19+ practice questions focused on Scanning Networks and Enumeration — one of the most tested topics on the Certified Ethical Hacker CEH exam. Each question includes a detailed explanation so you learn why the right answer is correct.
During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?
Explanation: A stateful firewall tracks the state of network connections. When you browse to the server, your browser initiates an outbound TCP connection, and the firewall allows the return SYN-ACK packets as part of the established session. However, a standalone TCP SYN scan sends unsolicited SYN packets to port 80, which the firewall sees as a new inbound connection attempt and blocks, preventing the server from responding. The server's ICMP echo reply is allowed because ICMP is stateless and not typically filtered by the same rules.
A security analyst is using Nmap to scan a network segment 192.168.1.0/24 and wants to identify live hosts without sending packets to every IP. Which scan type should the analyst use to minimize network traffic while discovering active hosts?
Explanation: Option C is correct because `nmap -sn` (ping sweep) sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default, allowing the analyst to discover live hosts without scanning every port or sending packets to every IP individually. This minimizes network traffic compared to full port scans while still efficiently identifying active devices on the 192.168.1.0/24 subnet.
During an internal penetration test, you are tasked with enumerating services on a target server. You run a full TCP port scan and find that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. You then perform version detection on these ports. Which additional enumeration step would provide the most valuable information for identifying potential vulnerabilities?
Explanation: Banner grabbing on port 22 (SSH) is the most valuable next step because it directly identifies the SSH server version (e.g., OpenSSH 7.4). Knowing the exact version allows you to cross-reference known vulnerabilities (CVEs) for that specific SSH implementation, which is a common high-risk attack vector during internal penetration tests. While version detection already identified the service, banner grabbing can reveal additional details like patch levels or configuration quirks that version detection might miss.
A network administrator needs to identify all devices on a large corporate network that are running a specific vulnerable version of OpenSSH. The administrator has network access and can use scanning tools. However, scanning the entire network might disrupt operations. Which approach minimizes disruption while accurately identifying the vulnerable hosts?
Explanation: Option B is correct because it targets only TCP port 22 (the default SSH port) with a SYN scan, which is stealthier and faster than a full connect scan, and enables version detection to identify the specific vulnerable OpenSSH version. This minimizes disruption by avoiding scanning unnecessary ports and reduces network load, while accurately pinpointing vulnerable hosts.
You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?
Explanation: Traceroute is the correct technique because it is specifically designed to map the path packets take from a source to a destination by manipulating the Time-to-Live (TTL) field in IP headers. As each hop decrements the TTL, routers along the path send ICMP Time Exceeded messages (or UDP responses in some implementations), revealing their IP addresses and thus identifying intermediate devices like routers and firewalls.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Scanning Networks and Enumeration. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Scanning Networks and Enumeration questions on the CEH frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Scanning Networks and Enumeration is tested as part of the Certified Ethical Hacker CEH blueprint. Practicing with targeted Scanning Networks and Enumeration questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CEH practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Scanning Networks and Enumeration is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.