Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCEHExam Questions

EC-Council · Free Practice Questions · Last reviewed May 2026

CEH Exam Questions and Answers

78real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

125 exam questions
240 min time limit
Pass: 700/1000 / 1000
13 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1. Footprinting, Reconnaissance and Scanning2. Enumeration and System Hacking3. Malware, Social Engineering and Network Attacks4. Web Application and Injection Attacks5. Introduction to Ethical Hacking6. Scanning Networks and Enumeration7. Vulnerability Analysis and System Hacking8. Advanced Topics: Wireless, Cloud, IoT, Cryptography9. Footprinting and Reconnaissance10. Network and Web Application Attacks11. Wireless, IoT and Cloud Security12. Cryptography and Malware Analysis13. Social Engineering and Physical Security
1

Domain 1: Footprinting, Reconnaissance and Scanning

All Footprinting, Reconnaissance and Scanning questions
Q1
mediumFull explanation →

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

A

Perform a full TCP connect scan with UDP service detection on all ports

B

Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting

-sS = SYN/stealth scan, -sV = version detection, -O = OS fingerprinting, -p 22,80,443,3389 = scan only these four ports. This is a targeted reconnaissance scan.

C

Perform an aggressive scan of all open ports and enumerate SMB shares

D

Perform a UDP scan on the four specified ports and identify running services

Why: Option B is correct because the `-sS` flag initiates a TCP SYN stealth scan, `-sV` enables service version detection, and `-O` attempts OS fingerprinting. The `-p 22,80,443,3389` limits the scan to those four ports, and the target `192.168.1.0/24` scans the entire Class C subnet. This combination performs a half-open scan on the specified ports, probes for application versions, and tries to identify the operating system of each live host.
Q2
easyFull explanation →

During a passive reconnaissance phase, a penetration tester uses a tool to gather email addresses, subdomains, and employee names associated with a target domain without directly interacting with the target's systems. Which tool is BEST suited for this purpose?

A

theHarvester

theHarvester is a passive OSINT tool that collects emails, subdomains, IPs, and names from public sources like Google, Bing, and LinkedIn.

B

Nmap

C

Netcat

D

Wireshark

Why: theHarvester is specifically designed for passive reconnaissance by querying public sources such as search engines (Google, Bing), PGP key servers, and the Shodan API to collect email addresses, subdomains, and employee names without sending any packets directly to the target's infrastructure. This aligns perfectly with the requirement of gathering OSINT data without direct interaction.
Q3
mediumFull explanation →

A security analyst notices unusual outbound traffic from an internal server to a known malicious IP address on port 4444. The server is running a web application that was recently scanned using a vulnerability scanner. Which of the following is the MOST likely cause?

A

The server is performing a DNS lookup to resolve the malicious IP address

B

The web application is sending log data to a SIEM system for analysis

C

A vulnerability discovered during the scan was exploited, establishing a reverse shell connection to the attacker

Port 4444 is commonly used for reverse shells. Outbound traffic to a malicious IP on this port indicates successful exploitation and a backdoor connection.

D

The vulnerability scan caused a false positive and triggered a legitimate backup process

Why: Option C is correct because outbound traffic on port 4444 from an internal server to a known malicious IP is a classic indicator of a reverse shell connection. A reverse shell is a common post-exploitation technique where an attacker forces the victim server to connect back to their listener, often on high ports like 4444, bypassing inbound firewall rules. The timing after a vulnerability scan strongly suggests that a discovered vulnerability (e.g., command injection, RCE) was exploited to establish this shell.
Q4
hardFull explanation →

During a penetration test, you execute the following command: dnsrecon -d example.com -t axfr. The output shows 'AXFR record received' followed by a list of all DNS records. What does this indicate about the target's DNS configuration?

A

The DNS server is using DNSSEC to secure zone transfers

B

The DNS server is vulnerable to zone transfer attacks, allowing unauthorized users to retrieve the entire zone file

A successful AXFR to an unauthenticated client indicates a misconfiguration that exposes internal network details.

C

The DNS server is properly configured and only allows zone transfers to authorized secondary servers

D

The target uses a split-DNS configuration with internal and external views

Why: The successful execution of `dnsrecon -d example.com -t axfr` and the receipt of an AXFR (full zone transfer) response indicates that the target DNS server is misconfigured to allow zone transfers from any host. A properly secured DNS server should restrict AXFR queries to only authorized secondary (slave) servers, typically by IP address or TSIG (Transaction Signature) keys. Since the command was run from an unauthorized client, this confirms a zone transfer vulnerability, allowing an attacker to retrieve the entire DNS zone file, which reveals all hostnames, IP addresses, and service records.
Q5
easyFull explanation →

Which Google dork would a penetration tester use to find login pages of websites that have 'admin' in the URL?

A

site:admin login

B

filetype:pdf admin login

C

intitle:"login" inurl:admin

D

inurl:"admin" inurl:"login"

inurl:admin finds URLs containing 'admin', and inurl:login finds URLs containing 'login'. Combined, they find login pages with 'admin' in the URL.

Why: Option D is correct because the Google dork `inurl:"admin" inurl:"login"` specifically searches for pages where both 'admin' and 'login' appear in the URL. This is a precise way to find login pages on administrative interfaces, as it targets URLs containing both terms, which is a common pattern for admin login portals.
Q6
mediumFull explanation →

A security team wants to identify all live hosts on a large, Class B private IP network (172.16.0.0/16) as quickly as possible while minimizing network load. Which tool and technique should they use?

A

Masscan with --ping to send ICMP echo requests across the /16 range

Masscan can send ICMP echo requests at very high rates, making it ideal for fast host discovery on large networks.

B

Use theHarvester to query DNS records for the domain

C

Nmap with -sn (ping sweep) on all 65536 IPs

D

hping3 with --icmp on each IP sequentially

Why: Masscan is designed for high-speed scanning and can send ICMP echo requests across a /16 range (65,536 IPs) in seconds, far faster than Nmap or hping3, while its --ping mode minimizes network load by using stateless packet transmission. This makes it the optimal choice for quickly identifying live hosts on a large private network without overwhelming the network.

Want more Footprinting, Reconnaissance and Scanning practice?

Practice this domain
2

Domain 2: Enumeration and System Hacking

All Enumeration and System Hacking questions
Q1
easyFull explanation →

A security analyst wants to enumerate NetBIOS names on a Windows network. Which built-in Windows command-line tool should they use?

A

nslookup

B

netstat

C

nbtstat

nbtstat is the correct command for NetBIOS name resolution and enumeration.

D

net view

Why: The nbtstat command is the correct built-in Windows tool for enumerating NetBIOS names because it directly queries and displays NetBIOS over TCP/IP (NetBT) statistics, name tables, and caches. NetBIOS name enumeration relies on the NBT protocol (RFC 1001/1002), and nbtstat -a or -A retrieves the remote machine's NetBIOS name table, which includes service types like file sharing, messaging, and workstation services.
Q2
easyFull explanation →

During a penetration test, you gain access to a target system as a low-privileged user. Which of the following is the BEST next step according to the CEH system hacking methodology (CHPSET)?

A

Execute applications to extract data

B

Hide files to conceal tools and data

C

Erase event logs to avoid detection

D

Escalate privileges to gain higher-level access

Privilege escalation is the third step in CHPSET, following cracking passwords and hiding files, and is appropriate after initial low-privileged access.

Why: The CEH methodology follows: Cracking passwords, Hiding files, Privilege escalation, Executing applications, Spying, Erasing tracks. After gaining initial access as a low-privileged user, the next logical step is to escalate privileges to gain higher access (e.g., administrator or root).
Q3
mediumFull explanation →

A security analyst observes a suspicious SUID binary /usr/bin/evil in a Linux system. Which type of vulnerability does this indicate, and what is the MOST likely objective of an attacker who placed it?

A

Information disclosure; read sensitive files

B

Privilege escalation; gain root access

SUID binaries allow execution with elevated permissions; a root-owned SUID binary can be used to escalate to root.

C

Denial of service; crash the system

D

Buffer overflow; execute arbitrary code

Why: A SUID binary owned by root that is not part of the standard OS distribution (like /usr/bin/evil) is a classic indicator of a privilege escalation backdoor. The SUID bit allows any user who executes the binary to run it with the owner's permissions—in this case, root—so the attacker's objective is to gain root access by executing this binary.
Q4
mediumFull explanation →

A penetration tester runs the following command against a target Linux server: smbclient -L 192.168.1.10 -N. The output lists several shares including 'Admin$', 'C$', and 'IPC$'. Which of the following is the MOST likely next step for further enumeration?

A

Use enum4linux -a 192.168.1.10 to enumerate users and policies

enum4linux is a tool for SMB enumeration; -a runs all enumeration options, which is appropriate after discovering shares.

B

Attempt to crack the administrator password using a dictionary attack

C

Perform a port scan to check for open ports

D

Run snmpwalk to retrieve SNMP community strings

Why: The `smbclient -L` command with the `-N` flag (null session) successfully lists SMB shares on the target, including administrative shares like `Admin$`, `C$`, and `IPC$`. This indicates that null session authentication is enabled, which is a classic entry point for SMB enumeration. The most logical next step is to use `enum4linux -a` to extract detailed information such as user lists, group policies, and share permissions, leveraging the same null session to deepen the enumeration without yet attempting password attacks.
Q5
mediumFull explanation →

An attacker uses the VRFY command on an SMTP server to check the existence of email addresses. The server responds with '250 OK' for 'admin@company.com' and '550 No such user' for 'fake@company.com'. Which SMTP enumeration technique is being used?

A

EXPN enumeration

B

SMTP banner grabbing

C

RCPT TO enumeration

D

VRFY enumeration

The VRFY command verifies whether a mailbox exists, and the response codes confirm this technique.

Why: The VRFY command is an SMTP command defined in RFC 821 that asks the server to verify whether a given email address exists. When the server responds with '250 OK' for a valid address and '550 No such user' for an invalid one, the attacker is directly using the VRFY command to enumerate valid users. This is explicitly known as VRFY enumeration.
Q6
mediumFull explanation →

A security analyst finds multiple failed login attempts in the system logs, followed by a successful login from an unusual IP address. The attacker then deleted the log entries for that session. Which step of the system hacking methodology (CHPSET) does the log deletion represent?

A

Spying

B

Executing applications

C

Cracking passwords

D

Erasing tracks

Deleting log entries is a classic example of erasing tracks to avoid detection.

Why: The log deletion represents the 'Erasing tracks' step in the CHPSET methodology. After gaining unauthorized access, attackers must cover their footprints by removing evidence of their activities, such as clearing system logs, modifying timestamps, or deleting audit trails. This ensures the intrusion remains undetected by system administrators or security monitoring tools.

Want more Enumeration and System Hacking practice?

Practice this domain
3

Domain 3: Malware, Social Engineering and Network Attacks

All Malware, Social Engineering and Network Attacks questions
Q1
mediumFull explanation →

A security analyst notices a high volume of ICMP Echo Reply packets on the network. The source IPs are varied, but the destination IP is the same. Which type of attack is MOST likely occurring?

A

UDP flood

B

Ping of Death

C

Smurf attack

Correct. The large number of ICMP Echo Replies from multiple sources to a single target is characteristic of a Smurf attack.

D

ICMP flood

Why: A Smurf attack sends ICMP Echo Request packets to a network broadcast address with a spoofed source IP (the target). All hosts on the network reply to the target, flooding it with ICMP Echo Replies.
Q2
easyFull explanation →

A user receives a phone call from someone claiming to be from IT support, asking for their password to troubleshoot an issue. Which social engineering technique is being used?

A

Phishing

B

Pretexting

Correct. The attacker uses a false pretext (IT support) to obtain sensitive information.

C

Baiting

D

Vishing

Why: Pretexting involves creating a fabricated scenario (pretext) to obtain information. Here the attacker pretends to be IT support to trick the user into revealing their password.
Q3
mediumFull explanation →

Which tool would a penetration tester MOST likely use to perform ARP poisoning and conduct a man-in-the-middle attack on a local network?

A

Wireshark

B

Nmap

C

tcpdump

D

Ettercap

Correct. Ettercap is specifically designed for MITM attacks using ARP poisoning.

Why: Ettercap is a comprehensive suite for man-in-the-middle attacks, including ARP poisoning, DNS spoofing, and packet sniffing.
Q4
hardFull explanation →

An analyst observes the following output from Wireshark: a TCP packet with the SYN flag set, followed by a SYN-ACK, then an ACK, and then a RST. The sequence numbers show a pattern: initial seq=100, ack=300, then seq=300, ack=101. What is the MOST likely interpretation?

A

An attacker is performing TCP sequence prediction to hijack the session.

Correct. The sequence numbers show successful prediction, and the RST may be used to reset the connection after hijacking.

B

A normal TCP connection establishment followed by an immediate termination.

C

A man-in-the-middle attack using ARP spoofing.

D

A TCP SYN flood attack is in progress.

Why: The sequence numbers (100, 300) suggest the attacker correctly guessed the TCP sequence numbers to spoof a connection. The three-way handshake completes (SYN, SYN-ACK, ACK), then the attacker sends a RST to close. This is indicative of TCP sequence prediction attack (session hijacking attempt).
Q5
mediumFull explanation →

A security team discovers a file named 'svchost.exe' in a user's Temp folder. The file is signed by 'Microsoft Corporation' but the digital signature validation fails. Which analysis method should be used FIRST to determine if it's malicious?

A

Upload to VirusTotal

B

Dynamic analysis in a sandbox

C

Static analysis using strings and PEiD

Correct. Static analysis can reveal suspicious strings, packed executables, or invalid signatures without execution.

D

Run the file on a production system to observe behavior

Why: Static analysis (e.g., examining strings, digital signatures, PE headers) is the first step because it is safe and can quickly identify suspicious indicators without executing the file.
Q6
mediumFull explanation →

An organization is experiencing repeated DDoS attacks that consume all available bandwidth. Which mitigation technique is MOST effective for handling such volumetric attacks?

A

Blackholing all traffic to the target IP

B

Anycast network distribution

C

Rate limiting on the firewall

D

Scrubbing centers

Correct. Scrubbing centers are designed to filter out attack traffic and allow clean traffic through.

Why: Scrubbing centers filter malicious traffic and forward clean traffic to the target, handling high-volume attacks effectively.

Want more Malware, Social Engineering and Network Attacks practice?

Practice this domain
4

Domain 4: Web Application and Injection Attacks

All Web Application and Injection Attacks questions
Q1
mediumFull explanation →

A security analyst notices that the web application returns different response times when a valid username is submitted versus an invalid one during login. Which type of vulnerability is likely being exploited?

A

Time-based SQL injection

Time-based SQL injection uses database delay functions (e.g., SLEEP()) to infer information based on response times.

B

Reflected XSS

C

Blind boolean-based SQL injection

D

CSRF

Why: Time-based SQL injection involves injecting SQL code that causes the database to pause if a condition is true, allowing an attacker to infer information based on response times. The observed difference in response times for valid vs. invalid usernames is characteristic of this technique.
Q2
easyFull explanation →

Which of the following tools is commonly used to automate the detection and exploitation of SQL injection vulnerabilities?

A

SQLMap

SQLMap is designed to automate SQL injection detection and exploitation.

B

Metasploit

C

Nmap

D

Burp Suite

Why: SQLMap is a widely used open-source tool that automates the process of detecting and exploiting SQL injection flaws in web applications.
Q3
hardFull explanation →

A penetration tester intercepts the following request using Burp Suite: POST /change_password HTTP/1.1 Host: example.com Cookie: sessionid=abc123; SameSite=Lax Content-Type: application/x-www-form-urlencoded new_password=Hacker123 The tester successfully crafts a CSRF attack by embedding a hidden form in a malicious page. Which mitigation is most likely missing?

A

SameSite=Strict

B

HTTPOnly flag

C

Secure flag

D

CSRF token

A CSRF token would prevent the attack because the malicious site cannot guess the token.

Why: The presence of a SameSite cookie set to Lax does not prevent CSRF for state-changing requests like password change if the attack uses a GET or POST from a top-level navigation. However, the primary missing mitigation is a CSRF token, which is a unique unpredictable value tied to the session and validated by the server.
Q4
mediumFull explanation →

A web application allows users to upload profile pictures. An attacker uploads a file named "profile.php" containing malicious PHP code. When the attacker visits the uploaded file's URL, the code executes. Which vulnerability is being exploited?

A

Directory traversal

B

Command injection

C

File upload vulnerability

The attacker uploaded a malicious PHP file that executes, indicating a file upload vulnerability.

D

Stored XSS

Why: The application fails to validate the file type or restrict execution, allowing a malicious PHP file to be uploaded and executed on the server, which is a classic file upload vulnerability leading to remote code execution.
Q5
mediumFull explanation →

An analyst observes the following log entry on a web server: GET /../../etc/passwd HTTP/1.1 200. Which type of attack is indicated?

A

Directory traversal

The use of '../' to access files outside the web root is directory traversal.

B

SSRF

C

LFI

D

Command injection

Why: The log shows a request attempting to traverse directories using '../' to access a sensitive system file (/etc/passwd), which is directory traversal.
Q6
hardFull explanation →

During a penetration test, a tester uses the following payload in a search field: <script>alert(document.cookie)</script>. The payload is reflected in the response without sanitization. However, the tester notices that the attack only works when the payload is submitted via a POST request, not GET. Which type of XSS is this?

A

Stored XSS

B

Reflected XSS

The payload is reflected immediately, making it reflected XSS.

C

DOM-based XSS

D

Self-XSS

Why: Reflected XSS occurs when the payload is reflected immediately in the response. The fact that it works via POST but not GET does not change the classification; it is still reflected XSS because the payload is not stored on the server. Some reflected XSS may be triggered only via POST parameters.

Want more Web Application and Injection Attacks practice?

Practice this domain
5

Domain 5: Introduction to Ethical Hacking

All Introduction to Ethical Hacking questions
Q1
mediumFull explanation →

A security analyst suspects that an attacker is scanning their network. They notice a large number of TCP SYN packets being sent to various ports on a single host, but no SYN-ACK responses are returned. Which type of scan is most likely being used?

A

TCP connect scan

B

UDP scan

C

SYN scan

SYN scan sends SYN packets; lack of SYN-ACK indicates filtered/closed ports.

D

FIN scan

Why: C is correct because a SYN scan (also known as a half-open scan) sends TCP SYN packets to target ports and does not complete the three-way handshake. If no SYN-ACK is returned, it indicates the port is filtered or the host is not responding, which matches the scenario where the attacker receives no SYN-ACK responses. This scan is stealthier than a full TCP connect scan because it never establishes a full connection.
Q2
hardFull explanation →

During a penetration test, an ethical hacker needs to evade an IDS that detects port scans based on the number of packets per second. Which technique would be most effective to avoid detection?

A

Use random source ports

B

Use a decoy scan

C

Slow down the scan rate

Reducing packets per second avoids triggering rate-based IDS thresholds.

D

Use fragmented packets

Why: Option C is correct because slowing down the scan rate reduces the number of packets sent per second below the IDS threshold, allowing the scan to blend in with normal traffic. IDS systems like Snort use packet-per-second (pps) counters to detect port scans; by spacing out packets over a longer period, the scan avoids triggering these rate-based alerts.
Q3
easyFull explanation →

A company wants to test the security of its web application by simulating attacks from an external perspective. They have no prior knowledge of the internal network or application architecture. Which type of test should they perform?

A

Black-box test

Black-box test simulates an external attacker with no prior knowledge.

B

White-box test

C

Red team engagement

D

Gray-box test

Why: A black-box test is the correct choice because the company has no prior knowledge of the internal network or application architecture. This simulates an external attacker with zero insider information, testing the application from an outsider's perspective without access to source code, network diagrams, or credentials. The test relies solely on publicly available information and direct interaction with the application's interfaces.
Q4
mediumFull explanation →

Which TWO of the following are recognized phases of the Ethical Hacking process? (Select TWO.)

A

Maintaining Access

Maintaining Access is a phase after gaining access.

B

Scanning

C

Reconnaissance

Reconnaissance is the first phase of ethical hacking.

D

Hiding Evidence

E

Cracking

Why: Maintaining Access is a recognized phase in the Ethical Hacking process, as defined by the EC-Council's CEH methodology. After gaining initial access, the ethical hacker must establish persistent access to the target system, often by installing backdoors, rootkits, or creating user accounts. This phase ensures the hacker can return to the system without repeating the exploitation steps, which is critical for simulating a real attacker's long-term presence.
Q5
hardFull explanation →

Refer to the exhibit. An ethical hacker runs the shown Nmap scan against a target. Which port state indicates that the port is reachable but no service is listening?

A

open

B

closed

Closed means reachable but no service listening.

C

filtered

D

unfiltered

Why: Option B is correct because a 'closed' port in Nmap indicates that the target host responded with a TCP RST (Reset) packet, meaning the port is reachable and the host is alive, but no application is listening on that port. This state confirms the port is accessible (not filtered by a firewall) yet no service is bound to it.
Q6
mediumFull explanation →

You are an ethical hacker hired to assess the security of a mid-sized company's internal network. The company has three departments: Sales, Engineering, and HR, each on separate VLANs. The network uses a single firewall with default-deny rules, but inter-VLAN routing is allowed for specific ports (e.g., HR needs to access Sales database on TCP 1433). During reconnaissance, you discover that the Engineering VLAN has a web server running on port 80 that is accessible from all VLANs. You also find that the Sales VLAN has a file share (SMB) on port 445 that is accessible only from HR. The firewall logs show numerous failed SSH attempts from an external IP to the Engineering web server. Which action should you recommend as the most effective immediate step to reduce the attack surface?

A

Implement a password policy requiring complex passwords for all users.

B

Enable two-factor authentication on the web server.

C

Apply the latest security patches to the web server.

D

Restrict access to the Engineering web server to only the Engineering VLAN.

This immediately reduces the attack surface by limiting unnecessary access.

Why: Option D is correct because the Engineering web server is unnecessarily exposed to all VLANs, including potentially compromised segments. By restricting access to only the Engineering VLAN, you eliminate the attack surface from the Sales and HR VLANs, which is the most immediate and effective reduction in exposure. This aligns with the principle of least privilege and network segmentation, directly mitigating the risk of lateral movement from other VLANs.

Want more Introduction to Ethical Hacking practice?

Practice this domain
6

Domain 6: Scanning Networks and Enumeration

All Scanning Networks and Enumeration questions
Q1
mediumFull explanation →

During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?

A

A stateful firewall is blocking inbound SYN packets to port 80 but allowing responses to outbound connections.

Stateful firewalls track connection states; they may block unsolicited SYN but allow replies.

B

The web server is running on a non-standard port that you did not scan.

C

The server's TCP/IP stack is misconfigured and does not respond to SYN scans.

D

A web application firewall is blocking the SYN scan traffic.

Why: A stateful firewall tracks the state of network connections. When you browse to the server, your browser initiates an outbound TCP connection, and the firewall allows the return SYN-ACK packets as part of the established session. However, a standalone TCP SYN scan sends unsolicited SYN packets to port 80, which the firewall sees as a new inbound connection attempt and blocks, preventing the server from responding. The server's ICMP echo reply is allowed because ICMP is stateless and not typically filtered by the same rules.
Q2
easyFull explanation →

A security analyst is using Nmap to scan a network segment 192.168.1.0/24 and wants to identify live hosts without sending packets to every IP. Which scan type should the analyst use to minimize network traffic while discovering active hosts?

A

TCP SYN scan using `nmap -sS`

B

ARP scan using `nmap -PR`

C

Ping sweep using `nmap -sn`

`-sn` disables port scan and sends only ICMP echo, TCP SYN to port 443, etc., minimizing traffic.

D

UDP scan using `nmap -sU`

Why: Option C is correct because `nmap -sn` (ping sweep) sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default, allowing the analyst to discover live hosts without scanning every port or sending packets to every IP individually. This minimizes network traffic compared to full port scans while still efficiently identifying active devices on the 192.168.1.0/24 subnet.
Q3
hardFull explanation →

During an internal penetration test, you are tasked with enumerating services on a target server. You run a full TCP port scan and find that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. You then perform version detection on these ports. Which additional enumeration step would provide the most valuable information for identifying potential vulnerabilities?

A

Perform banner grabbing on port 22 to identify the SSH version.

SSH version information can reveal outdated versions with known exploits.

B

Perform SNMP enumeration to gather system information.

C

Attempt a DNS zone transfer from the server.

D

Enumerate NetBIOS names using `nbtstat`.

Why: Banner grabbing on port 22 (SSH) is the most valuable next step because it directly identifies the SSH server version (e.g., OpenSSH 7.4). Knowing the exact version allows you to cross-reference known vulnerabilities (CVEs) for that specific SSH implementation, which is a common high-risk attack vector during internal penetration tests. While version detection already identified the service, banner grabbing can reveal additional details like patch levels or configuration quirks that version detection might miss.
Q4
mediumFull explanation →

A network administrator needs to identify all devices on a large corporate network that are running a specific vulnerable version of OpenSSH. The administrator has network access and can use scanning tools. However, scanning the entire network might disrupt operations. Which approach minimizes disruption while accurately identifying the vulnerable hosts?

A

Conduct a full TCP port scan of the entire network using SYN scan.

B

Run a TCP SYN scan on port 22 only, with version detection enabled, across the target IP range.

Scanning only the relevant port with version detection minimizes traffic and focuses on the vulnerable service.

C

Use a ping sweep to identify live hosts, then perform a version scan on each.

D

Perform an ARP scan of the entire subnet and then check each host manually.

Why: Option B is correct because it targets only TCP port 22 (the default SSH port) with a SYN scan, which is stealthier and faster than a full connect scan, and enables version detection to identify the specific vulnerable OpenSSH version. This minimizes disruption by avoiding scanning unnecessary ports and reduces network load, while accurately pinpointing vulnerable hosts.
Q5
easyFull explanation →

You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?

A

Traceroute

Traceroute increments TTL to get ICMP time-exceeded messages from routers, revealing the path.

B

Banner grabbing

C

DNS enumeration

D

SNMP walk

Why: Traceroute is the correct technique because it is specifically designed to map the path packets take from a source to a destination by manipulating the Time-to-Live (TTL) field in IP headers. As each hop decrements the TTL, routers along the path send ICMP Time Exceeded messages (or UDP responses in some implementations), revealing their IP addresses and thus identifying intermediate devices like routers and firewalls.
Q6
hardFull explanation →

Which TWO types of information can be obtained through SNMP enumeration on a target device if the community string is 'public'? (Choose two.)

A

List of running processes

SNMP can retrieve hrSWRunTable which lists running processes.

B

Captured network packets

C

User account passwords

D

Modify network interface settings

E

Routing table entries

SNMP can read the ipRouteTable MIB object.

Why: SNMP enumeration with the default 'public' community string (read-only access) allows querying MIB objects that expose system information. The 'hostResources' MIB (RFC 2790) includes the 'hrSWRunTable', which lists running processes, and the 'ipRouteTable' (RFC 1213) provides routing table entries. These are standard read-only OIDs accessible without authentication.

Want more Scanning Networks and Enumeration practice?

Practice this domain
7

Domain 7: Vulnerability Analysis and System Hacking

All Vulnerability Analysis and System Hacking questions
Q1
easyFull explanation →

A penetration tester discovers that a target Windows system has port 445 open and responds to SMB requests. Which tool should the tester use to enumerate users, shares, and OS information from this system?

A

Nikto

B

Hydra

C

Nmap

D

enum4linux

Correct: enum4linux extracts SMB information like users, shares, and OS details.

Why: enum4linux is a tool specifically designed to enumerate information from Windows and Samba systems via SMB. It leverages the SMB protocol to extract users, shares, OS details, and other system information from a target with port 445 open, making it the correct choice for this scenario.
Q2
mediumFull explanation →

An ethical hacker is assessing a Linux web server running Apache. The server is suspected to have a remote file inclusion (RFI) vulnerability. Which testing approach is most appropriate to confirm the vulnerability without causing damage?

A

Craft a request with a local file inclusion parameter pointing to /etc/passwd

This safely confirms RFI by reading a local file, proving the vulnerability.

B

Use SQLMap to test for SQL injection

C

Scan the server with Nikto to detect known RFI signatures

D

Attempt to include a remote URL containing a web shell

Why: Option A is correct because it uses a local file inclusion (LFI) parameter to test for file inclusion without causing damage. By attempting to include /etc/passwd, the tester can verify if the server processes user-supplied input to include files, which is a direct indicator of an RFI vulnerability if the server returns the file contents. This approach is safe and non-destructive, as it only reads a standard system file.
Q3
hardFull explanation →

During a penetration test, a tester gains access to a Linux system and needs to escalate privileges. The tester finds that the user has sudo privileges to run /usr/bin/less as root without a password. Which technique should the tester use to escalate privileges?

A

Exploit a kernel vulnerability using a local exploit

B

Run /usr/bin/less with sudo, then type !/bin/bash to spawn a root shell

less allows command execution via ! when run with elevated privileges.

C

Use the find command with -exec to execute a shell

D

Check for world-writable scripts in cron jobs

Why: Option B is correct because when a user has sudo privileges to run /usr/bin/less as root without a password, the tester can leverage the fact that less can execute shell commands from within its interface. By running 'sudo /usr/bin/less' and then typing '!/bin/bash', the tester spawns a root shell, effectively escalating privileges to root.
Q4
easyFull explanation →

A security analyst runs a vulnerability scan and finds that a server is vulnerable to CVE-2021-44228 (Log4j). Which of the following is the best immediate remediation step?

A

Update Log4j to version 2.17.1 or later

Patching directly addresses the vulnerability.

B

Remove the JndiLookup class from the Log4j jar

C

Disable JDBC appender in Log4j configuration

D

Block outbound traffic from the server to the internet

Why: Option A is correct because CVE-2021-44228 (Log4Shell) is a remote code execution vulnerability in Apache Log4j versions 2.0 through 2.14.1, triggered by JNDI lookups in log messages. Updating to Log4j 2.17.1 or later fully patches the flaw by disabling JNDI lookups by default and fixing the LDAP deserialization vector. This is the vendor-recommended immediate remediation step as it addresses the root cause without relying on workarounds.
Q5
mediumFull explanation →

An ethical hacker is testing a web application that uses cookies for session management. The tester notices that the session cookie does not have the HttpOnly or Secure flags set. Which attack is most likely to succeed due to this misconfiguration?

A

SQL injection

B

Cross-site request forgery (CSRF)

C

Session hijacking via cross-site scripting (XSS)

XSS can steal cookies if HttpOnly is not set.

D

Clickjacking

Why: Option C is correct because the absence of the HttpOnly flag allows JavaScript to access the session cookie via `document.cookie`. An attacker can exploit a cross-site scripting (XSS) vulnerability to steal the cookie and perform session hijacking. The missing Secure flag further exposes the cookie to interception over unencrypted HTTP connections, making the attack easier to execute.
Q6
hardFull explanation →

Which TWO of the following are valid techniques for password cracking?

A

Brute-force attack

Tries all possible passwords until correct.

B

Phishing

C

Man-in-the-middle attack

D

Rainbow table attack

Uses precomputed hash chains to reverse hashes.

E

Keylogging

Why: A brute-force attack is a valid password cracking technique that systematically tries every possible combination of characters until the correct password is found. It is computationally intensive but guaranteed to succeed given enough time, making it a fundamental method in password auditing and recovery.

Want more Vulnerability Analysis and System Hacking practice?

Practice this domain
8

Domain 8: Advanced Topics: Wireless, Cloud, IoT, Cryptography

All Advanced Topics: Wireless, Cloud, IoT, Cryptography questions
Q1
easyFull explanation →

A security analyst captures a large number of unique initialization vectors (IVs) from a wireless network using airodump-ng. Which attack are they MOST likely preparing to execute?

A

WPS PIN brute-force attack

B

Evil twin AP deployment

C

WEP key recovery using aircrack-ng

Correct. WEP cracking relies on collecting many unique IVs to exploit statistical weaknesses in the RC4 algorithm.

D

WPA handshake capture

Why: WEP encryption is vulnerable to statistical attacks that require capturing many unique IVs to recover the WEP key. The large number of unique IVs indicates preparation for a WEP cracking attack using a tool like aircrack-ng.
Q2
mediumFull explanation →

During a penetration test, an analyst runs the following command: 'reaver -i wlan0mon -b 00:11:22:33:44:55 -vv'. What is the PRIMARY purpose of this command?

A

Perform a de-authentication attack on the target AP

B

Capture the 4-way handshake for WPA cracking

C

Brute-force the WPS PIN to recover the Wi-Fi passphrase

Correct. Reaver performs a brute-force attack on the WPS PIN, exploiting the weak PIN-based authentication.

D

Scan for nearby access points and their BSSIDs

Why: Reaver is a tool designed to exploit the WPS PIN authentication mechanism. The command targets a specific BSSID to perform a brute-force attack on the WPS PIN, which can reveal the WPA/WPA2 passphrase if successful.
Q3
mediumFull explanation →

A cloud security engineer discovers that an S3 bucket named 'acme-backups' is accessible to anyone with the bucket URL. The bucket contains sensitive customer data. Which AWS shared responsibility model component does this misconfiguration primarily violate?

A

AWS is responsible for physical security of data centers

B

The customer is responsible for patching the S3 service

C

The customer is responsible for configuring access controls and permissions

Correct. S3 bucket policies and permissions are customer-managed security controls.

D

AWS is responsible for network infrastructure; the customer for data classification

Why: Under the AWS shared responsibility model, the customer is responsible for configuring S3 bucket policies and access controls. The misconfiguration is a customer-side issue, not an infrastructure vulnerability.
Q4
hardFull explanation →

An IoT device uses the MQTT protocol without any authentication or encryption. An attacker on the same network subscribes to all topics on the MQTT broker. Which of the following is the MOST effective immediate countermeasure?

A

Disable the MQTT broker entirely and switch to HTTP

B

Implement client authentication and enable TLS encryption

Correct. Enforcing authentication and TLS protects the MQTT communication from unauthorized access and sniffing.

C

Change the default topic names to obfuscated strings

D

Use a VPN for all IoT device communication

Why: MQTT without authentication and encryption can be secured by enabling TLS for transport encryption and requiring credentials for clients. This prevents unauthorized access and eavesdropping.
Q5
easyFull explanation →

Which cryptographic algorithm is classified as symmetric and uses a block cipher with a fixed block size of 128 bits, supporting key sizes of 128, 192, and 256 bits?

A

RC4

B

3DES

C

AES

Correct. AES is a symmetric block cipher with 128-bit blocks and variable key sizes.

D

RSA

Why: AES is a symmetric block cipher with a block size of 128 bits and supports key sizes of 128, 192, and 256 bits. It is the most widely used symmetric encryption standard.
Q6
mediumFull explanation →

A security analyst observes the following log entry on a web server: 'GET /?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1'. This request appears to originate from a compromised web application. Which cloud attack technique is being attempted?

A

Server-Side Request Forgery (SSRF)

Correct. The request to the cloud metadata service is a classic SSRF attack to obtain instance credentials.

B

SQL Injection

C

Container escape

D

Cross-Site Scripting (XSS)

Why: The IP address 169.254.169.254 is the AWS instance metadata service endpoint. An attacker using a Server-Side Request Forgery (SSRF) vulnerability can force the server to request this URL and retrieve sensitive instance metadata, such as IAM credentials.

Want more Advanced Topics: Wireless, Cloud, IoT, Cryptography practice?

Practice this domain
9

Domain 9: Footprinting and Reconnaissance

All Footprinting and Reconnaissance questions
Q1
easyFull explanation →

A penetration tester is performing a footprinting exercise on a target company. The tester wants to identify the network range and ISP of the target. Which of the following tools or techniques is MOST appropriate for this purpose?

A

Query the Netcraft site for the domain

B

Perform a WHOIS lookup against the domain

WHOIS provides IP range and ISP info.

C

Use nslookup to query the authoritative name servers

D

Run a traceroute to the target web server

Why: A WHOIS lookup against the target domain returns registration details that include the organization's network range (via the 'NetRange' or 'CIDR' fields) and the ISP (via the 'OrgName' or 'descr' fields). This directly maps to the footprinting goal of identifying the target's IP address block and upstream provider, as defined in RFC 3912 and common WHOIS database schemas.
Q2
mediumFull explanation →

During the reconnaissance phase, a tester discovers that the target company's email server is configured to automatically respond to delivery status notifications (DSNs). Which type of attack could this information facilitate?

A

DNS cache poisoning

B

Email enumeration

DSN responses can confirm valid addresses.

C

Man-in-the-middle attack

D

Phishing attack

Why: Email servers that automatically respond to Delivery Status Notifications (DSNs) as defined in RFC 1891/3464 can be exploited for email enumeration. By sending a message to a non-existent address, the DSN response will indicate the address is invalid, while a valid address may generate no DSN or a different response. This allows an attacker to systematically verify valid email addresses on the target domain without triggering a full bounce-back to the original sender.
Q3
hardFull explanation →

A security analyst is tasked with performing passive reconnaissance on a target organization. Which of the following is the BEST approach to gather information about the target's technology stack without directly interacting with the target's systems?

A

Engage in social engineering via phone calls

B

Use Shodan to search for target infrastructure

Shodan indexes public data passively.

C

Initiate a DNS zone transfer request

D

Perform a port scan with Nmap

Why: Shodan is a search engine that indexes banners from internet-connected devices, allowing an analyst to discover a target's exposed services, open ports, and technology stack (e.g., web servers, SSH versions, IoT devices) without sending any packets to the target's systems. This makes it a purely passive reconnaissance technique, as it relies on Shodan's pre-collected data rather than direct interaction.
Q4
easyFull explanation →

An ethical hacker wants to discover subdomains of a target domain using only public information. Which of the following techniques is MOST effective?

A

Run a traceroute to the main domain

B

Check the WHOIS record for the domain

C

Use the site: operator in search engines

Search engines index subdomains.

D

Perform a reverse DNS lookup on the target IP range

Why: The `site:` operator in search engines (e.g., Google) allows an ethical hacker to enumerate publicly indexed subdomains of a target domain by querying `site:*.targetdomain.com`. This technique leverages the search engine's crawl data to discover subdomains that are publicly accessible but may not be linked from the main site, making it the most effective method for passive, public-information-only reconnaissance.
Q5
mediumFull explanation →

During footprinting, a tester finds that the target's DNS server allows recursive queries from the internet. What is the MOST significant security implication of this finding?

A

Unauthorized zone transfers are possible

B

The DNS server can be used for denial of service (amplification)

C

The DNS cache can be poisoned easily

D

The DNS server can be used for denial of service

Open recursion enables amplification DDoS.

Why: Option D is correct because a DNS server that allows recursive queries from the internet can be exploited in a DNS amplification attack, a type of denial-of-service (DoS) attack. The attacker sends a small query with a spoofed source IP (the victim's IP) to the open recursive resolver, which responds with a much larger response (e.g., using the ANY record type), amplifying traffic up to 50-100 times. This floods the victim's network, making the DNS server an unwitting participant in the attack.
Q6
mediumFull explanation →

Which TWO of the following are examples of passive footprinting techniques? (Select exactly 2.)

A

Performing a ping sweep on the target network

B

Conducting a port scan with Nmap

C

Using Google dorking to find exposed documents

Uses search engine index, passive.

D

Examining job postings for technology clues

Public info gathering, no direct interaction.

E

Brute forcing subdomains via DNS queries

Why: Option C is correct because Google dorking involves using advanced search operators (e.g., filetype:, intitle:) to discover publicly accessible information without directly interacting with the target's systems. This is a passive footprinting technique as it relies on publicly indexed data from search engines, not on sending packets to the target's network.

Want more Footprinting and Reconnaissance practice?

Practice this domain
10

Domain 10: Network and Web Application Attacks

All Network and Web Application Attacks questions
Q1
mediumFull explanation →

During a penetration test, you notice that a web application accepts user input and displays it directly in the browser without sanitization. Which attack is most likely to succeed?

A

SQL Injection

B

Cross-Site Request Forgery (CSRF)

C

Cross-Site Scripting (XSS)

Reflected XSS is the direct result of unsanitized input displayed in the browser.

D

Command Injection

Why: Option C is correct because the scenario describes a classic reflected Cross-Site Scripting (XSS) vulnerability. The application accepts user input and displays it directly in the browser without sanitization, allowing an attacker to inject malicious JavaScript that executes in the victim's browser. This is the defining characteristic of XSS, not SQL injection or command injection, which target server-side interpreters.
Q2
hardFull explanation →

As a network defender, you notice an unusually high number of incomplete TCP three-way handshakes from a single external IP to multiple internal hosts. What is the most likely attack taking place?

A

UDP flood

B

SYN flood

SYN flood sends many SYN packets without completing handshake.

C

ARP spoofing

D

ICMP flood

Why: A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to target hosts without completing the handshake (i.e., not sending the final ACK). This leaves the target with half-open connections, exhausting its connection table and denying service to legitimate traffic. The observation of incomplete handshakes from a single external IP to multiple internal hosts is a classic signature of a SYN flood.
Q3
easyFull explanation →

A security analyst is configuring a web application firewall (WAF) to protect against SQL injection. Which HTTP parameter location should the analyst focus on to block malicious SQL queries?

A

Query string parameters

Query string parameters are a common vector for SQL injection.

B

Request body (POST data)

C

Cookie headers

D

User-Agent header

Why: SQL injection attacks commonly target query string parameters because user input in URLs is often directly concatenated into SQL queries without proper sanitization. A WAF configured to inspect and filter query string parameters can block malicious SQL payloads before they reach the database server, as these parameters are the most frequent vector for such attacks.
Q4
hardFull explanation →

You are performing a web application security assessment and discover that the application uses a hidden form field named 'price' to store the product price. The price is submitted with the form and used to process payments. Which attack would allow you to purchase an item for a lower price?

A

Directory traversal

B

Parameter tampering

Parameter tampering modifies hidden fields or URL parameters.

C

Cross-Site Scripting (XSS)

D

Cross-Site Request Forgery (CSRF)

Why: Parameter tampering is the correct answer because the 'price' field is stored in a hidden form field, which is client-side data that can be modified before submission. By intercepting the HTTP request (e.g., using a proxy like Burp Suite) and changing the 'price' value to a lower amount, the attacker can purchase the item at a reduced cost. This exploits the lack of server-side validation of the price parameter.
Q5
mediumFull explanation →

A network administrator wants to prevent an attacker from using a network sniffer to capture traffic between a client and a web server. Which protocol should be enforced to encrypt all communication?

A

SNMP

B

FTP

C

HTTPS

HTTPS encrypts data with TLS.

D

HTTP

Why: HTTPS (HTTP over TLS, RFC 2818) encrypts all communication between a client and a web server using TLS/SSL, preventing a network sniffer from capturing plaintext data such as cookies, URLs, or form submissions. This ensures confidentiality and integrity of the web traffic, directly countering passive eavesdropping attacks.
Q6
easyFull explanation →

Which TWO of the following are common web application vulnerabilities that allow an attacker to inject malicious code? (Select exactly 2)

A

Brute Force

B

Cross-Site Scripting (XSS)

XSS injects client-side scripts.

C

Path Traversal

D

SQL Injection

SQL injection injects SQL queries.

E

Cross-Site Request Forgery (CSRF)

Why: Cross-Site Scripting (XSS) is a common web application vulnerability that allows an attacker to inject malicious client-side scripts (typically JavaScript) into web pages viewed by other users. This occurs when an application includes untrusted data in a web page without proper validation or escaping, enabling the attacker to execute arbitrary code in the victim's browser within the context of the trusted site.

Want more Network and Web Application Attacks practice?

Practice this domain
11

Domain 11: Wireless, IoT and Cloud Security

All Wireless, IoT and Cloud Security questions
Q1
easyFull explanation →

A security analyst discovers that an IoT device in a smart building is periodically sending small DNS queries to an external domain known for command-and-control activity. Which security control should be implemented to detect and block such traffic without disrupting legitimate operations?

A

Install a host-based firewall on the IoT device to restrict outbound traffic.

B

Deploy an intrusion detection system (IDS) on the network to alert on suspicious DNS queries.

C

Configure egress filtering on the firewall to block outbound connections to known malicious domains.

Egress filtering prevents malicious outbound traffic.

D

Disable DNS resolution on the IoT device to prevent any external communication.

Why: Option C is correct because egress filtering on the firewall can block outbound DNS queries to known malicious domains by using a blocklist or threat intelligence feed, preventing command-and-control (C2) communication without affecting legitimate traffic to other domains. This control operates at the network perimeter, inspecting DNS requests against a reputation database and dropping matches, which is the most effective way to stop C2 traffic while allowing normal operations.
Q2
mediumFull explanation →

A cloud security engineer notices that an S3 bucket containing sensitive customer data is configured with a bucket policy that allows 'Principal': '*' and 'Action': 's3:GetObject'. The bucket is not publicly accessible via the AWS Management Console, but the engineer is concerned about data exposure. What is the most likely risk?

A

Anyone on the internet can read objects in the bucket if they know the object URL.

Public read access is granted to all objects.

B

The data is encrypted at rest, so no exposure risk exists.

C

The bucket policy is misconfigured but only affects objects with server-side encryption.

D

Only authenticated AWS users can access the bucket, so the risk is limited.

Why: The bucket policy allows 'Principal': '*' with 'Action': 's3:GetObject', which grants anonymous read access to any object in the bucket. Even if the bucket is not publicly listed in the AWS Management Console, anyone on the internet who knows or guesses the object URL can retrieve the object directly via HTTP/HTTPS. This is a classic data exposure risk because the policy overrides any console-level restrictions.
Q3
hardFull explanation →

During a penetration test of a corporate wireless network, you capture a WPA2 handshake and successfully recover the PSK. Later, you notice that some clients are using WPA3-Personal. Which attack could be used to downgrade a WPA3 client to WPA2 and capture its handshake?

A

Perform a PMKID attack on the WPA3 client to capture the handshake.

B

Use a WPS PIN brute-force attack against the WPA3 client.

C

Send deauthentication packets to the WPA3 client and capture the reconnection handshake.

D

Set up a rogue access point broadcasting a WPA2 network with the same SSID, forcing the client to reconnect using WPA2.

Rogue AP can entice client to downgrade.

Why: Option D is correct because WPA3 clients are designed to fall back to WPA2 when the access point only supports WPA2. By setting up a rogue AP with the same SSID but configured for WPA2, the client will attempt to connect using WPA2, allowing you to capture the 4-way handshake and potentially recover the PSK if the same password is used for both security modes.
Q4
easyFull explanation →

A company deploys IoT sensors in a remote facility with limited bandwidth. The sensors send small data packets every few seconds. Which wireless technology is most appropriate for this application?

A

4G LTE

B

Wi-Fi 6

C

Bluetooth 5

D

LoRaWAN

Optimized for low-power, long-range IoT.

Why: LoRaWAN is designed for low-power, long-range communication with small data payloads, making it ideal for IoT sensors in remote facilities with limited bandwidth. It operates in sub-GHz ISM bands (e.g., 868 MHz or 915 MHz) and supports data rates from 0.3 kbps to 50 kbps, perfectly matching the requirement of sending small packets every few seconds over kilometers.
Q5
mediumFull explanation →

A security analyst detects multiple failed authentication attempts on a cloud-based SSH server from a single IP address. The analyst implements a rule to block that IP. However, the attacks continue from different IPs. Which additional control should be implemented to reduce the attack surface?

A

Disable password authentication and use SSH key-based authentication.

Keys are resistant to brute-force.

B

Install fail2ban to automatically block IPs after failures.

C

Implement rate-limiting on SSH connections per IP.

D

Change the SSH port to a non-standard port.

Why: Disabling password authentication and enforcing SSH key-based authentication eliminates the attack vector of brute-forcing passwords entirely. Since the attacker is using multiple IPs to perform credential stuffing, blocking individual IPs (as done initially) or using tools like fail2ban only treats the symptom, not the root cause. Key-based authentication uses asymmetric cryptography (RSA/ECDSA/Ed25519) and is not susceptible to online guessing attacks, thus permanently reducing the attack surface.
Q6
hardFull explanation →

During a wireless penetration test, you discover that the target network uses WPA2-Enterprise with PEAP-MSCHAPv2. You capture the authentication traffic of a legitimate user. Which attack can you perform to recover the user's domain credentials?

A

Decrypt the traffic using the captured handshake to get the credentials.

B

WPS PIN brute-force to recover the PSK.

C

PMKID attack to crack the pre-shared key.

D

Set up a rogue RADIUS server to capture the challenge-response and perform an offline brute-force attack.

Rogue RADIUS can capture hashes for cracking.

Why: In WPA2-Enterprise with PEAP-MSCHAPv2, the authentication is based on a challenge-response mechanism between the client and a RADIUS server. By setting up a rogue RADIUS server, you can capture the challenge and the client's encrypted response, then perform an offline brute-force attack against the MSCHAPv2 hash to recover the user's domain credentials. This works because the MSCHAPv2 response is derived from the user's password and can be cracked offline.

Want more Wireless, IoT and Cloud Security practice?

Practice this domain
12

Domain 12: Cryptography and Malware Analysis

All Cryptography and Malware Analysis questions
Q1
easyFull explanation →

A security analyst receives an alert about a suspicious file hash. The analyst wants to check if the file is known malware by querying an online database of malware signatures. Which tool should the analyst use?

A

Nmap

B

John the Ripper

C

VirusTotal

VirusTotal accepts file hashes and returns detection results from many AV engines.

D

Wireshark

Why: VirusTotal is a free online service that aggregates multiple antivirus engines and malware detection tools, allowing users to upload files or query file hashes against a vast database of known malware signatures. This directly matches the requirement to check if a file is known malware by querying an online database.
Q2
mediumFull explanation →

During a penetration test, an ethical hacker finds that a web application transmits sensitive data in plaintext over HTTPS. Which of the following best describes this security issue?

A

Weak TLS cipher suite

B

Lack of application-layer encryption

The data is encrypted in transit but not at rest or before being sent; the application does not encrypt sensitive fields.

C

SSL stripping attack

D

Man-in-the-middle attack

Why: The core issue is that the web application transmits sensitive data in plaintext over HTTPS, meaning the data is encrypted in transit by TLS but not encrypted at the application layer. This leaves the data vulnerable to exposure if the TLS termination point (e.g., a reverse proxy or load balancer) is compromised or if logs capture the plaintext payload. Application-layer encryption (e.g., encrypting the data before sending it over HTTPS) ensures end-to-end confidentiality, even if the TLS channel is broken or inspected.
Q3
hardFull explanation →

A company's internal PKI uses an offline root CA and an online issuing CA. A security engineer needs to revoke a compromised certificate issued by the online CA. Which CRL distribution point should the engineer update?

A

The CRL published by the certificate authority that signed the issuing CA's certificate

B

The CRL published by the intermediate CA, if any

C

The CRL published by the online issuing CA

The issuing CA is responsible for revoking certificates it issued.

D

The CRL published by the offline root CA

Why: The compromised certificate was issued by the online issuing CA, so only that CA has the authority to revoke it and publish the updated CRL. Clients validating the certificate will check the CRL distribution point (CDP) embedded in the certificate, which points to the issuing CA's CRL. Updating the CRL on the online issuing CA ensures that revocation status is immediately available to relying parties.
Q4
easyFull explanation →

A security analyst suspects that a user's machine is infected with a keylogger. Which of the following is the most effective method to detect a hardware keylogger?

A

Check running processes for suspicious entries

B

Physically inspect the connection between the keyboard and the computer

Hardware keyloggers are physical devices inserted inline.

C

Review USB device history in Event Viewer

D

Run an antivirus scan

Why: A hardware keylogger is a physical device inserted between the keyboard and the computer, typically at the PS/2 or USB connector. Unlike software-based keyloggers, it operates independently of the operating system, so it cannot be detected by process lists, event logs, or antivirus scans. The only reliable detection method is a physical inspection of the keyboard cable and connection point for any unusual inline devices.
Q5
mediumFull explanation →

An ethical hacker is analyzing a piece of malware that uses a custom encryption algorithm. The malware sample contains a hardcoded key that is 16 bytes long. The analyst observes that the encrypted data is the same length as the plaintext. Which encryption mode is most likely being used?

A

GCM

B

CFB

C

ECB

ECB encrypts each block independently; no IV, no expansion beyond padding.

D

CBC

Why: ECB (Electronic Codebook) mode encrypts each block of plaintext independently using the same key, so the ciphertext length equals the plaintext length (assuming no padding is needed for exact block sizes). The hardcoded 16-byte key and identical input/output lengths strongly suggest ECB, as other modes typically add an IV or authentication tag, altering the output length.
Q6
hardFull explanation →

During a forensic investigation, an analyst finds that a malware sample uses a technique to detect if it is running in a sandbox by checking the number of CPU cores. The malware terminates execution if the core count is less than 2. Which anti-analysis technique is this?

A

Code obfuscation

B

Anti-debugging

C

Anti-VM / sandbox evasion

Checking for low resource counts is a common sandbox evasion technique.

D

Packing

Why: Option C is correct because checking the number of CPU cores is a classic anti-VM/sandbox evasion technique. Virtual machines and sandboxes often allocate minimal resources (e.g., a single core) to remain lightweight, so malware uses this check to detect an analysis environment and terminate execution to avoid detection.

Want more Cryptography and Malware Analysis practice?

Practice this domain
13

Domain 13: Social Engineering and Physical Security

All Social Engineering and Physical Security questions
Q1
mediumFull explanation →

A penetration tester is assessing an organization's physical security. The tester wants to gain unauthorized access to a secured server room that uses a biometric fingerprint scanner. Which of the following techniques would be MOST effective for bypassing the biometric scanner?

A

Shoulder surfing the authorized user's fingerprint pattern

B

Picking the lock on the server room door

C

Using a gelatin mold of an authorized user's fingerprint

Gelatin molds can create replicas of fingerprints that may be accepted by some scanners.

D

Tailgating behind an authorized employee

Why: Option C is correct because gelatin molds can replicate the exact ridge and valley patterns of a fingerprint, which many capacitive and optical fingerprint scanners read. This bypasses the biometric authentication without requiring the user's cooperation, making it the most direct method to defeat the scanner itself.
Q2
hardFull explanation →

During a social engineering engagement, a tester calls the help desk posing as an employee from the IT department. The tester claims to be working on a critical system update and needs the employee's password to proceed. Which type of social engineering attack is being executed?

A

Quid pro quo

B

Baiting

C

Pretexting

Pretexting involves creating a false identity or scenario to extract information.

D

Phishing

Why: Pretexting involves creating a fabricated scenario (pretext) to manipulate a target into divulging information. In this case, the tester falsely claims to be from the IT department working on a critical system update, which is a classic pretext to gain trust and obtain the employee's password. This differs from other social engineering types because it relies on a constructed identity and false narrative rather than a technical lure or direct exchange.
Q3
easyFull explanation →

Which of the following is the BEST defense against tailgating attacks in a secure facility?

A

Hiring security guards

B

Reviewing keycard access logs

C

Installing CCTV cameras

D

Implementing a mantrap at the entrance

Mantraps physically enforce one-person entry, preventing tailgating.

Why: A mantrap is a physical security access control system consisting of two interlocking doors that create a small vestibule. Only one door can be opened at a time, and authentication (e.g., keycard + biometric) is required to pass through both. This design physically prevents an unauthorized person from following an authorized person into the facility, directly mitigating tailgating attacks by enforcing strict one-person-per-authentication entry.
Q4
mediumFull explanation →

An employee receives an email that appears to be from the CEO, asking the employee to urgently wire funds to a vendor. The email address is slightly misspelled. What type of social engineering attack is this?

A

Pharming

B

Spear phishing

C

Whaling

Whaling targets senior executives or impersonates them.

D

Vishing

Why: This is a whaling attack because it specifically targets a high-profile individual (the CEO) to deceive another employee into performing a financial action. The slight misspelling of the email address is a classic whaling technique, as the attacker impersonates a senior executive to exploit authority and urgency. Unlike generic phishing, whaling focuses on C-level executives or decision-makers.
Q5
mediumFull explanation →

Which TWO of the following are effective methods to prevent dumpster diving attacks? (Choose two.)

A

Storing all data on encrypted digital media only

B

Shredding sensitive documents before disposal

Shredding renders documents unreadable.

C

Using locked bins for discarded materials

Locked bins restrict physical access.

D

Placing documents in recycling bins

E

Burning all discarded paper documents

Why: Shredding sensitive documents before disposal (Option B) is effective because it physically destroys the information, making it impossible to reconstruct from discarded paper. This directly counters dumpster diving, where attackers retrieve documents to extract confidential data like passwords or network diagrams.
Q6
hardFull explanation →

Which THREE of the following are common indicators of a social engineering attack? (Choose three.)

A

The communication includes verifiable contact information

B

The sender uses a generic greeting like 'Dear Customer'

C

The communication creates a sense of urgency

Attackers often pressure targets to act quickly.

D

The message contains spelling or grammatical errors

Errors can indicate a fake message.

E

The request comes from someone claiming to be in authority

Impersonating authority figures is common.

Why: Option C is correct because social engineers frequently fabricate a sense of urgency to bypass the victim's rational decision-making. By claiming an immediate deadline or threat (e.g., 'Your account will be locked in 24 hours'), the attacker pressures the target into acting without verifying the request, a tactic rooted in the psychological principle of scarcity.

Want more Social Engineering and Physical Security practice?

Practice this domain

Frequently asked questions

How many questions are on the CEH exam?

The CEH exam has 125 questions and must be completed in 240 minutes. The passing score is 700/1000.

What types of questions appear on the CEH exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are CEH questions organised by domain?

The exam covers 13 domains: Footprinting, Reconnaissance and Scanning, Enumeration and System Hacking, Malware, Social Engineering and Network Attacks, Web Application and Injection Attacks, Introduction to Ethical Hacking, Scanning Networks and Enumeration, Vulnerability Analysis and System Hacking, Advanced Topics: Wireless, Cloud, IoT, Cryptography, Footprinting and Reconnaissance, Network and Web Application Attacks, Wireless, IoT and Cloud Security, Cryptography and Malware Analysis, Social Engineering and Physical Security. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CEH exam questions?

No. These are original exam-style practice questions written against the official EC-Council CEH exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 125 CEH questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all CEH questionsTake a timed practice test