Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CEH Scanning Networks and Enumeration Practice Questions

19+ practice questions focused on Scanning Networks and Enumeration — one of the most tested topics on the Certified Ethical Hacker CEH exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Scanning Networks and Enumeration Questions

1.

During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?

A. A stateful firewall is blocking inbound SYN packets to port 80 but allowing responses to outbound connections.
B. The web server is running on a non-standard port that you did not scan.
C. The server's TCP/IP stack is misconfigured and does not respond to SYN scans.
D. A web application firewall is blocking the SYN scan traffic.

Explanation: A stateful firewall tracks the state of network connections. When you browse to the server, your browser initiates an outbound TCP connection, and the firewall allows the return SYN-ACK packets as part of the established session. However, a standalone TCP SYN scan sends unsolicited SYN packets to port 80, which the firewall sees as a new inbound connection attempt and blocks, preventing the server from responding. The server's ICMP echo reply is allowed because ICMP is stateless and not typically filtered by the same rules.

2.

A security analyst is using Nmap to scan a network segment 192.168.1.0/24 and wants to identify live hosts without sending packets to every IP. Which scan type should the analyst use to minimize network traffic while discovering active hosts?

A. TCP SYN scan using `nmap -sS`
B. ARP scan using `nmap -PR`
C. Ping sweep using `nmap -sn`
D. UDP scan using `nmap -sU`

Explanation: Option C is correct because `nmap -sn` (ping sweep) sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default, allowing the analyst to discover live hosts without scanning every port or sending packets to every IP individually. This minimizes network traffic compared to full port scans while still efficiently identifying active devices on the 192.168.1.0/24 subnet.

3.

During an internal penetration test, you are tasked with enumerating services on a target server. You run a full TCP port scan and find that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. You then perform version detection on these ports. Which additional enumeration step would provide the most valuable information for identifying potential vulnerabilities?

A. Perform banner grabbing on port 22 to identify the SSH version.
B. Perform SNMP enumeration to gather system information.
C. Attempt a DNS zone transfer from the server.
D. Enumerate NetBIOS names using `nbtstat`.

Explanation: Banner grabbing on port 22 (SSH) is the most valuable next step because it directly identifies the SSH server version (e.g., OpenSSH 7.4). Knowing the exact version allows you to cross-reference known vulnerabilities (CVEs) for that specific SSH implementation, which is a common high-risk attack vector during internal penetration tests. While version detection already identified the service, banner grabbing can reveal additional details like patch levels or configuration quirks that version detection might miss.

4.

A network administrator needs to identify all devices on a large corporate network that are running a specific vulnerable version of OpenSSH. The administrator has network access and can use scanning tools. However, scanning the entire network might disrupt operations. Which approach minimizes disruption while accurately identifying the vulnerable hosts?

A. Conduct a full TCP port scan of the entire network using SYN scan.
B. Run a TCP SYN scan on port 22 only, with version detection enabled, across the target IP range.
C. Use a ping sweep to identify live hosts, then perform a version scan on each.
D. Perform an ARP scan of the entire subnet and then check each host manually.

Explanation: Option B is correct because it targets only TCP port 22 (the default SSH port) with a SYN scan, which is stealthier and faster than a full connect scan, and enables version detection to identify the specific vulnerable OpenSSH version. This minimizes disruption by avoiding scanning unnecessary ports and reduces network load, while accurately pinpointing vulnerable hosts.

5.

You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?

A. Traceroute
B. Banner grabbing
C. DNS enumeration
D. SNMP walk

Explanation: Traceroute is the correct technique because it is specifically designed to map the path packets take from a source to a destination by manipulating the Time-to-Live (TTL) field in IP headers. As each hop decrements the TTL, routers along the path send ICMP Time Exceeded messages (or UDP responses in some implementations), revealing their IP addresses and thus identifying intermediate devices like routers and firewalls.


How to master Scanning Networks and Enumeration for CEH

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Scanning Networks and Enumeration. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Scanning Networks and Enumeration questions on the CEH frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CEH Scanning Networks and Enumeration questions are on the real exam?

The exact number varies per candidate. Scanning Networks and Enumeration is tested as part of the Certified Ethical Hacker CEH blueprint. Practicing with targeted Scanning Networks and Enumeration questions ensures you can handle any format or difficulty that appears.

Are these CEH Scanning Networks and Enumeration practice questions free?

Yes. Courseiva provides free CEH practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Scanning Networks and Enumeration one of the harder CEH topics?

Difficulty is subjective, but Scanning Networks and Enumeration is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Scanning Networks and Enumeration
Exam: CEH
Questions available: 19+