CCNA Introduction to Ethical Hacking Questions

13 questions · Introduction to Ethical Hacking · All types, answers revealed

1 · MCQ · medium

A security analyst suspects that an attacker is scanning their network. They notice a large number of TCP SYN packets being sent to various ports on a single host, but no SYN-ACK responses are returned. Which type of scan is most likely being used?

A. TCP connect scan
B. UDP scan
C. SYN scan
D. FIN scan
Answer: C

SYN scan sends SYN packets; lack of SYN-ACK indicates filtered/closed ports.

Why this answer

C is correct because a SYN scan (also known as a half-open scan) sends TCP SYN packets to target ports and does not complete the three-way handshake. If no SYN-ACK is returned, it indicates the port is filtered or the host is not responding, which matches the scenario where the attacker receives no SYN-ACK responses. This scan is stealthier than a full TCP connect scan because it never establishes a full connection.

Exam trap

The trap here is that candidates often confuse SYN scan with TCP connect scan, thinking that any TCP scan must complete the handshake, but the key distinction is that SYN scan never sends the final ACK, making it half-open and stealthier.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK) and would result in SYN-ACK responses for open ports, not the absence of them. Option B is wrong because a UDP scan sends UDP packets, not TCP SYN packets, and relies on ICMP unreachable messages or lack of response, not TCP SYN-ACK behavior. Option D is wrong because a FIN scan sends TCP packets with the FIN flag set, not SYN packets, and expects RST responses for closed ports, not SYN-ACKs.

2 · Matching · medium

Match each IDS/IPS term to its meaning.

Descriptions (match each to its IDS/IPS term):
- Alert on benign activity
- Failing to detect an actual attack
- Detects known attack patterns
- Detects deviations from normal behavior
- Decoy system to attract attackers

Why these pairings

These concepts are essential for understanding intrusion detection and prevention.

3 · MCQ · hard

Based on the exhibit, what type of attack is being attempted?

A. Directory Traversal
B. Command Injection
C. SQL Injection
D. Cross-Site Scripting
Answer: A

The encoded path attempts to access /etc/passwd via traversal.

Why this answer

The exhibit shows a URL parameter (e.g., `?file=../../etc/passwd`) that uses `../` sequences to traverse outside the web root directory. This is the classic signature of a directory traversal attack, which attempts to access restricted files like `/etc/passwd` by manipulating file path references. The attack exploits insufficient input validation in the application's file retrieval logic.

Exam trap

The trap here is that candidates often confuse directory traversal with command injection because both involve manipulating input to access system resources, but directory traversal uses path sequences (`../`) while command injection uses shell metacharacters (`;`, `|`, `&`).

How to eliminate wrong answers

Option B is wrong because command injection requires the injection of OS commands (e.g., `; ls` or `| cat /etc/passwd`) into a parameter that is passed to a system shell, not path traversal sequences. Option C is wrong because SQL injection involves injecting SQL syntax (e.g., `' OR 1=1 --`) into database queries, not file path manipulation. Option D is wrong because cross-site scripting (XSS) injects client-side scripts (e.g., `<script>alert(1)</script>`) into web pages, not directory path patterns.

4 · MCQ · hard

Refer to the exhibit. An ethical hacker runs the shown Nmap scan against a target. Which port state indicates that the port is reachable but no service is listening?

A. open
B. closed
C. filtered
D. unfiltered
Answer: B

Closed means reachable but no service listening.

Why this answer

Option B is correct because a 'closed' port in Nmap indicates that the target host responded with a TCP RST (Reset) packet, meaning the port is reachable and the host is alive, but no application is listening on that port. This state confirms the port is accessible (not filtered by a firewall) yet no service is bound to it.

Exam trap

The trap here is that candidates often confuse 'closed' with 'filtered' or 'unfiltered', not realizing that a closed port specifically means the host responded with a TCP RST, proving reachability without a listening service.

How to eliminate wrong answers

Option A is wrong because an 'open' port means a service is actively listening and has responded with a SYN-ACK, not that no service is listening. Option C is wrong because 'filtered' means Nmap cannot determine if the port is open or closed due to packet filtering (e.g., firewall dropping probes), so the port may or may not be reachable. Option D is wrong because 'unfiltered' means the port is reachable but Nmap cannot determine its open/closed state (e.g., from an ACK scan), not that no service is listening.

5 · MCQ · easy

You are a penetration tester hired by a financial services company to assess the security of their external web application. The application is a customer portal hosted on a Linux server with Apache 2.4.6 and PHP 7.2. During reconnaissance, you discover that the server responds to HTTP OPTIONS requests and the Allow header includes PUT and DELETE methods. The application uses a MySQL database backend. You also find a file upload feature in the profile section that accepts JPEG images. While testing, you notice that uploading a file with a .php extension returns a '403 Forbidden' error, but uploading a file with .php5 or .phtml extension succeeds. The uploaded files are stored in /uploads/ directory. What should be your next step to escalate the attack?

A. Use the PUT method to upload a malicious file directly to the web root.
B. Upload a PHP web shell with .phtml extension and access it via the /uploads/ directory to execute commands.
C. Exploit the IIS WebDAV vulnerability to execute commands.
D. Attempt SQL injection in the login form to extract database credentials.
Answer: B

This leverages the upload bypass to achieve code execution.

Why this answer

Option B is correct because the server allows file uploads with .phtml extension, which Apache processes as PHP due to its configuration. Uploading a PHP web shell with .phtml extension to the /uploads/ directory and accessing it directly allows command execution, escalating the attack. This bypasses the 403 Forbidden restriction on .php files while leveraging the existing upload functionality.

Exam trap

The trap here is that candidates may assume PUT method (Option A) is the primary escalation path because it is listed in the Allow header, but they overlook that the file upload feature with .phtml extension is a confirmed, working vector that directly leads to code execution.

How to eliminate wrong answers

Option A is wrong because the PUT method, while listed in the Allow header, typically requires WebDAV to be enabled on Apache, and direct PUT to web root is often restricted by server configuration or requires authentication; it is not a reliable escalation path without further evidence. Option C is wrong because IIS WebDAV vulnerability is specific to Microsoft IIS servers, not Apache on Linux; the server is running Apache 2.4.6 on Linux, so this option is irrelevant. Option D is wrong because SQL injection in the login form is a separate attack vector that may be possible but is not the immediate next step given the confirmed file upload vulnerability with .phtml extension; the question asks for escalation based on the discovered upload flaw.

6 · Drag & Drop · medium

Drag and drop the steps to set up a reverse shell using Netcat into the correct order.


Why this order

Listener first, then victim connects, shell access, execute, cleanup.

7 · Multi-Select · medium

Which THREE of the following are essential phases in the ethical hacking methodology as defined by EC-Council?

Select 3 answers
A. Maintaining Access
B. Scanning
C. Enumeration
D. Reconnaissance
E. Social Engineering
Answers: A, B, D

Maintaining Access is a phase after gaining initial entry.

Why this answer

Maintaining Access is a core phase in the EC-Council ethical hacking methodology because after gaining initial access, the attacker must ensure persistent control over the target system. This involves installing backdoors, rootkits, or creating privileged user accounts to bypass re-authentication. Without this phase, the penetration test would not simulate a real-world advanced persistent threat (APT) scenario.

Exam trap

The trap here is that candidates confuse enumeration as a distinct phase when it is actually a sub-component of the Scanning phase, and they mistake social engineering for a phase rather than recognizing it as a technique that can be used within Reconnaissance or Gaining Access.

8 · Matching · medium

Match each network protocol to its well-known port number.

Port numbers (match each to its protocol):
- 22
- 443
- 53
- 25
- 3389

Why these pairings

These are standard well-known port assignments as defined by IANA.

9 · MCQ · hard

During a penetration test, an ethical hacker needs to evade an IDS that detects port scans based on the number of packets per second. Which technique would be most effective to avoid detection?

A. Use random source ports
B. Use a decoy scan
C. Slow down the scan rate
D. Use fragmented packets
Answer: C

Reducing packets per second avoids triggering rate-based IDS thresholds.

Why this answer

Option C is correct because slowing down the scan rate reduces the number of packets sent per second below the IDS threshold, allowing the scan to blend in with normal traffic. IDS systems like Snort use packet-per-second (pps) counters to detect port scans; by spacing out packets over a longer period, the scan avoids triggering these rate-based alerts.

Exam trap

EC-Council often tests the misconception that fragmentation alone evades IDS, but candidates must remember that rate-based detection counts packets regardless of fragmentation, so slowing the scan is the direct countermeasure.

How to eliminate wrong answers

Option A is wrong because randomizing source ports does not affect the packet-per-second rate; the IDS still counts the same number of packets in the same time window, so detection is not avoided. Option B is wrong because a decoy scan (e.g., using -D in Nmap) sends spoofed packets from multiple IPs, but the total packet rate from the attacker's IP remains unchanged, so the IDS can still detect the scan based on pps. Option D is wrong because fragmented packets (e.g., using -f in Nmap) split TCP headers across multiple IP fragments, but the IDS can reassemble them and still count the total number of packets per second, so the rate-based detection is not bypassed.

10 · Drag & Drop · medium

Drag and drop the steps to perform a TCP three-way handshake into the correct order.


Why this order

The TCP three-way handshake establishes a connection: SYN, SYN-ACK, ACK, then data transfer.

11 · MCQ · medium

You are an ethical hacker hired to assess the security of a mid-sized company's internal network. The company has three departments: Sales, Engineering, and HR, each on separate VLANs. The network uses a single firewall with default-deny rules, but inter-VLAN routing is allowed for specific ports (e.g., HR needs to access Sales database on TCP 1433). During reconnaissance, you discover that the Engineering VLAN has a web server running on port 80 that is accessible from all VLANs. You also find that the Sales VLAN has a file share (SMB) on port 445 that is accessible only from HR. The firewall logs show numerous failed SSH attempts from an external IP to the Engineering web server. Which action should you recommend as the most effective immediate step to reduce the attack surface?

A. Implement a password policy requiring complex passwords for all users.
B. Enable two-factor authentication on the web server.
C. Apply the latest security patches to the web server.
D. Restrict access to the Engineering web server to only the Engineering VLAN.
Answer: D

This immediately reduces the attack surface by limiting unnecessary access.

Why this answer

Option D is correct because the Engineering web server is unnecessarily exposed to all VLANs, including potentially compromised segments. By restricting access to only the Engineering VLAN, you eliminate the attack surface from the Sales and HR VLANs, which is the most immediate and effective reduction in exposure. This aligns with the principle of least privilege and network segmentation, directly mitigating the risk of lateral movement from other VLANs.

Exam trap

The trap here is that candidates focus on the external SSH attacks (which are irrelevant to internal VLAN exposure) and choose patching or authentication improvements, missing that the core issue is unnecessary network-level access from other internal segments.

How to eliminate wrong answers

Option A is wrong because implementing a complex password policy does not address the immediate risk of the web server being accessible from all VLANs; it is a general security hygiene measure that does not reduce the current attack surface. Option B is wrong because enabling two-factor authentication on the web server would protect authentication but does not prevent unauthorized network-level access from other VLANs; the server remains reachable and could still be targeted by exploits or reconnaissance. Option C is wrong because applying the latest security patches, while important, does not reduce the attack surface; the server remains exposed to all VLANs, and a zero-day or unpatched vulnerability could still be exploited from any segment.

12 · Multi-Select · medium

Which TWO of the following are recognized phases of the Ethical Hacking process? (Select TWO.)

Select 2 answers
A. Maintaining Access
B. Scanning
C. Reconnaissance
D. Hiding Evidence
E. Cracking
Answers: A, C

Maintaining Access is a phase after gaining access.

Why this answer

Maintaining Access is a recognized phase in the Ethical Hacking process, as defined by the EC-Council's CEH methodology. After gaining initial access, the ethical hacker must establish persistent access to the target system, often by installing backdoors, rootkits, or creating user accounts. This phase ensures the hacker can return to the system without repeating the exploitation steps, which is critical for simulating a real attacker's long-term presence.

Exam trap

EC-Council often tests the distinction between 'Scanning' and 'Reconnaissance' as separate phases, but the CEH methodology treats Scanning as part of the Reconnaissance phase, not a standalone phase. The trap here is that candidates may incorrectly select Scanning as a separate phase because it is a distinct activity, but the official CEH phases list Reconnaissance as the first phase, encompassing both passive and active scanning.

13 · MCQ · easy

A company wants to test the security of its web application by simulating attacks from an external perspective. They have no prior knowledge of the internal network or application architecture. Which type of test should they perform?

A. Black-box test
B. White-box test
C. Red team engagement
D. Gray-box test
Answer: A

Black-box test simulates an external attacker with no prior knowledge.

Why this answer

A black-box test is the correct choice because the company has no prior knowledge of the internal network or application architecture. This simulates an external attacker with zero insider information, testing the application from an outsider's perspective without access to source code, network diagrams, or credentials. The test relies solely on publicly available information and direct interaction with the application's interfaces.

Exam trap

The trap here is that candidates often confuse 'black-box test' with 'red team engagement', but red team engagements are broader and may include internal knowledge or physical attacks, whereas a black-box test strictly limits information to what is publicly available.

How to eliminate wrong answers

Option B (White-box test) is wrong because it requires full knowledge of the internal architecture, source code, and network design, which contradicts the 'no prior knowledge' condition. Option C (Red team engagement) is wrong because it is a broader, goal-oriented simulation that often includes social engineering and physical breaches, not solely an external web application test without internal knowledge. Option D (Gray-box test) is wrong because it involves partial knowledge (e.g., credentials or API documentation), which the company explicitly lacks.
