. The sensors send small data packets every few seconds. Which wireless technology is most appropriate for this application?
4G LTE
Wi-Fi 6
Bluetooth 5
LoRaWAN
Optimized for low-power, long-range IoT.
A security analyst detects multiple failed authentication attempts on a cloud-based SSH server from a single IP address. The analyst implements a rule to block that IP. However, the attacks continue from different IPs. Which additional control should be implemented to reduce the attack surface?
Disable password authentication and use SSH key-based authentication.
Keys are resistant to brute-force.
Install fail2ban to automatically block IPs after failures.
Implement rate-limiting on SSH connections per IP.
Change the SSH port to a non-standard port.
During a wireless penetration test, you discover that the target network uses WPA2-Enterprise with PEAP-MSCHAPv2. You capture the authentication traffic of a legitimate user. Which attack can you perform to recover the user's domain credentials?
Decrypt the traffic using the captured handshake to get the credentials.
WPS PIN brute-force to recover the PSK.
PMKID attack to crack the pre-shared key.
Set up a rogue RADIUS server to capture the challenge-response and perform an offline brute-force attack.
Rogue RADIUS can capture hashes for cracking.
Want more Wireless, IoT and Cloud Security practice?
Practice this domainA security analyst receives an alert about a suspicious file hash. The analyst wants to check if the file is known malware by querying an online database of malware signatures. Which tool should the analyst use?
Nmap
John the Ripper
VirusTotal
VirusTotal accepts file hashes and returns detection results from many AV engines.
Wireshark
During a penetration test, an ethical hacker finds that a web application transmits sensitive data in plaintext over HTTPS. Which of the following best describes this security issue?
Weak TLS cipher suite
Lack of application-layer encryption
The data is encrypted in transit but not at rest or before being sent; the application does not encrypt sensitive fields.
SSL stripping attack
Man-in-the-middle attack
A company's internal PKI uses an offline root CA and an online issuing CA. A security engineer needs to revoke a compromised certificate issued by the online CA. Which CRL distribution point should the engineer update?
The CRL published by the certificate authority that signed the issuing CA's certificate
The CRL published by the intermediate CA, if any
The CRL published by the online issuing CA
The issuing CA is responsible for revoking certificates it issued.
The CRL published by the offline root CA
A security analyst suspects that a user's machine is infected with a keylogger. Which of the following is the most effective method to detect a hardware keylogger?
Check running processes for suspicious entries
Physically inspect the connection between the keyboard and the computer
Hardware keyloggers are physical devices inserted inline.
Review USB device history in Event Viewer
Run an antivirus scan
An ethical hacker is analyzing a piece of malware that uses a custom encryption algorithm. The malware sample contains a hardcoded key that is 16 bytes long. The analyst observes that the encrypted data is the same length as the plaintext. Which encryption mode is most likely being used?
GCM
CFB
ECB
ECB encrypts each block independently; no IV, no expansion beyond padding.
CBC
During a forensic investigation, an analyst finds that a malware sample uses a technique to detect if it is running in a sandbox by checking the number of CPU cores. The malware terminates execution if the core count is less than 2. Which anti-analysis technique is this?
Code obfuscation
Anti-debugging
Anti-VM / sandbox evasion
Checking for low resource counts is a common sandbox evasion technique.
Packing
Want more Cryptography and Malware Analysis practice?
Practice this domainA penetration tester is assessing an organization's physical security. The tester wants to gain unauthorized access to a secured server room that uses a biometric fingerprint scanner. Which of the following techniques would be MOST effective for bypassing the biometric scanner?
Shoulder surfing the authorized user's fingerprint pattern
Picking the lock on the server room door
Using a gelatin mold of an authorized user's fingerprint
Gelatin molds can create replicas of fingerprints that may be accepted by some scanners.
Tailgating behind an authorized employee
During a social engineering engagement, a tester calls the help desk posing as an employee from the IT department. The tester claims to be working on a critical system update and needs the employee's password to proceed. Which type of social engineering attack is being executed?
Quid pro quo
Baiting
Pretexting
Pretexting involves creating a false identity or scenario to extract information.
Phishing
Which of the following is the BEST defense against tailgating attacks in a secure facility?
Hiring security guards
Reviewing keycard access logs
Installing CCTV cameras
Implementing a mantrap at the entrance
Mantraps physically enforce one-person entry, preventing tailgating.
An employee receives an email that appears to be from the CEO, asking the employee to urgently wire funds to a vendor. The email address is slightly misspelled. What type of social engineering attack is this?
Pharming
Spear phishing
Whaling
Whaling targets senior executives or impersonates them.
Vishing
Which TWO of the following are effective methods to prevent dumpster diving attacks? (Choose two.)
Storing all data on encrypted digital media only
Shredding sensitive documents before disposal
Shredding renders documents unreadable.
Using locked bins for discarded materials
Locked bins restrict physical access.
Placing documents in recycling bins
Burning all discarded paper documents
Which THREE of the following are common indicators of a social engineering attack? (Choose three.)
The communication includes verifiable contact information
The sender uses a generic greeting like 'Dear Customer'
The communication creates a sense of urgency
Attackers often pressure targets to act quickly.
The message contains spelling or grammatical errors
Errors can indicate a fake message.
The request comes from someone claiming to be in authority
Impersonating authority figures is common.
Want more Social Engineering and Physical Security practice?
Practice this domainThe CEH exam has 125 questions and must be completed in 240 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 13 domains: Footprinting, Reconnaissance and Scanning, Enumeration and System Hacking, Malware, Social Engineering and Network Attacks, Web Application and Injection Attacks, Introduction to Ethical Hacking, Scanning Networks and Enumeration, Vulnerability Analysis and System Hacking, Advanced Topics: Wireless, Cloud, IoT, Cryptography, Footprinting and Reconnaissance, Network and Web Application Attacks, Wireless, IoT and Cloud Security, Cryptography and Malware Analysis, Social Engineering and Physical Security. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official EC-Council CEH exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.