Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Vulnerability Analysis and System Hacking practice sets

CEH Vulnerability Analysis and System Hacking • Complete Question Bank

CEH Vulnerability Analysis and System Hacking — All Questions With Answers

Complete CEH Vulnerability Analysis and System Hacking question bank — all 0 questions with answers and detailed explanations.

19
Questions
Free
No signup
Certifications/CEH/Practice Test/Vulnerability Analysis and System Hacking/All Questions
Question 1easymultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

A penetration tester discovers that a target Windows system has port 445 open and responds to SMB requests. Which tool should the tester use to enumerate users, shares, and OS information from this system?

Question 2mediummultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

An ethical hacker is assessing a Linux web server running Apache. The server is suspected to have a remote file inclusion (RFI) vulnerability. Which testing approach is most appropriate to confirm the vulnerability without causing damage?

Question 3hardmultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

During a penetration test, a tester gains access to a Linux system and needs to escalate privileges. The tester finds that the user has sudo privileges to run /usr/bin/less as root without a password. Which technique should the tester use to escalate privileges?

Question 4easymultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

A security analyst runs a vulnerability scan and finds that a server is vulnerable to CVE-2021-44228 (Log4j). Which of the following is the best immediate remediation step?

Question 5mediummultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

An ethical hacker is testing a web application that uses cookies for session management. The tester notices that the session cookie does not have the HttpOnly or Secure flags set. Which attack is most likely to succeed due to this misconfiguration?

Question 6hardmulti select
Read the full Vulnerability Analysis and System Hacking explanation →

Which TWO of the following are valid techniques for password cracking?

Question 7mediummulti select
Read the full Vulnerability Analysis and System Hacking explanation →

Which THREE of the following are common indicators of a buffer overflow vulnerability?

Question 8hardmultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

Based on the Nmap scan output, which service is most likely vulnerable to remote code execution?

Exhibit

Refer to the exhibit.

```
$ nmap -sV -p 22,80,443,8080 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-15 10:00 UTC
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
8080/tcp open  http    Apache Tomcat 8.5.5
MAC Address: 00:1A:2B:3C:4D:5E (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
```
Question 9mediummultiple choice
Open the full VLAN trunking answer →

You are a penetration tester hired by a medium-sized financial company. The company has a network consisting of 50 Windows workstations (Windows 10 Pro) and 5 Windows Server 2019 servers (domain controller, file server, web server, database server, and mail server). The network is segmented into three VLANs: User VLAN (192.168.1.0/24), Server VLAN (192.168.2.0/24), and DMZ (192.168.3.0/24). The web server is in the DMZ and hosts a public-facing e-commerce application built on ASP.NET with a SQL Server backend. The database server is in the Server VLAN and is not directly accessible from the internet. You are given a standard user account on a workstation in the User VLAN. After initial reconnaissance, you discover that the web server is running an outdated version of IIS (7.5) and is vulnerable to a known privilege escalation vulnerability (CVE-2020-0613) that allows local privilege escalation if an attacker has already gained initial access. You also find that the web application has a SQL injection vulnerability in the login page. You successfully exploit the SQL injection to extract the password hash of the web application's service account, which is 'web_svc'. You crack the hash offline and obtain the plaintext password. The 'web_svc' account has local administrative privileges on the web server. Using these credentials, you authenticate to the web server via RDP. From there, you want to pivot to the database server to extract credit card information stored in the database. The database server only allows connections from the web server on port 1433 (SQL Server). Using the 'web_svc' account, you are able to connect to the database server using SQL Server Management Studio. However, you find that the 'web_svc' account has only 'public' and 'guest' database roles, which do not allow reading any sensitive tables. You need to escalate privileges on the database server. What is the most effective next step?

Question 10hardmultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

A penetration tester is analyzing a Windows 10 system and runs the following command to dump password hashes from the SAM database. The output shows hashes for local users but some are missing. Which step is most likely missing?

Question 11easymulti select
Read the full Vulnerability Analysis and System Hacking explanation →

Which TWO vulnerabilities are associated with buffer overflow attacks?

Question 12mediummultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

Based on the exhibit, which service should be targeted first to gain initial access with the highest chance of success?

Exhibit

Refer to the exhibit.

Target: 192.168.1.10
Port scanning results:
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open    https
3306/tcp open    mysql
8080/tcp open    http-proxy

Vulnerability scan summary:
- SSH: OpenSSH 7.2p2 (CVE-2016-6210 - High)
- HTTP: Apache 2.4.7 (CVE-2015-0228 - Medium)
- MySQL: MySQL 5.5.52 (CVE-2016-6662 - Critical)
- Proxy: Squid 3.5.23 (CVE-2019-12524 - High)
Question 13mediumdrag order
Read the full Vulnerability Analysis and System Hacking explanation →

Drag and drop the steps to configure a firewall rule in iptables to block incoming SSH traffic into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 14mediummatching
Read the full Vulnerability Analysis and System Hacking explanation →

Match each type of attack to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Social engineering via deceptive emails

Intercepting communication between two parties

Inserting malicious SQL queries into input fields

Overwhelming a system to make it unavailable

Associating attacker's MAC with victim's IP

Question 15hardmultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

Refer to the exhibit. An analyst runs netstat on a Windows server and observes multiple established connections to port 3389 from internal IPs. Which attack is most likely occurring?

Exhibit

netstat -ano | findstr :3389
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.10:3389      10.0.0.5:49152        ESTABLISHED     1234
  TCP    192.168.1.10:3389      10.0.0.6:49153        ESTABLISHED     1234
netstat -ano | findstr :445
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       5678
  TCP    192.168.1.10:445       192.168.1.20:49154     ESTABLISHED     5678
Question 16mediummultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

Refer to the exhibit. A security auditor reviews the password hashes. Which user has the weakest password hash?

Exhibit

# /etc/shadow (partial)
root:$6$xyz$abcdef...:18000:0:99999:7:::
admin:$6$abc$12345...:18005:0:99999:7:::
user:$1$def$67890...:18000:0:99999:7:::
# /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
ENCRYPT_METHOD SHA512
Question 17hardmultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

Refer to the exhibit. An attacker wants to exploit a known vulnerability. Which service is most likely vulnerable to CVE-2019-0215?

Exhibit

nmap -sV -p 22,80,443,8080 192.168.1.100
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
443/tcp  open  ssl/http   Apache httpd 2.4.18 ((Ubuntu))
8080/tcp open  http-proxy Squid http proxy 3.5.12
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Question 18mediummultiple choice
Read the full Vulnerability Analysis and System Hacking explanation →

Refer to the exhibit. A penetration tester runs hashcat to crack NTLM hashes. Which hash mode (-m) would be correct for NTLM?

Exhibit

c:\) hashcat -m 1000 -a 0 hashes.txt wordlist.txt --show
$1$abc$12345:password
$5$xyz$67890:qwerty
$6$def$11111:letmein
$2y$10$abcdefg:hunter2
c:\) hashcat -m 1000 -a 0 hashes.txt wordlist.txt --potfile-disable
Question 19hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. A security analyst checks for missing patches. Which vulnerability is this system likely exposed to?

Exhibit

C:\Users\Admin> wmic qfe get HotFixID,InstalledOn
HotFixID   InstalledOn
KB4569558  9/17/2020
KB4570333  9/17/2020
KB4574727  9/8/2020
KB4577586  9/8/2020
C:\Users\Admin> ver
Microsoft Windows [Version 10.0.19041.508]
C:\Users\Admin> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    CurrentBuild    REG_SZ    19041

Practice tests

Scored 10-question sessions with instant feedback and explanations.

CEH Practice Test 1 — 10 Questions→CEH Practice Test 2 — 10 Questions→CEH Practice Test 3 — 10 Questions→CEH Practice Test 4 — 10 Questions→CEH Practice Test 5 — 10 Questions→CEH Practice Exam 1 — 20 Questions→CEH Practice Exam 2 — 20 Questions→CEH Practice Exam 3 — 20 Questions→CEH Practice Exam 4 — 20 Questions→Free CEH Practice Test 1 — 30 Questions→Free CEH Practice Test 2 — 30 Questions→Free CEH Practice Test 3 — 30 Questions→CEH Practice Questions 1 — 50 Questions→CEH Practice Questions 2 — 50 Questions→CEH Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Footprinting, Reconnaissance and ScanningEnumeration and System HackingMalware, Social Engineering and Network AttacksWeb Application and Injection AttacksIntroduction to Ethical HackingScanning Networks and EnumerationVulnerability Analysis and System HackingAdvanced Topics: Wireless, Cloud, IoT, CryptographyFootprinting and ReconnaissanceNetwork and Web Application AttacksWireless, IoT and Cloud SecurityCryptography and Malware AnalysisSocial Engineering and Physical Security

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Vulnerability Analysis and System Hacking setsAll Vulnerability Analysis and System Hacking questionsCEH Practice Hub