Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Scanning Networks and Enumeration practice sets

CEH Scanning Networks and Enumeration • Complete Question Bank

CEH Scanning Networks and Enumeration — All Questions With Answers

Complete CEH Scanning Networks and Enumeration question bank — all 0 questions with answers and detailed explanations.

19
Questions
Free
No signup
Certifications/CEH/Practice Test/Scanning Networks and Enumeration/All Questions
Question 1mediummultiple choice
Read the full Scanning Networks and Enumeration explanation →

During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?

Question 2easymultiple choice
Read the full Scanning Networks and Enumeration explanation →

A security analyst is using Nmap to scan a network segment 192.168.1.0/24 and wants to identify live hosts without sending packets to every IP. Which scan type should the analyst use to minimize network traffic while discovering active hosts?

Question 3hardmultiple choice
Read the full Scanning Networks and Enumeration explanation →

During an internal penetration test, you are tasked with enumerating services on a target server. You run a full TCP port scan and find that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. You then perform version detection on these ports. Which additional enumeration step would provide the most valuable information for identifying potential vulnerabilities?

Question 4mediummultiple choice
Read the full Scanning Networks and Enumeration explanation →

A network administrator needs to identify all devices on a large corporate network that are running a specific vulnerable version of OpenSSH. The administrator has network access and can use scanning tools. However, scanning the entire network might disrupt operations. Which approach minimizes disruption while accurately identifying the vulnerable hosts?

Question 5easymultiple choice
Read the full NAT/PAT explanation →

You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?

Question 6hardmulti select
Read the full network assurance explanation →

Which TWO types of information can be obtained through SNMP enumeration on a target device if the community string is 'public'? (Choose two.)

Question 7mediummulti select
Read the full Scanning Networks and Enumeration explanation →

Which THREE Nmap options are commonly used to evade firewall detection during a scan? (Choose three.)

Question 8mediummultiple choice
Read the full Scanning Networks and Enumeration explanation →

Refer to the exhibit. An Nmap scan shows that port 80 is 'filtered' while ports 22 and 443 are 'open'. What does the 'filtered' state indicate?

Exhibit

Refer to the exhibit.
```
Starting Nmap 7.92 ( https://nmap.org ) at 2025-03-25 14:22 EDT
Nmap scan report for 10.10.1.45
Host is up (0.045s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   filtered http
443/tcp  open     https
```
Question 9hardmultiple choice
Read the full NAT/PAT explanation →

You are a penetration tester assessing a client's internal network. The client has provided you with a non-administrative domain user account. The target network consists of 200 Windows workstations and 5 Windows servers (one domain controller, one file server, two application servers, and one database server). All systems are fully patched and have host-based firewalls enabled. The client wants you to identify vulnerabilities that could be exploited from the internal network. After initial reconnaissance, you discover that all servers have SMB (port 445) open only to the domain controller and the file server has SMB open to all workstations. You have gained a foothold on a workstation via a phishing attack. From this workstation, you can reach the file server on port 445. What is the most effective next step to enumerate potential vulnerabilities on the file server?

Question 10mediummultiple choice
Read the full Scanning Networks and Enumeration explanation →

A penetration tester discovers that an Nmap SYN scan against a target host returns no open ports, but a TCP connect scan reveals port 443 open. Which of the following is the most likely reason for this discrepancy?

Question 11hardmulti select
Read the full Scanning Networks and Enumeration explanation →

Which THREE of the following are valid methods for enumerating users on a Windows domain without prior credentials? (Select exactly 3.)

Question 12easymultiple choice
Read the full Scanning Networks and Enumeration explanation →

Refer to the exhibit. A penetration tester runs the above Nmap scan. Which of the following statements is most accurate regarding the state of port 3389?

Exhibit

Refer to the exhibit.

```
$ sudo nmap -sS -sV -O -p 1-1000 192.168.1.10
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE         VERSION
22/tcp   open     ssh             OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http            Apache httpd 2.4.52
443/tcp  open     ssl/http        Apache httpd 2.4.52
3389/tcp filtered ms-wbt-server
8080/tcp open     http-proxy      Apache httpd 2.4.52
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Network Distance: 1 hop
```
Question 13hardmultiple choice
Review the full subnetting walkthrough →

You are conducting a security assessment for a company that hosts a web application on AWS. The application consists of a public-facing load balancer, an EC2 instance running a Linux web server, and an RDS MySQL database in a private subnet. The web server is configured to allow SSH access only from the company's internal IP range (203.0.113.0/24). During initial reconnaissance, you discover that the load balancer's security group allows inbound HTTP/HTTPS from anywhere. You attempt an Nmap SYN scan against the EC2 instance's public IP but receive no response (host appears down). Using a TCP connect scan, you find that ports 80 and 443 are open on the EC2 instance's public IP, but port 22 is filtered. You then launch an EC2 instance in the same region and run a scan from that internal AWS IP, and you find that port 22 is open on the target EC2 instance's private IP. Which of the following is the most likely reason for the initial scan failure and the filtered SSH port?

Question 14easymulti select
Read the full Scanning Networks and Enumeration explanation →

Which TWO of the following Nmap scan types are typically used to evade firewalls and IDS systems by sending fragmented packets?

Question 15hardmultiple choice
Read the full Scanning Networks and Enumeration explanation →

You are a penetration tester for a financial institution. During the reconnaissance phase, you discover that the target network uses a firewall that only allows inbound TCP connections on ports 80, 443, and 8080. You need to identify live hosts and running services on the internal network (192.168.1.0/24) from an external perspective. To avoid detection, you must minimize the number of packets sent and ensure that your scanning technique does not complete the TCP three-way handshake. Additionally, you have limited time and need to scan all 65535 ports on the most promising target. Based on the firewall rules and the need for stealth, which of the following approaches should you take?

Question 16mediumdrag order
Read the full Scanning Networks and Enumeration explanation →

Drag and drop the steps to conduct a penetration test using the CEH methodology into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 17mediumdrag order
Read the full Scanning Networks and Enumeration explanation →

Drag and drop the steps to perform a buffer overflow exploit in a controlled lab environment into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 18mediummatching
Read the full Scanning Networks and Enumeration explanation →

Match each security tool to its primary purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Network scanning and enumeration

Packet capture and analysis

Exploitation framework

Password cracking

Web application security testing

Question 19mediummatching
Read the full Scanning Networks and Enumeration explanation →

Match each cloud security concept to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Infrastructure as a Service - virtualized computing resources

Platform as a Service - development and deployment platform

Software as a Service - ready-to-use applications

Security duties split between provider and customer

Cloud Access Security Broker - policy enforcement between users and cloud

Practice tests

Scored 10-question sessions with instant feedback and explanations.

CEH Practice Test 1 — 10 Questions→CEH Practice Test 2 — 10 Questions→CEH Practice Test 3 — 10 Questions→CEH Practice Test 4 — 10 Questions→CEH Practice Test 5 — 10 Questions→CEH Practice Exam 1 — 20 Questions→CEH Practice Exam 2 — 20 Questions→CEH Practice Exam 3 — 20 Questions→CEH Practice Exam 4 — 20 Questions→Free CEH Practice Test 1 — 30 Questions→Free CEH Practice Test 2 — 30 Questions→Free CEH Practice Test 3 — 30 Questions→CEH Practice Questions 1 — 50 Questions→CEH Practice Questions 2 — 50 Questions→CEH Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Footprinting, Reconnaissance and ScanningEnumeration and System HackingMalware, Social Engineering and Network AttacksWeb Application and Injection AttacksIntroduction to Ethical HackingScanning Networks and EnumerationVulnerability Analysis and System HackingAdvanced Topics: Wireless, Cloud, IoT, CryptographyFootprinting and ReconnaissanceNetwork and Web Application AttacksWireless, IoT and Cloud SecurityCryptography and Malware AnalysisSocial Engineering and Physical Security

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Scanning Networks and Enumeration setsAll Scanning Networks and Enumeration questionsCEH Practice Hub