
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Certified Ethical Hacker CEH practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: CEH | Vendor: EC-Council

Scenario guide

How to approach refer-to-the-exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Related practice questions

Related CEH topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Footprinting, Reconnaissance and Scanning practice questions

Practise CEH questions linked to Footprinting, Reconnaissance and Scanning.

Enumeration and System Hacking practice questions

Practise CEH questions linked to Enumeration and System Hacking.

Malware, Social Engineering and Network Attacks practice questions

Practise CEH questions linked to Malware, Social Engineering and Network Attacks.

Web Application and Injection Attacks practice questions

Practise CEH questions linked to Web Application and Injection Attacks.

Introduction to Ethical Hacking practice questions

Practise CEH questions linked to Introduction to Ethical Hacking.

Scanning Networks and Enumeration practice questions

Practise CEH questions linked to Scanning Networks and Enumeration.

Vulnerability Analysis and System Hacking practice questions

Practise CEH questions linked to Vulnerability Analysis and System Hacking.

Advanced Topics: Wireless, Cloud, IoT, Cryptography practice questions

Practise CEH questions linked to Advanced Topics: Wireless, Cloud, IoT, Cryptography.

Footprinting and Reconnaissance practice questions

Practise CEH questions linked to Footprinting and Reconnaissance.

Network and Web Application Attacks practice questions

Practise CEH questions linked to Network and Web Application Attacks.

Wireless, IoT and Cloud Security practice questions

Practise CEH questions linked to Wireless, IoT and Cloud Security.

Cryptography and Malware Analysis practice questions

Practise CEH questions linked to Cryptography and Malware Analysis.

Practice set

Practice scenarios

Question 1 (easy, multiple choice)

Refer to the exhibit. An attacker gains access to the user's workstation and wants to find a file containing passwords. Which file is most likely to contain credentials?

Exhibit

Refer to the exhibit.

```
C:\Users\jdoe> net user jdoe /domain
The request will be processed at a domain controller for domain corp.xyz.com.

User name                    jdoe
Full Name                    John Doe
Comment
User's comment
Country code                 001 (United States)
Account active               Yes
Account expires              Never

Password last set            6/15/2024 9:30:00 AM
Password expires             9/13/2024 9:30:00 AM
Password changeable          6/16/2024 9:30:00 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 logon.bat
User profile
Home directory               \\fileserver\home\jdoe
Last logon                   7/10/2024 2:15:00 PM

Logon hours allowed          All

Local Group Memberships      *Domain Users
Global Group memberships     *Domain Users
The command completed successfully.
```
Question 2 (medium, multiple choice)

An ethical hacker runs the command shown in the exhibit. Which of the following conclusions can be drawn from the output?

Exhibit

Refer to the exhibit.

```
C:\Users\tester> nslookup -type=MX exampledomain.com
Server:  dns.example.com
Address:  192.168.1.1

exampledomain.com
        MX preference = 10, mail exchanger = mail1.exampledomain.com
        MX preference = 20, mail exchanger = mail2.exampledomain.com
```
Question 3 (hard, multiple choice)

Refer to the exhibit. During a wireless audit, you capture a beacon frame from a corporate access point. What is the most significant security concern based on this information?

Exhibit

Refer to the exhibit.

```
Wireless Capture: Beacon Frame
SSID: CorpNet
Security: WPA2-PSK
BSSID: 00:11:22:33:44:55
Channel: 6
RSN Information:
  Pairwise Ciphers: CCMP
  Group Cipher: TKIP
```
Question 4 (easy, multiple choice)

Refer to the exhibit. An attacker runs the nslookup command shown. What information has been gathered?

Exhibit

Refer to the exhibit.

```
C:\>nslookup -type=MX example.com
Server:  dns.example.com
Address:  192.0.2.10

example.com     MX preference = 10, mail exchanger = mail1.example.com
example.com     MX preference = 20, mail exchanger = mail2.example.com
```
Question 5 (medium, multiple choice)

A security analyst reviews the iptables firewall configuration on a Linux server acting as a gateway for a small office. The server has two interfaces: eth0 (external) and eth1 (internal, 192.168.1.0/24). Based on the exhibit, which of the following is a valid security concern?

Network Topology
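Refer to the exhibit.

```
# iptables -L -n -v
```

[The rule table is garbled in the source. Surviving fragments, in their original order: `lo * 0.0.0.0/0`, `0 0 ACCEPT all`, `eth0 eth1 192.168.1.0/24`, `eth1 eth0 0.0.0.0/0`, `0 0 ACCEPT tcp`, `0 0 ACCEPT udp`, `100 5400 DROP all`, `eth0 * 0.0.0.0/0`.]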
Question 6 (easy, multiple choice)

Refer to the exhibit. A security analyst runs netstat on a compromised Windows machine. Based on the output, which process is most likely associated with the malicious activity?

Exhibit

Refer to the exhibit.

```
C:\Users\Admin>netstat -anob

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     203.0.113.5:4444       ESTABLISHED     1234
  TCP    192.168.1.10:49153     198.51.100.20:80       TIME_WAIT       5678
  [svchost.exe]
  TCP    192.168.1.10:49154     203.0.113.5:4444       ESTABLISHED     1234
  [explorer.exe]
```
Question 7 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews the firewall log and notices that user jdoe accessed a file server via SMB (port 445) from an internal IP (10.0.0.45) that is not the usual file server subnet. Which type of social engineering attack is most likely being attempted?

Exhibit

Refer to the exhibit.

```
Firewall Log:
Date: 2023-10-12
Time: 14:23:45
Source IP: 10.0.0.45
Destination IP: 192.168.1.100
Protocol: TCP
Port: 445
Action: ALLOW
User: jdoe
Reason: Rule ID 3 (SMB access to file server)
```

Question 8 (hard, multiple choice)

Based on the exhibit, what type of attack is being attempted?

Exhibit

Refer to the exhibit.

```
192.168.1.10   - - [01/Oct/2023:13:55:36 -0400] "GET /index.html HTTP/1.1" 200 2326
192.168.1.10   - - [01/Oct/2023:13:55:37 -0400] "GET /admin/login.php HTTP/1.1" 404 169
192.168.1.10   - - [01/Oct/2023:13:55:38 -0400] "GET /admin/ HTTP/1.1" 403 195
192.168.1.10   - - [01/Oct/2023:13:55:39 -0400] "GET /images/..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 523
192.168.1.10   - - [01/Oct/2023:13:55:40 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 89
```
Question 9 (medium, multiple choice)

During a penetration test, you are tasked with performing footprinting on a target organization. You have identified the target's IP range 192.168.1.0/24. Which of the following techniques would provide the most comprehensive information about the target's network topology and potential entry points?

Question 10 (easy, multiple choice)

Refer to the exhibit. A penetration tester runs the above Nmap scan. Which of the following statements is most accurate regarding the state of port 3389?

Exhibit

Refer to the exhibit.

```
$ sudo nmap -sS -sV -O -p 1-1000 192.168.1.10
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE         VERSION
22/tcp   open     ssh             OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http            Apache httpd 2.4.52
443/tcp  open     ssl/http        Apache httpd 2.4.52
3389/tcp filtered ms-wbt-server
8080/tcp open     http-proxy      Apache httpd 2.4.52
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Network Distance: 1 hop
```
Question 11 (medium, multiple choice)

Refer to the exhibit. An analyst suspects that the downloaded file 'update.exe' may have been tampered with. The vendor's official website lists the SHA256 hash as 4e7c2a8f9b3d1e5f6a0c8b7d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f. What should the analyst conclude?

Exhibit

Refer to the exhibit.

```
C:\> certutil -hashfile C:\Users\Admin\Downloads\update.exe SHA256
SHA256 hash of C:\Users\Admin\Downloads\update.exe:
4e7c2a8f9b3d1e5f6a0c8b7d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f
```
Question 12 (hard, multiple choice)

Refer to the exhibit. An ethical hacker runs the shown Nmap scan against a target. Which port state indicates that the port is reachable but no service is listening?

Exhibit

Refer to the exhibit.
```
$ nmap -sS -T4 -p 22,80,443 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).

PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
443/tcp closed   https

Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds
```
Question 13 (medium, multiple choice)

Refer to the exhibit. An Nmap scan shows that port 80 is 'filtered' while ports 22 and 443 are 'open'. What does the 'filtered' state indicate?

Exhibit

Refer to the exhibit.
```
Starting Nmap 7.92 ( https://nmap.org ) at 2025-03-25 14:22 EDT
Nmap scan report for 10.10.1.45
Host is up (0.045s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   filtered http
443/tcp  open     https
```
Question 14 (easy, multiple choice)

You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?

Question 15 (hard, multiple choice)

Refer to the exhibit. A security analyst runs ping and arp commands. What is the most likely attack occurring?

Network Topology
Refer to the exhibit.

```
C:\Users\Admin>ping 10.0.0.1
Ping statistics for 10.0.0.1:

C:\Users\Admin>arp -a
Interface: 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-11-22-33     dynamic
  10.0.0.1              aa-bb-cc-11-22-33     dynamic
  192.168.1.102         dd-ee-ff-44-55-66     dynamic
```

These CEH practice questions are part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style CEH questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.