Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CEH Enumeration and System Hacking • Complete Question Bank

CEH Enumeration and System Hacking — All Questions With Answers

Complete CEH Enumeration and System Hacking question bank — all 0 questions with answers and detailed explanations.

189 Questions • Free • No signup
Question 1 (easy, multiple choice)

A security analyst wants to enumerate NetBIOS names on a Windows network. Which built-in Windows command-line tool should they use?

Question 2 (easy, multiple choice)

During a penetration test, you gain access to a target system as a low-privileged user. Which of the following is the BEST next step according to the CEH system hacking methodology (CHPSET)?

Question 3 (medium, multiple choice)

A security analyst observes a suspicious SUID binary /usr/bin/evil in a Linux system. Which type of vulnerability does this indicate, and what is the MOST likely objective of an attacker who placed it?

Question 4 (medium, multiple choice)

A penetration tester runs the following command against a target Linux server: smbclient -L 192.168.1.10 -N. The output lists several shares including 'Admin$', 'C$', and 'IPC$'. Which of the following is the MOST likely next step for further enumeration?

Question 5 (medium, multiple choice)

An attacker uses the VRFY command on an SMTP server to check the existence of email addresses. The server responds with '250 OK' for 'admin@company.com' and '550 No such user' for 'fake@company.com'. Which SMTP enumeration technique is being used?

Question 6 (medium, multiple choice)

A security analyst finds multiple failed login attempts in the system logs, followed by a successful login from an unusual IP address. The attacker then deleted the log entries for that session. Which step of the system hacking methodology (CHPSET) does the log deletion represent?

Question 7 (medium, multiple choice)

Which of the following tools is specifically designed to perform password cracking using rainbow tables?

Question 8 (medium, multiple choice)

During a penetration test, you successfully execute a privilege escalation attack by abusing a service running with SYSTEM privileges on a Windows machine. Which of the following techniques is MOST likely being used?

Question 9 (medium, multiple choice)

A penetration tester executes the command: snmpwalk -c public -v2c 192.168.1.50. Which of the following BEST describes the purpose of this command?

Question 10 (hard, multiple choice)

A security analyst is investigating a compromised Linux system. The /var/log/auth.log file appears to be truncated, and the timestamps on several binaries in /bin/ have been modified. Which of the following tools or techniques is the attacker MOST likely using to cover tracks?

Question 11 (hard, multiple choice)

During a penetration test, you discover an LDAP server on port 389 that allows anonymous binds. Which of the following enumeration techniques would provide the MOST comprehensive information about the directory structure?

Question 12 (hard, multiple choice)

An attacker has gained access to a Windows server and wants to crack the password hashes extracted from the SAM file. The attacker knows the passwords are complex but wants to maximize speed. Which tool is BEST suited for high-speed password cracking using GPU acceleration?

Question 13 (medium, multi select)

Which TWO of the following are valid SMTP enumeration commands that can be used to discover valid email addresses? (Select 2)

Question 14 (easy, multi select)

Which TWO of the following are common tools used for SMB enumeration? (Select 2)

Question 15 (hard, multi select)

Which THREE of the following are password cracking techniques that can be used with Hashcat? (Select 3)

Question 16 (easy, multiple choice)

A security analyst runs `nbtstat -A 192.168.1.10` and receives output showing a table with names like COMPUTER<00>, COMPUTER<20>, and DOMAIN<1B>. What type of information has the analyst gathered?

Question 17 (medium, multiple choice)

During a penetration test, you execute the command `enum4linux -a 192.168.1.20`. The output reveals that the 'backup' account has a blank password and belongs to the 'Domain Admins' group. Which phase of the CHPSET methodology does identifying this vulnerability belong to?

Question 18 (hard, multiple choice)

A forensic analyst examining a compromised Linux system finds the following entry in /var/log/auth.log: `Mar 15 10:23:45 server sshd[1234]: Accepted password for root from 10.0.0.5 port 54321 ssh2`. However, the analyst also notices that /var/log/auth.log has been truncated and the /etc/ssh/sshd_config file contains `LogLevel QUIET`. Which attack phase is most likely being obscured?

Question 19 (medium, multiple choice)

An attacker has gained initial access to a Windows system and wants to escalate privileges to SYSTEM. They find that the SeImpersonatePrivilege is enabled for their current user. Which tool or technique is specifically designed to leverage this privilege for elevation?

Question 20 (easy, multiple choice)

A system administrator wants to enumerate all users in an Active Directory domain. Which protocol and query technique should they use?

Question 21 (medium, multiple choice)

A penetration tester runs `snmpwalk -c public -v2c 192.168.1.50 1.3.6.1.2.1.1` and receives a list of system descriptions, uptime, and contact information. Which type of information is the tester primarily gathering?

Question 22 (medium, multiple choice)

During a penetration test, you run `smtp-user-enum -M VRFY -U users.txt -t 10.0.0.10` and receive responses '252 2.5.2 User <username>' for some users and '550 5.1.1 User unknown' for others. What does this indicate?

Question 23 (hard, multiple choice)

An attacker has obtained password hashes from a Windows system. They plan to use rainbow tables to crack them. Which tool would be most appropriate for generating and using rainbow tables?

Question 24 (easy, multiple choice)

Which of the following tools is specifically used to enumerate SMB shares and retrieve file listings from Windows systems?

Question 25 (medium, multiple choice)

A security administrator notices repeated failed login attempts from a single IP address targeting the SSH service. The attempts use common usernames (root, admin, test) and a list of passwords from a dictionary. What type of password attack is being conducted?

Question 26 (hard, multiple choice)

A Linux system has a script named 'backup' owned by root with the SUID bit set and world-executable permissions. A standard user executes the script and discovers it runs a command that reads /etc/shadow and writes output to a world-readable file. What is the most likely intended exploitation path?

Question 27 (medium, multiple choice)

An incident responder finds that the Windows Event Logs on a compromised server have been cleared, and the Security log shows gaps in coverage. Additionally, a rootkit is suspected. Which phase of the hacking methodology does the clearing of logs represent?

Question 28 (easy, multi select)

Which TWO tools can be used to enumerate SMB shares and users on a Windows target? (Choose two.)

Question 29 (medium, multi select)

Which THREE of the following are valid techniques in the system hacking methodology (CHPSET)? (Choose three.)

Question 30 (hard, multi select)

A penetration tester obtains password hashes from a Windows system. Which TWO methods would be most efficient for cracking NTLM hashes offline? (Choose two.)

Question 31 (easy, multiple choice)

A security analyst runs 'nbtstat -A 192.168.1.10' and receives a table showing the machine name and a list of names registered. Which service is being enumerated?

Question 32 (easy, multiple choice)

During a penetration test, you need to enumerate SMB shares on a Windows target. Which of the following tools is specifically designed for this purpose?

Question 33 (easy, multiple choice)

Which SNMP community string is typically used for read-only access by default on many devices?

Question 34 (medium, multiple choice)

An attacker attempts to enumerate valid email users by connecting to an SMTP server and issuing the following commands: EHLO example.com, VRFY root, VRFY admin, VRFY user1. Which SMTP enumeration technique is being used?

Question 35 (medium, multiple choice)

A tester runs 'snmpwalk -v2c -c public 192.168.1.1' and receives a large amount of system information. What does this command do?

Question 36 (medium, multiple choice)

During a penetration test, you gain access to a Linux server as a low-privileged user. Which of the following is an effective technique to escalate privileges by exploiting misconfigured file permissions?

Question 37 (medium, multiple choice)

An ethical hacker needs to crack a set of NTLM hashes obtained from a Windows system. Which tool would be MOST efficient for performing a dictionary attack with hybrid rules?

Question 38 (medium, multiple choice)

After successfully exploiting a system, an attacker uses the command 'wevtutil cl system' on a Windows target. What is the MOST likely purpose of this command?

Question 39 (medium, multiple choice)

Which phase of the system hacking methodology (CHPSET) involves hiding files from the operating system using techniques such as rootkits or steganography?

Question 40 (medium, multiple choice)

A penetration tester uses the following command to extract the contents of a SAM file: 'samdump2 SYSTEM /mnt/windows/Windows/System32/config/SAM'. What is the primary purpose of this action?

Question 41 (hard, multiple choice)

During a penetration test, you discover a Windows service running with SYSTEM privileges that has a weak file permission allowing the 'Everyone' group to modify its executable. Which privilege escalation technique is MOST directly applicable here?

Question 42 (hard, multiple choice)

An attacker uses 'rpcclient -U '' -N 192.168.1.10' followed by 'enumdomusers' and 'enumdomgroups'. What type of enumeration is being performed, and which protocol does it rely on?

Question 43 (medium, multi select)

Which TWO tools are commonly used for enumerating NFS exports on a target system? (Select 2 correct answers)

Question 44 (hard, multi select)

Which THREE of the following are valid techniques for covering tracks after compromising a system? (Select 3 correct answers)

Question 45 (hard, multi select)

Which TWO of the following are examples of hybrid password attacks? (Select 2 correct answers)

Question 46 (medium, multiple choice)

During a penetration test, you run the command `enum4linux -a 192.168.1.10` and receive output containing user account names, group memberships, and share listings. Which protocol is primarily being enumerated?

Question 47 (easy, multiple choice)

A security analyst suspects an attacker has used a rainbow table to crack password hashes from a compromised system. Which password cracking technique involves precomputed hash chains?

Question 48 (hard, multiple choice)

During a security assessment, you find a Linux binary with the SUID bit set and owned by root. You execute it and obtain a root shell. This is an example of which privilege escalation technique?

Question 49 (medium, multiple choice)

A penetration tester is attempting to enumerate user accounts on a mail server. They connect to port 25 and issue the commands `VRFY root` and `EXPN support`. Which protocol is being targeted?

Question 50 (medium, multiple choice)

After gaining access to a system, an attacker modifies log files to remove evidence of their activities. This action is part of which phase of the system hacking methodology?

Question 51 (easy, multiple choice)

Which tool is specifically designed to crack Windows LM and NTLM password hashes using rainbow tables?

Question 52 (hard, multiple choice)

A security analyst runs `snmpwalk -v2c -c public 192.168.1.1` and receives extensive output about the device's configuration. Which of the following is the MOST effective countermeasure against this enumeration?

Question 53 (medium, multiple choice)

During a penetration test, you need to enumerate all users and groups from a Windows domain controller. Which tool is BEST suited for this task?

Question 54 (medium, multiple choice)

An attacker uses a tool that sends crafted RCPT TO commands to an SMTP server to verify email addresses. Which SMTP enumeration technique is being used?

Question 55 (easy, multiple choice)

Which password cracking technique involves trying every possible combination of characters until the correct password is found?

Question 56 (hard, multiple choice)

A security analyst examines a compromised Linux server and finds a hidden directory `/usr/share/.syslog` containing a modified version of `sshd` and a log cleaner script. This is indicative of which technique used to erase tracks?

Question 57 (medium, multiple choice)

Which of the following commands would a tester use to enumerate NetBIOS names and their associated IP addresses on a local subnet?

Question 58 (medium, multi select)

Which TWO of the following are valid methods for enumerating SMB shares on a target system? (Select 2)

Question 59 (medium, multi select)

Which THREE of the following are common techniques used in the 'Cracking passwords' phase of system hacking? (Select 3)

Question 60 (medium, multi select)

Which TWO of the following are effective countermeasures against SNMP enumeration attacks? (Select 2)

Question 61 (easy, multiple choice)

A security analyst uses the nbtstat -a command against a target IP address. What information is the analyst MOST likely attempting to retrieve?

Question 62 (medium, multiple choice)

During a penetration test, an analyst runs the command 'snmpwalk -v2c -c public 192.168.1.10' and receives a large amount of output. Which protocol and community string are being used?

Question 63 (medium, multiple choice)

An attacker uses a tool that precomputes hash chains for common passwords to crack password hashes quickly. Which technique is the attacker employing?

Question 64 (hard, multiple choice)

After gaining initial access to a Windows server, a penetration tester wants to escalate privileges. The tester finds that the current user has the 'SeImpersonatePrivilege' enabled. Which attack technique could the tester use to abuse this privilege?

Question 65 (easy, multiple choice)

Which of the following tools is specifically designed to crack Windows LAN Manager (LM) and NTLM hashes using rainbow tables?

Question 66 (medium, multiple choice)

During a security assessment, an analyst runs 'enum4linux -a 10.0.0.5' and obtains a list of users, shares, and OS information. What protocol is enum4linux primarily using to gather this information?

Question 67 (medium, multiple choice)

A penetration tester discovers a Linux server with the SUID bit set on the 'find' command. How could this be exploited for privilege escalation?

Question 68 (hard, multiple choice)

An attacker uses SMTP commands to verify the existence of email accounts on a mail server. Which sequence of SMTP commands is used for this purpose?

Question 69 (medium, multiple choice)

A security analyst suspects an attacker has replaced system binaries with a rootkit to hide malicious processes. Which covering tracks technique is the attacker using?

Question 70 (easy, multiple choice)

Which of the following is the correct order of phases in the system hacking methodology known as CHPSET?

Question 71 (medium, multiple choice)

During an internal penetration test, you run 'smbclient -L //192.168.1.100 -N' and get an empty response. Which of the following is the MOST likely reason?

Question 72 (hard, multiple choice)

A penetration tester captures the following output from a command: 'smb: \> ls \\192.168.1.20\C$'. The tester is able to list the contents of the C$ share without providing credentials. Which of the following is the MOST likely reason for this access?

Question 73 (medium, multi select)

Which TWO of the following are valid enumeration techniques? (Select 2)

Question 74 (easy, multi select)

Which THREE of the following are password cracking techniques? (Select 3)

Question 75 (medium, multi select)

Which TWO of the following are examples of privilege escalation on Linux? (Select 2)

Question 76 (medium, multiple choice)

A security analyst runs the command: nbtstat -A 192.168.1.10. The output shows the table of names for the remote machine. Which of the following is the MOST likely purpose of this command?

Question 77 (easy, multiple choice)

During a penetration test, you receive a list of password hashes from a Windows server. Which of the following tools would be BEST suited to perform a dictionary attack against these hashes?

Question 78 (medium, multiple choice)

A penetration tester obtains a list of password hashes and uses RainbowCrack. Which statement BEST describes how RainbowCrack works?

Question 79 (hard, multiple choice)

After gaining initial access, an attacker attempts to escalate privileges by exploiting a misconfigured service running as SYSTEM. They find that the service's binary path is writable by the Everyone group. Which privilege escalation technique is the attacker MOST likely using?

Question 80 (medium, multiple choice)

A security engineer runs SNMPwalk on a network device and receives community strings as 'public' and 'private'. What is the PRIMARY concern?

Question 81 (easy, multiple choice)

Which of the following is the PRIMARY purpose of steganography in the context of covering tracks after a system compromise?

Question 82 (medium, multiple choice)

A penetration tester uses the SMTP commands VRFY and EXPN on a mail server. What is the tester MOST likely trying to accomplish?

Question 83 (hard, multiple choice)

During a penetration test, an analyst uses enum4linux with the -a flag against a target. Which of the following is the MOST comprehensive set of information that can be obtained?

Question 84 (medium, multiple choice)

An attacker has gained access to a system and wants to erase evidence of their activities. Which of the following actions is MOST effective for covering tracks on a Windows system?

Question 85 (hard, multiple choice)

A penetration tester finds that a Linux binary has the SUID bit set and is owned by root. Which of the following does this indicate?

Question 86 (easy, multiple choice)

Which tool is specifically designed to crack Windows LM and NTLM hashes using precomputed tables?

Question 87 (medium, multiple choice)

A security analyst observes repeated attempts to validate user accounts via SMTP using VRFY commands from an external IP. What is the BEST immediate action to mitigate this reconnaissance?

Question 88 (medium, multi select)

Which TWO techniques are commonly used for privilege escalation on Linux systems? (Select two.)

Question 89 (hard, multi select)

Which THREE of the following are components of the CHPSET system hacking methodology? (Select three.)

Question 90 (medium, multi select)

Which TWO tools are commonly used for password cracking against hashed passwords? (Select two.)

Question 91 (easy, multiple choice)

A security analyst runs the command `nbtstat -A 192.168.1.105` on a Windows machine. What information is the analyst most likely trying to gather?

Question 92 (medium, multiple choice)

During a penetration test, a tester uses the SMTP VRFY command against a mail server. The server responds with '252 Cannot VRFY user, but will accept message' for most usernames. Which action should the tester take to enumerate valid email addresses more effectively?

Question 93 (hard, multiple choice)

A penetration tester is attempting to escalate privileges on a Linux target. The tester runs `find / -perm -4000 -type f 2>/dev/null` and discovers that `/usr/bin/pkexec` has the SUID bit set. The target runs Ubuntu 20.04 with default configurations. Which of the following is the MOST likely next step?

Question 94 (medium, multiple choice)

An analyst observes repeated failed login attempts to a Windows server from an internal IP, followed by a successful login using the account 'admin' from the same IP. The analyst checks the Security log and finds Event ID 4624 with Logon Type 3. What type of attack is MOST likely occurring?

Question 95 (easy, multiple choice)

Which tool is specifically designed to crack Windows LM and NTLM hashes using rainbow tables?

Question 96 (medium, multiple choice)

During a system hacking phase, a tester successfully gains access to a Windows machine and wants to hide a malicious executable. Which of the following techniques is MOST effective for hiding files from standard directory listings without using third-party tools?

Question 97 (medium, multiple choice)

A security team discovers that an attacker has been using steganography to exfiltrate data from the corporate network. The attacker hid data inside image files and uploaded them to a public image hosting site. Which of the following is the BEST method to detect this type of exfiltration?

Question 98 (hard, multiple choice)

A penetration tester runs the following command against a Linux server: `smbclient -L //192.168.1.10 -N`. The output lists shares including 'IPC$', 'ADMIN$', and 'data'. Which of the following is the BEST next step to enumerate the 'data' share?

Question 99 (easy, multiple choice)

Which of the following commands is used to enumerate SNMP information from a network device using a specific community string?

Question 100 (medium, multiple choice)

A penetration tester has obtained a copy of the SAM database from a Windows system. The hashes extracted include both LM and NTLM hashes. Which of the following tools would be MOST efficient to crack the NTLM hashes using a dictionary attack with GPU acceleration?

Question 101 (hard, multiple choice)

After gaining initial access to a Linux server, a penetration tester wants to maintain persistence by creating a backdoor. The tester decides to replace a common system binary with a trojanized version. Which of the following techniques is MOST likely to evade detection by file integrity monitoring (FIM) systems?

Question 102 (medium, multiple choice)

A security analyst reviews the following command output from a Linux system: `uid=0(root) gid=0(root) groups=0(root)`. The analyst suspects a privilege escalation attack. Which of the following techniques could have been used to achieve root access from a standard user account?

Question 103 (medium, multi select)

Which TWO of the following are valid methods for enumerating users on a SMTP server? (Select 2)

Question 104 (hard, multi select)

Which THREE of the following are indicators that a system has been compromised by a rootkit? (Select 3)

Question 105 (medium, multi select)

Which TWO of the following are common techniques for covering tracks after compromising a system? (Select 2)

Question 106 (easy, multiple choice)

A security analyst runs the command `nbtstat -A 192.168.1.50` in a Windows environment. What information is the analyst attempting to retrieve?

Question 107 (medium, multiple choice)

During a penetration test, you successfully gain access to a web server with a low-privileged shell. You want to escalate privileges to root. Which of the following techniques is MOST likely to achieve privilege escalation on a misconfigured Linux system?

Question 108 (hard, multiple choice)

A security team has collected a hash file from a compromised Windows server that contains NTLM hashes. They want to crack the passwords as quickly as possible using a precomputed lookup table. Which tool and technique combination is BEST suited for this task?

Question 109 (medium, multiple choice)

A penetration tester is enumerating an SMTP server on port 25. They issue the command `VRFY root` and receive a 250 response, then `VRFY admin` also returns 250. What does this indicate about the SMTP server?

Question 110 (medium, multiple choice)

A penetration tester wants to enumerate users and groups from a Windows domain controller via LDAP without logging in. Which of the following tools is MOST appropriate for anonymous LDAP enumeration?

Question 111 (hard, multiple choice)

An attacker has gained access to a Linux server and wants to cover their tracks. They edit the `.bash_history` file, modify system logs in `/var/log`, and install a kernel module that hides their processes. Which two steps of the system hacking methodology (CHPSET) are being performed?

Question 112 (easy, multiple choice)

Which of the following tools is specifically designed to enumerate SMB shares and user information from Windows systems using the SMB protocol?

Question 113 (medium, multiple choice)

A penetration tester is performing SNMP enumeration against a network device and wants to retrieve the entire Management Information Base (MIB) tree. Which command should they use?

Question 114 • medium • multiple choice

During a password cracking session, a pentester uses a wordlist combined with rules to generate variations of each word. This approach is called a hybrid attack. Which tool, when used with a rule file, can perform such an attack?

Question 115 • hard • multiple choice

A forensic analyst discovers that an attacker used a rootkit to hide malicious processes and files on a compromised Linux system. The rootkit also intercepts system calls to `open()` and `stat()` to return clean results. Which of the following techniques is the rootkit using to cover its tracks?

Question 116 • easy • multiple choice

Which of the following is a primary purpose of the enumeration phase in a penetration test?

Question 117 • medium • multiple choice

A security analyst is investigating a potential SMB-based attack. They notice unusual traffic on port 445 from a host running `enum4linux`. Which of the following enumeration actions could `enum4linux` perform that would generate such traffic?

Question 118 • medium • multi select

Which TWO of the following are valid enumeration techniques used to identify user accounts on a system? (Select 2)

Question 119 • hard • multi select

A penetration tester is tasked with performing privilege escalation on a Windows system. Which THREE of the following methods are commonly used for Windows privilege escalation? (Select 3)

Question 120 • medium • multi select

Which TWO of the following tools are capable of cracking password hashes offline? (Select 2)

Question 121 • medium • multiple choice

A security analyst runs `nbtstat -A 192.168.1.50` from a Windows command prompt and receives output showing a table with names like 'WORKGROUP<00>', 'PC01<20>', and 'USER<03>'. What is the MOST likely purpose of this command?

Question 122 • easy • multiple choice

Which tool is specifically designed to enumerate SMB shares and user accounts on a Windows target by leveraging the SMB protocol?

Question 123 • medium • multiple choice

During an SMTP enumeration, a penetration tester connects to the mail server on port 25 and issues the commands 'VRFY root', 'EXPN admin', and 'RCPT TO:unknown@domain.com'. The server responds with '252' for VRFY, '250' for EXPN, and '550' for RCPT TO. What does this indicate?

Question 124 • hard • multiple choice

An attacker gains access to a Linux web server as the 'www-data' user. They run `find / -perm -4000 -type f 2>/dev/null` and see that `/usr/bin/passwd` has the SUID bit set. Which privilege escalation technique is this command checking for?

Question 125 • easy • multiple choice

Which of the following tools is used to crack Windows LAN Manager (LM) and NTLM password hashes using rainbow tables?

Question 126 • medium • multiple choice

After compromising a system, an attacker wants to erase their tracks. They clear the Windows Event Logs using `wevtutil cl` commands. However, the logs are forwarded to a remote SIEM. Which covering tracks technique would be MOST effective to avoid detection?

Question 127 • hard • multiple choice

A penetration tester discovers a service running on UDP port 161 with a default community string 'public'. They use `snmpwalk -v2c -c public 192.168.1.10` and retrieve extensive system information. Which enumeration technique is being performed?

Question 128 • medium • multiple choice

In the context of system hacking methodology (CHPSET), which phase involves hiding malicious files from the operating system and security tools using techniques such as NTFS alternate data streams (ADS) or steganography?

Question 129 • easy • multiple choice

Which password cracking method uses a precomputed table of hash chains to reverse password hashes quickly?

Question 130 • medium • multiple choice

A security analyst notices that an attacker has gained SYSTEM privileges on a Windows server after compromising a service running as LOCAL SYSTEM. The attacker then uses `whoami /priv` and finds the SeTcbPrivilege (Act as part of the operating system) is enabled. Which privilege escalation technique might the attacker use next?

Question 131 • hard • multiple choice

During a penetration test, the tester runs `ldapsearch -x -H ldap://192.168.1.20 -b 'dc=domain,dc=com' '(objectclass=*)'`. The output reveals user objects with 'userPassword' attributes in clear text. Which type of enumeration is being performed, and what is the security implication?

Question 132 • medium • multiple choice

A penetration tester gains access to a Linux server and attempts to escalate privileges. They run `sudo -l` and see that the user can run `/usr/bin/vim` as root without a password. Which privilege escalation technique should the tester use?

Question 133 • medium • multi select

Which TWO of the following are enumeration techniques used to gather information from Windows systems? (Select 2)

Question 134 • hard • multi select

Which THREE of the following are methods for covering tracks after compromising a system? (Select 3)

Question 135 • easy • multi select

Which TWO of the following are password cracking techniques? (Select 2)

Question 136 • easy • multiple choice

A security analyst runs `nbtstat -A 192.168.1.10` and receives a response with the computer name, logged-in user, and domain. Which protocol is being queried?

Question 137 • medium • multiple choice

A penetration tester wants to enumerate user accounts on a Linux system running SMTP service. Which commands are commonly used for this purpose?

Question 138 • hard • multiple choice

During a penetration test, the tester runs `enum4linux -U 192.168.1.20` and obtains a list of usernames. What service is being enumerated, and what is the primary risk associated with this information disclosure?

Question 139 • medium • multiple choice

An analyst observes the following SNMP walk output on a network device: `SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.5.1 = STRING: "cisco"`. Which finding is most significant?

Question 140 • easy • multiple choice

Which tool is specifically designed to crack Windows LAN Manager (LM) and NTLM hashes using rainbow tables?

Question 141 • medium • multiple choice

During a penetration test, a tester gains a low-privilege shell on a Linux server. The command `sudo -l` reveals that the user can run `/usr/bin/find` as root. Which technique can the tester use to escalate privileges?

Question 142 • medium • multiple choice

A security engineer notices repeated log entries showing a user account logging in at odd hours and then clearing event logs. The engineer suspects credential theft. Which phase of the CHPSET methodology involves erasing tracks?

Question 143 • hard • multiple choice

A penetration tester uses `smbclient -L //192.168.1.30 -N` and receives a list of shares including a hidden administrative share (C$) and a user share named "Backup". What is the most immediate security concern?

Question 144 • easy • multiple choice

Which type of password cracking attack uses a precomputed table of hash chains to reverse hashes quickly?

Question 145 • medium • multiple choice

An attacker modifies system logs to remove entries related to their activities. Which technique is being used to cover tracks?

Question 146 • hard • multiple choice

A forensic analyst finds a system where the user's password hash was obtained and cracked offline. The attacker then used stolen credentials to log in and run `wevtutil cl system`. What is the purpose of this command?

Question 147 • medium • multiple choice

In the context of privilege escalation on Windows, what is token impersonation, and which tool is commonly used to exploit it?

Question 148 • medium • multi select

A penetration tester is enumerating services on a target Windows server. Which TWO tools are specifically designed for SMB enumeration? (Select two.)

Question 149 • hard • multi select

During a penetration test, the tester successfully cracks a password hash using a hybrid attack. Which THREE characteristics describe a hybrid attack? (Select three.)

Question 150 • easy • multi select

Which TWO of the following are common methods used to hide files on a compromised system? (Select two.)

Question 151 • medium • multiple choice

A penetration tester runs `nbtstat -A 192.168.1.10` on a Windows machine. The output reveals the NetBIOS name table and shows a <20> entry. What does this indicate?

Question 152 • medium • multiple choice

During an internal penetration test, an analyst uses `enum4linux -a 10.0.0.5` and retrieves a list of local users, including an account named 'sqlsvc'. The analyst then attempts to crack the password using a dictionary attack. Which password cracking tool would be most efficient for this task?

Question 153 • easy • multiple choice

Which enumeration technique would be MOST effective for gathering usernames from an SMTP server that supports the VRFY command?

Question 154 • hard • multiple choice

After gaining initial access to a Linux server, an attacker runs `find / -perm -4000 -o -perm -2000 2>/dev/null`. What is the primary objective of this command?

Question 155 • medium • multiple choice

A security analyst observes repeated log entries showing `EXPN` commands from an external IP address to the company's mail server. What is the MOST likely objective of this activity?

Question 156 • easy • multiple choice

Which tool is specifically designed to perform SNMP enumeration by walking the MIB tree using a known community string?

Question 157 • medium • multiple choice

During a penetration test, an analyst obtains a dump of password hashes from a Windows server. The hashes are in LM:NT format. The analyst wants to crack the NT portion using a brute-force attack on 8-character alphanumeric passwords. Which tool is BEST suited for this task?

Question 158 • hard • multiple choice

An attacker has compromised a Linux machine and wants to hide a rootkit by replacing system binaries with trojaned versions. Which technique is being used to maintain persistent access while evading detection?

Question 159 • medium • multiple choice

A security analyst runs `ldapsearch -x -h 10.0.0.3 -b "dc=company,dc=com"` and receives a large number of entries including user objects. What type of information is being collected?

Question 160 • easy • multiple choice

In the context of system hacking methodology (CHPSET), which phase involves removing evidence of the attacker's activities from logs and system files?

Question 161 • hard • multiple choice

An attacker successfully escalates privileges on a Windows server using a known vulnerability in the Print Spooler service (PrintNightmare). Which type of privilege escalation does this represent?

Question 162 • medium • multiple choice

Which of the following commands would a penetration tester use to enumerate SMB shares on a target Windows machine from a Linux system?

Question 163 • medium • multi select

During a penetration test, an analyst detects that an SNMP agent on a network device is using the default community string 'public'. Which TWO actions can the analyst perform using this information? (Choose TWO.)

Question 164 • hard • multi select

A security team is investigating a compromised Linux server. They suspect the attacker used privilege escalation via SUID binaries. Which THREE techniques should the team check as potential attack vectors? (Choose THREE.)

Question 165 • easy • multi select

Which TWO of the following are common techniques used to cover tracks after compromising a system? (Choose TWO.)

Question 166 • medium • multiple choice

A security analyst runs 'nbtstat -A 192.168.1.105' and sees a table with the computer name 'FILESERVER' and a logged-in user 'admin'. Which of the following BEST describes the purpose of this command?

Question 167 • hard • multiple choice

During a penetration test, you gain initial access to a Linux server as a low-privileged user. The target runs a vulnerable SUID binary owned by root. Which of the following is the MOST effective method to escalate privileges?

Question 168 • easy • multiple choice

A security analyst wants to enumerate all users from an SMTP server. Which of the following SMTP commands can be used for user enumeration?

Question 169 • medium • multiple choice

During a network assessment, you use SNMPwalk against a target. Which of the following is a prerequisite for successful SNMP enumeration?

Question 170 • hard • multiple choice

An analyst detects an SMB enumeration attempt in network logs. Which of the following tools would MOST likely generate such traffic?

Question 171 • medium • multiple choice

A penetration tester wants to crack Windows NTLM hashes using rainbow tables. Which tool is specifically designed for this purpose?

Question 172 • easy • multiple choice

Which of the following is a passive OS fingerprinting technique?

Question 173 • hard • multiple choice

After compromising a Windows system, an attacker wants to cover tracks by deleting event logs. Which command would achieve this?

Question 174 • easy • multiple choice

Which of the following is a method of hiding files on a system using steganography?

Question 175 • medium • multiple choice

A security analyst runs the following command: 'smbclient -L //192.168.1.50 -N'. What is the purpose of this command?

Question 176 • medium • multi select

Which TWO of the following are techniques used to escalate privileges on a Linux system?

Question 177 • hard • multi select

Which THREE of the following are components of the CHPSET system hacking methodology?

Question 178 • medium • multi select

Which TWO of the following tools are used for password cracking?

Question 179 • easy • multi select

Which TWO of the following are enumeration techniques?

Question 180 • hard • multi select

Which THREE of the following are methods attackers use to cover their tracks after compromising a system?

Question 181 • medium • multiple choice

A penetration tester runs the following Nmap command: `nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24`. Which of the following BEST describes what this scan will accomplish?

Question 182 • easy • multiple choice

A security analyst wants to enumerate users and groups from a Windows domain controller using LDAP. Which of the following queries would return all objects of class 'user' from the domain 'example.com'?

Question 183 • hard • multiple choice

During a penetration test, you enumerate a Linux NFS server and discover that the /export directory is mounted with 'no_root_squash' and 'world_readable' permissions. Which of the following actions would allow you to escalate to root access on the NFS client?

Question 184 • medium • multiple choice

A security analyst captures the following SMTP conversation: 220 mail.example.com ESMTP; HELO client; 250 Hello; VRFY root; 250 Super-User; VRFY admin; 252 Cannot VRFY user; VRFY user1; 550 User unknown. Which attack is the analyst performing?

Question 185 • easy • multiple choice

A penetration tester obtains a hash dump from a compromised Windows system and wants to crack LM and NTLM hashes quickly using precomputed tables. Which tool would be most efficient for this task?

Question 186 • medium • multi select

A security analyst is investigating a compromised Linux system and finds the following:

- A binary with SUID bit set owned by root that is not a standard system binary
- The file /etc/ld.so.preload contains a reference to a shared object in /tmp
- The system logs show gaps of several minutes during peak hours

Which TWO techniques has the attacker MOST likely used to maintain access and evade detection?

Question 187 • medium • multi select

During a penetration test, a tester runs enum4linux against a Windows server and receives the following output: 'S-1-5-21-3623811015-3361044348-30300820-500' and 'S-1-5-21-3623811015-3361044348-30300820-501'. Which TWO conclusions can be drawn from this output?

Question 188 • hard • multi select

A security auditor runs SNMPwalk against a network device using the default community string 'public' and obtains extensive system information. Which THREE of the following are effective countermeasures to prevent unauthorized SNMP enumeration?

Question 189 • easy • multi select

A penetration tester successfully gains access to a Linux server as a low-privilege user. The goal is to escalate to root. Which THREE methods could the tester use to achieve privilege escalation?
