Sample questions
Certified Ethical Hacker CEH practice questions
A penetration tester is analyzing a captured TCP session that includes a successful SQL injection attack. Which TWO of the following indicators would most likely confirm that the attack was successful?
- A
The server redirects to a login page (302)
Why wrong: A redirect to login usually occurs after a failed authentication, not a successful SQL injection.
- B
The server returns a 500 Internal Server Error
Why wrong: A 500 error typically indicates a syntax or runtime error, which may mean the injection failed or caused an error.
- C
The response contains database error messages or unexpected data
Database error messages or extra data in the response are strong indicators of successful injection.
- D
The server returns a 200 OK status code
A 200 OK often indicates the injected query executed successfully and returned data.
- E
The client receives no response (timeout)
Why wrong: No response often indicates the injection caused a crash or infinite loop, not success.
You are a security consultant for a mid-sized company that recently migrated its customer relationship management (CRM) system to a public cloud provider (AWS). The CRM is a web application behind an Application Load Balancer (ALB) with WAF enabled. The application stores sensitive customer data in an RDS MySQL database. The security team has configured security groups to allow only HTTPS (443) from the internet to the ALB, and from the ALB to the application servers on port 8080. The application servers can connect to the database on port 3306. During a routine vulnerability scan, you discover that the database is publicly accessible from the internet on port 3306, which contradicts the intended design. You verify that the security group for the database allows inbound traffic from 0.0.0.0/0 on port 3306. The database contains unencrypted personally identifiable information (PII). What is the most effective immediate action to remediate this vulnerability?
- A
Modify the database security group to remove the 0.0.0.0/0 inbound rule and add a rule allowing only the application servers' security group on port 3306.
This restricts access to only authorized sources, closing the exposure.
- B
Enable RDS Enhanced Monitoring and log all connections to the database for forensic analysis.
Why wrong: Logging does not block the open port.
- C
Enable deletion protection on the RDS instance to prevent accidental removal.
Why wrong: Deletion protection does not affect network access.
- D
Enable encryption at rest for the RDS instance using AWS KMS.
Why wrong: Encryption protects data if accessed, but the port remains open.
An organization is implementing a social engineering defense program. Which TWO measures are most effective in reducing the risk of phishing attacks? (Choose two.)
- A
Implement strong password policies with multi-factor authentication.
Why wrong: Passwords do not prevent users from clicking malicious links.
- B
Enforce regular software updates and patch management.
Why wrong: Patching addresses technical vulnerabilities, not social engineering.
- C
Conduct regular security awareness training for all employees.
Training helps users identify and report phishing attempts.
- D
Deploy network segmentation and access control lists.
Why wrong: Segmentation limits damage but does not prevent phishing.
- E
Install advanced email filtering and anti-malware solutions.
Filters block many phishing emails before reaching users.
An ethical hacker is assessing a Linux web server running Apache. The server is suspected to have a remote file inclusion (RFI) vulnerability. Which testing approach is most appropriate to confirm the vulnerability without causing damage?
- A
Craft a request with a local file inclusion parameter pointing to /etc/passwd
This safely confirms RFI by reading a local file, proving the vulnerability.
- B
Use SQLMap to test for SQL injection
Why wrong: SQLMap tests for SQLi, not RFI.
- C
Scan the server with Nikto to detect known RFI signatures
Why wrong: Nikto can detect potential RFI, but manual verification is needed.
- D
Attempt to include a remote URL containing a web shell
Why wrong: This could compromise the server and is not a safe test.
A penetration tester discovers that a target Windows system has port 445 open and responds to SMB requests. Which tool should the tester use to enumerate users, shares, and OS information from this system?
- A
Nikto
Why wrong: Nikto is a web vulnerability scanner, not for SMB.
- B
Hydra
Why wrong: Hydra is for password brute-forcing, not enumeration.
- C
Nmap
Why wrong: Nmap scans ports but does not perform detailed SMB enumeration.
- D
enum4linux
Correct: enum4linux extracts SMB information like users, shares, and OS details.
Which TWO of the following are effective physical security controls to prevent tailgating?
- A
Biometric door lock
Why wrong: A biometric lock authenticates the person presenting the credential but does not prevent someone from following them through.
- B
Mantrap
A mantrap requires one person to pass through and the door to close before the next door opens, preventing tailgating.
- C
CCTV cameras
Why wrong: CCTV detects but does not prevent tailgating.
- D
Security guard
Why wrong: A security guard is a personnel control, not a physical control device.
- E
Turnstile with one-way access
Turnstile physically restricts entry to one person per credential.
Refer to the exhibit. An attacker gains access to the user's workstation and wants to find a file containing passwords. Which file is most likely to contain credentials?
Exhibit
```
C:\Users\jdoe> net user jdoe /domain
The request will be processed at a domain controller for domain corp.xyz.com.

User name                    jdoe
Full Name                    John Doe
Comment                      User's comment
Country code                 001 (United States)
Account active               Yes
Account expires              Never

Password last set            6/15/2024 9:30:00 AM
Password expires             9/13/2024 9:30:00 AM
Password changeable          6/16/2024 9:30:00 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 logon.bat
User profile
Home directory               \\fileserver\home\jdoe
Last logon                   7/10/2024 2:15:00 PM

Logon hours allowed          All

Local Group Memberships      *Domain Users
Global Group memberships     *Domain Users
The command completed successfully.
```
- A
User profile (C:\Users\jdoe)
Why wrong: User profile is a folder, not a specific file.
- B
Home directory on \\fileserver\home\jdoe
Why wrong: Home directory is a network share, not a specific file.
- C
logon.bat script
Logon scripts may contain credentials for network resources.
- D
Active Directory database (NTDS.dit)
Why wrong: NTDS.dit is on the domain controller, not the workstation.
Which TWO of the following are examples of passive footprinting techniques? (Select exactly 2.)
- A
Performing a ping sweep on the target network
Why wrong: Active probing sends packets.
- B
Conducting a port scan with Nmap
Why wrong: Active scanning.
- C
Using Google dorking to find exposed documents
Uses the search engine's existing index rather than touching the target; passive.
- D
Examining job postings for technology clues
Public information gathering with no direct interaction with the target.
- E
Brute forcing subdomains via DNS queries
Why wrong: Active DNS requests.
Which TWO types of information can be obtained through SNMP enumeration on a target device if the community string is 'public'? (Choose two.)
- A
List of running processes
SNMP can retrieve the hrSWRunTable, which lists running processes.
- B
Captured network packets
Why wrong: Packet capture is not an SNMP function.
- C
User account passwords
Why wrong: Passwords are not stored in SNMP MIBs.
- D
Modify network interface settings
Why wrong: Modification requires write access, typically with a different community string.
- E
Routing table entries
SNMP can read the ipRouteTable MIB object.
An ethical hacker runs the command shown in the exhibit. Which of the following conclusions can be drawn from the output?
Exhibit
Refer to the exhibit.
```
C:\Users\tester> nslookup -type=MX exampledomain.com
Server: dns.example.com
Address: 192.168.1.1
exampledomain.com
MX preference = 10, mail exchanger = mail1.exampledomain.com
MX preference = 20, mail exchanger = mail2.exampledomain.com
```
- A
The domain has two mail exchange servers
Two MX records indicate two servers.
- B
The DNS server is configured to block zone transfers
Why wrong: Zone transfer not tested.
- C
Mail is automatically forwarded to a backup server
Why wrong: MX records show preference, not forwarding.
- D
The domain has an SPF record configured
Why wrong: SPF not queried.
Which TWO of the following are characteristics of a Bluetooth Low Energy (BLE) IoT device that make it suitable for a battery-powered sensor?
- A
High data throughput.
Why wrong: BLE has low data rate.
- B
Long range (up to 1 km).
Why wrong: BLE range is typically up to 100 m.
- C
Low energy consumption.
BLE is optimized for low power.
- D
Low data transfer rates.
Sensors send small data.
- E
Operates in unlicensed spectrum like Wi-Fi.
Why wrong: BLE uses 2.4 GHz but is not Wi-Fi.
Refer to the exhibit. During a wireless audit, you capture a beacon frame from a corporate access point. What is the most significant security concern based on this information?
Exhibit
Refer to the exhibit.
```
Wireless Capture: Beacon Frame
SSID: CorpNet
Security: WPA2-PSK
BSSID: 00:11:22:33:44:55
Channel: 6
RSN Information:
  Pairwise Ciphers: CCMP
  Group Cipher: TKIP
```
- A
The pairwise cipher is CCMP, which is outdated.
Why wrong: CCMP is secure and current.
- B
The network uses WPA2-PSK, which is easily cracked.
Why wrong: PSK is not inherently vulnerable.
- C
The beacon frame reveals the BSSID, which is a security risk.
Why wrong: BSSID is publicly broadcast.
- D
The group cipher is TKIP, which is deprecated and vulnerable.
TKIP should not be used.
Drag and drop the steps to perform a buffer overflow exploit in a controlled lab environment into the correct order.
Drag and drop the steps to perform a SQL injection attack manually into the correct order.
Drag and drop the steps to set up a reverse shell using Netcat into the correct order.
Drag and drop the steps to configure a wireless network with WPA2-Enterprise authentication on a Cisco AP into the correct order.
Drag and drop the steps to set up a VPN using IPsec in tunnel mode into the correct order.
Drag and drop the steps to perform a successful social engineering attack in a penetration test into the correct order.
Which TWO vulnerabilities are associated with buffer overflow attacks?
- A
Arbitrary code execution
Successful buffer overflow attacks often lead to arbitrary code execution.
- B
Stack smashing
Stack-based buffer overflows can overwrite return addresses, causing stack smashing.
- C
Authentication bypass via SQL injection
Why wrong: SQL injection is a separate vulnerability.
- D
Cross-site scripting (XSS)
Why wrong: XSS is a client-side injection, not buffer overflow.
- E
Race condition
Why wrong: Race conditions involve timing issues, not buffer overflows.
Refer to the exhibit. An attacker runs the nslookup command shown. What information has been gathered?
Exhibit
```
C:\>nslookup -type=MX example.com
Server:  dns.example.com
Address:  192.0.2.10

example.com     MX preference = 10, mail exchanger = mail1.example.com
example.com     MX preference = 20, mail exchanger = mail2.example.com
```
- A
Mail server addresses and priority
MX records show mail servers and their priority.
- B
Name server records
Why wrong: NS records require a -type=NS query.
- C
IP addresses of the web server
Why wrong: A records are needed for web server IPs.
- D
SPF records for email authentication
Why wrong: SPF is retrieved via TXT records.
Which TWO of the following Nmap scan types are typically used to evade firewalls and IDS systems by sending fragmented packets?
- A
Fragment scan (-f)
Correct: Fragments packets to bypass firewalls.
- B
SYN scan (-sS)
Why wrong: SYN scan is not specifically evasive; it is the default scan.
- C
ACK scan (-sA)
Why wrong: ACK scan is used for firewall rule mapping, not evasion.
- D
Idle scan (-sI)
Correct: Uses a zombie host to spoof IP, evading detection.
- E
Xmas scan (-sX)
Why wrong: Xmas scan is detectable and not evasive.
During a penetration test, you discover that the target organization uses a cloud-based email service. Which technique would allow you to gather employee email addresses and potentially infer internal organizational structure?
- A
Perform a WHOIS lookup on the domain
Why wrong: WHOIS provides registrar info, not individual emails.
- B
Attempt a DNS zone transfer
Why wrong: Zone transfers typically fail or return only DNS records, not emails.
- C
Run an nmap scan against the mail server
Why wrong: Nmap reveals open ports and services, not email addresses.
- D
Use Google dorking to find publicly exposed email lists
Google dorks can locate files containing email addresses.
A penetration tester is analyzing a Windows 10 system and runs the following command to dump password hashes from the SAM database. The output shows hashes for local users but some are missing. Which step is most likely missing?
- A
Run the tool as Administrator
Why wrong: Administrator privileges are required but not sufficient to read the locked SAM file directly.
- B
Use reg.exe save to export SAM hive
Why wrong: The SAM hive is locked when the OS is running; reg save may fail without admin privileges or VSS.
- C
Create a Volume Shadow Copy to access SAM file
VSS provides a read-only snapshot of the SAM file, bypassing the OS lock.
- D
Enable SeDebugPrivilege for the current process
Why wrong: SeDebugPrivilege is needed for process injection but does not unlock the SAM file.
A penetration tester is assessing the security of a smart building's IoT infrastructure. The building uses Zigbee sensors for temperature and motion detection, and some devices communicate using MQTT over Wi-Fi. During the assessment, the tester captures traffic and notices that some Zigbee devices are sending unencrypted frames containing sensor IDs and values. Which TWO actions should the tester recommend to mitigate the identified vulnerabilities? (Choose two.)
- A
Enable Zigbee security suite (AES-128 encryption) on all sensor devices.
Zigbee supports encryption; enabling it protects data in transit.
- B
Configure MQTT to use TLS 1.2 with mutual authentication between brokers and clients.
TLS encrypts MQTT traffic, preventing sniffing.
- C
Disable encryption on MQTT to reduce latency and improve performance.
Why wrong: Disabling encryption increases vulnerability.
- D
Implement device authentication using pre-shared keys only for Zigbee devices.
Why wrong: Authentication alone does not encrypt the payload.
- E
Segment the IoT devices into a separate VLAN and restrict access with ACLs.
Why wrong: Segmentation limits exposure but does not encrypt the data.