Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCEHFlashcards
Free — No Signup RequiredEC-Council· Updated 2026

CEH Flashcards — Free Certified Ethical Hacker CEH Study Cards

Reinforce CEH concepts with active-recall study cards covering all 13 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.

1020+ study cards13 domains coveredActive recall methodFull explanations included
Start 30-card session50-card shuffle
Exam OverviewPractice TestMock ExamStudy GuideFlashcards

Study Sessions

CEH Flashcards

Pick a session size:

⚡Quick 10📝20 Cards🎯30 Cards📊50 Cards💪100 Cards
1,020+ cards · All free

Domains

Footprinting, Reconnaissance and Scanning
Enumeration and System Hacking
Malware, Social Engineering and Network Attacks
Web Application and Injection Attacks
Introduction to Ethical Hacking
Scanning Networks and Enumeration

How to use CEH flashcards effectively

Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For CEH preparation, this means flashcards are one of the highest-return study tools available.

Attempt recall first

Read the CEH question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.

Review wrong cards again

When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.

Study by domain

Group your CEH flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real CEH exam requires.

Short sessions beat marathon reviews

20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass CEH.

CEH flashcard preview

Sample cards from the CEH flashcard bank. Read the question, think of the answer, then read the explanation below.

1

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

Footprinting, Reconnaissance and Scanning

Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting

Option B is correct because the `-sS` flag initiates a TCP SYN stealth scan, `-sV` enables service version detection, and `-O` attempts OS fingerprinting. The `-p 22,80,443,3389` limits the scan to those four ports, and the target `192.168.1.0/24` scans the entire Class C subnet. This combination performs a half-open scan on the specified ports, probes for application versions, and tries to identify the operating system of each live host.

2

A security analyst wants to enumerate NetBIOS names on a Windows network. Which built-in Windows command-line tool should they use?

Enumeration and System Hacking

nbtstat

The nbtstat command is the correct built-in Windows tool for enumerating NetBIOS names because it directly queries and displays NetBIOS over TCP/IP (NetBT) statistics, name tables, and caches. NetBIOS name enumeration relies on the NBT protocol (RFC 1001/1002), and nbtstat -a or -A retrieves the remote machine's NetBIOS name table, which includes service types like file sharing, messaging, and workstation services.

3

A security analyst notices a high volume of ICMP Echo Reply packets on the network. The source IPs are varied, but the destination IP is the same. Which type of attack is MOST likely occurring?

Malware, Social Engineering and Network Attacks

Smurf attack

The Smurf attack is a distributed denial-of-service (DDoS) attack that exploits ICMP by sending a large number of ICMP Echo Request packets with a spoofed source IP (the victim's IP) to a network's broadcast address. All devices on that network then respond with ICMP Echo Reply packets to the victim, overwhelming it. The scenario describes varied source IPs (the responding devices) and a single destination IP (the victim), which is the hallmark of a Smurf attack.

4

A security analyst notices that the web application returns different response times when a valid username is submitted versus an invalid one during login. Which type of vulnerability is likely being exploited?

Web Application and Injection Attacks

Time-based SQL injection

Time-based SQL injection involves injecting SQL code that causes the database to pause if a condition is true, allowing an attacker to infer information based on response times. The observed difference in response times for valid vs. invalid usernames is characteristic of this technique.

5

A security analyst suspects that an attacker is scanning their network. They notice a large number of TCP SYN packets being sent to various ports on a single host, but no SYN-ACK responses are returned. Which type of scan is most likely being used?

Introduction to Ethical Hacking

SYN scan

C is correct because a SYN scan (also known as a half-open scan) sends TCP SYN packets to target ports and does not complete the three-way handshake. If no SYN-ACK is returned, it indicates the port is filtered or the host is not responding, which matches the scenario where the attacker receives no SYN-ACK responses. This scan is stealthier than a full TCP connect scan because it never establishes a full connection.

6

During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?

Scanning Networks and Enumeration

A stateful firewall is blocking inbound SYN packets to port 80 but allowing responses to outbound connections.

A stateful firewall tracks the state of network connections. When you browse to the server, your browser initiates an outbound TCP connection, and the firewall allows the return SYN-ACK packets as part of the established session. However, a standalone TCP SYN scan sends unsolicited SYN packets to port 80, which the firewall sees as a new inbound connection attempt and blocks, preventing the server from responding. The server's ICMP echo reply is allowed because ICMP is stateless and not typically filtered by the same rules.

7

A penetration tester discovers that a target Windows system has port 445 open and responds to SMB requests. Which tool should the tester use to enumerate users, shares, and OS information from this system?

Vulnerability Analysis and System Hacking

enum4linux

enum4linux is a tool specifically designed to enumerate information from Windows and Samba systems via SMB. It leverages the SMB protocol to extract users, shares, OS details, and other system information from a target with port 445 open, making it the correct choice for this scenario.

8

A security analyst captures a large number of unique initialization vectors (IVs) from a wireless network using airodump-ng. Which attack are they MOST likely preparing to execute?

Advanced Topics: Wireless, Cloud, IoT, Cryptography

WEP key recovery using aircrack-ng

WEP encryption is vulnerable to statistical attacks that require capturing many unique IVs to recover the WEP key. The large number of unique IVs indicates preparation for a WEP cracking attack using a tool like aircrack-ng.

9

A penetration tester is performing a footprinting exercise on a target company. The tester wants to identify the network range and ISP of the target. Which of the following tools or techniques is MOST appropriate for this purpose?

Footprinting and Reconnaissance

Perform a WHOIS lookup against the domain

A WHOIS lookup against the target domain returns registration details that include the organization's network range (via the 'NetRange' or 'CIDR' fields) and the ISP (via the 'OrgName' or 'descr' fields). This directly maps to the footprinting goal of identifying the target's IP address block and upstream provider, as defined in RFC 3912 and common WHOIS database schemas.

10

During a penetration test, you notice that a web application accepts user input and displays it directly in the browser without sanitization. Which attack is most likely to succeed?

Network and Web Application Attacks

Cross-Site Scripting (XSS)

Option C is correct because the scenario describes a classic reflected Cross-Site Scripting (XSS) vulnerability. The application accepts user input and displays it directly in the browser without sanitization, allowing an attacker to inject malicious JavaScript that executes in the victim's browser. This is the defining characteristic of XSS, not SQL injection or command injection, which target server-side interpreters.

11

A security analyst discovers that an IoT device in a smart building is periodically sending small DNS queries to an external domain known for command-and-control activity. Which security control should be implemented to detect and block such traffic without disrupting legitimate operations?

Wireless, IoT and Cloud Security

Configure egress filtering on the firewall to block outbound connections to known malicious domains.

Option C is correct because egress filtering on the firewall can block outbound DNS queries to known malicious domains by using a blocklist or threat intelligence feed, preventing command-and-control (C2) communication without affecting legitimate traffic to other domains. This control operates at the network perimeter, inspecting DNS requests against a reputation database and dropping matches, which is the most effective way to stop C2 traffic while allowing normal operations.

12

A security analyst receives an alert about a suspicious file hash. The analyst wants to check if the file is known malware by querying an online database of malware signatures. Which tool should the analyst use?

Cryptography and Malware Analysis

VirusTotal

VirusTotal is a free online service that aggregates multiple antivirus engines and malware detection tools, allowing users to upload files or query file hashes against a vast database of known malware signatures. This directly matches the requirement to check if a file is known malware by querying an online database.

13

A penetration tester is assessing an organization's physical security. The tester wants to gain unauthorized access to a secured server room that uses a biometric fingerprint scanner. Which of the following techniques would be MOST effective for bypassing the biometric scanner?

Social Engineering and Physical Security

Using a gelatin mold of an authorized user's fingerprint

Option C is correct because gelatin molds can replicate the exact ridge and valley patterns of a fingerprint, which many capacitive and optical fingerprint scanners read. This bypasses the biometric authentication without requiring the user's cooperation, making it the most direct method to defeat the scanner itself.

Study all 1020+ CEH cards

CEH flashcards by domain

The CEH flashcard bank covers all 13 official blueprint domains published by EC-Council. Cards are distributed proportionally, so domains with higher exam weight have more cards.

Domain Coverage

Footprinting, Reconnaissance and Scanning

~1 cards

Enumeration and System Hacking

~1 cards

Malware, Social Engineering and Network Attacks

~1 cards

Web Application and Injection Attacks

~1 cards

Introduction to Ethical Hacking

~1 cards

Scanning Networks and Enumeration

~1 cards

Vulnerability Analysis and System Hacking

~1 cards

Advanced Topics: Wireless, Cloud, IoT, Cryptography

~1 cards

Footprinting and Reconnaissance

~1 cards

Network and Web Application Attacks

~1 cards

Wireless, IoT and Cloud Security

~1 cards

Cryptography and Malware Analysis

~1 cards

Social Engineering and Physical Security

~1 cards

Flashcards vs practice tests: which is better for CEH?

Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:

Flashcards — concept retention

Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that CEH questions assume you know.

Best in: weeks 1–3

Practice tests — application

Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.CEH questions test scenario reasoning — not just recall — so practice tests are essential.

Best in: weeks 3–6

The most effective CEH study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.

CEH flashcards — frequently asked questions

Are the CEH flashcards free?

Yes. Courseiva provides free CEH flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.

How many CEH flashcards are on Courseiva?

Courseiva has 1020+ original CEH flashcards across all 13 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official EC-Council exam objectives.

How are Courseiva flashcards different from Anki or Quizlet?

Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official CEH exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.

Can I use CEH flashcards offline?

Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.

Free forever · No credit card required

Track your CEH flashcard progress

Save your results, see which domains need more work, and get spaced repetition recommendations — all free.

Sign Up Free

Free forever · Every certification included

Start Studying

⚡Quick 10 cards📝20-card session🎯30-card session📊50-card shuffle💪100-card marathon

Also Study With

Practice TestMock ExamStudy GuideExam Domains

Related Flashcards

PT0-002CS0-003SY0-701200-201

Related Flashcard Sets

PT0-002

CompTIA PenTest+

CS0-003

CompTIA CySA+

SY0-701

CompTIA Security+

200-201

CyberOps Associate

Browse all certifications →