CCNA Ceh Recon Scanning Questions

75 of 155 questions · Page 2/3 · Ceh Recon Scanning topic · Answers revealed

76 · MCQ · medium

During a penetration test, a tester runs 'dnsrecon -d example.com -t axfr' and receives a full list of DNS records. What does this indicate about the target's DNS configuration?

A. The DNS server has DNSSEC enabled
B. The DNS server allows recursive queries
C. The DNS server allows zone transfers from any host
D. The DNS server is authoritative for the domain

Answer: C

A successful AXFR means the server is configured to allow zone transfers to unauthorized hosts.

Why this answer

The 'dnsrecon -d example.com -t axfr' command performs a DNS zone transfer (AXFR) request. Receiving a full list of DNS records indicates that the target DNS server is misconfigured to allow zone transfers from any host, which exposes the entire DNS zone data (including internal hostnames and IP addresses) to unauthorized parties. This is a critical information disclosure vulnerability.

Exam trap

The trap here is that candidates confuse 'authoritative' with 'vulnerable'. Being authoritative is normal; allowing unrestricted zone transfers is the misconfiguration. EC-Council often tests this by making option D sound correct because the server is authoritative, but the real issue is the lack of access control on the AXFR query.

How to eliminate wrong answers

Option A is wrong because DNSSEC (DNS Security Extensions) provides data integrity and authentication via digital signatures, but it does not control or prevent zone transfers; a server can have DNSSEC enabled and still allow unauthorized AXFR. Option B is wrong because recursive queries allow the DNS server to resolve queries for external domains on behalf of clients, which is a separate setting (often controlled by 'allow-recursion') and not directly related to zone transfer permissions. Option D is wrong because being authoritative for a domain means the server holds the official zone data for that domain, which is normal and expected; the security issue is not that it is authoritative, but that it allows zone transfers from any host without restriction.

77 · MCQ · easy

Which Google dork would a penetration tester use to find login pages of websites that have 'admin' in the URL?

A. site:admin login
B. filetype:pdf admin login
C. intitle:"login" inurl:admin
D. inurl:"admin" inurl:"login"

Answer: D

inurl:admin finds URLs containing 'admin', and inurl:login finds URLs containing 'login'. Combined, they find login pages with 'admin' in the URL.

Why this answer

Option D is correct because the Google dork `inurl:"admin" inurl:"login"` specifically searches for pages where both 'admin' and 'login' appear in the URL. This is a precise way to find login pages on administrative interfaces, as it targets URLs containing both terms, which is a common pattern for admin login portals.

Exam trap

The trap here is that candidates often choose `intitle:"login" inurl:admin` (Option C) thinking it's more comprehensive, but they overlook that many admin login pages do not have 'login' in the HTML title tag, making the `intitle:` operator too restrictive for this specific goal.

How to eliminate wrong answers

Option A is wrong because `site:admin login` is not a valid Google dork; `site:` requires a domain name, not a keyword, and 'admin login' as a search phrase would just match pages containing those words anywhere, not specifically in the URL. Option B is wrong because `filetype:pdf admin login` restricts results to PDF files, which is irrelevant for finding login pages (typically HTML/ASPX/PHP), and the terms 'admin' and 'login' are searched in the page content, not the URL. Option C is wrong because `intitle:"login" inurl:admin` searches for pages with 'login' in the title and 'admin' in the URL, but this misses pages where 'login' is only in the URL (not the title), which is common for many admin login pages.

78 · MCQ · medium

During a reconnaissance phase, a tester uses `dnsrecon -d example.com -t axfr`. What specific DNS query is being attempted?

A. A subdomain brute-force
B. A zone transfer request
C. A reverse DNS lookup
D. A SRV record enumeration

Answer: B

-t axfr specifies a zone transfer attempt.

Why this answer

The `-t axfr` flag in `dnsrecon` specifies a zone transfer request (AXFR). This query attempts to retrieve the entire DNS zone file from a nameserver, which can reveal all DNS records for the domain. A successful zone transfer is a critical misconfiguration because it exposes internal network topology and hostnames.

Exam trap

The trap here is that candidates may confuse `-t axfr` with other reconnaissance techniques like brute-forcing or record enumeration, but the CEH exam specifically tests the exact command flag for zone transfers.

How to eliminate wrong answers

Option A is wrong because a subdomain brute-force uses a wordlist to guess subdomains, not the AXFR query type. Option C is wrong because a reverse DNS lookup queries an IP address for a PTR record, not a domain for a zone transfer. Option D is wrong because SRV record enumeration uses the `-t srv` flag or similar, not `-t axfr`, which is specific to zone transfers.

79 · MCQ · medium

Which Google dork query would an attacker most likely use to find login pages on a web server?

A. inurl:admin
B. intitle:login
C. site:example.com filetype:pdf
D. link:example.com

Answer: B

This directly finds pages with 'login' in the title.

Why this answer

Option B is correct because the Google dork 'intitle:login' specifically searches for web pages where the word 'login' appears in the HTML title tag. Attackers use this to quickly discover login portals, as many web applications include 'login' in the page title, making it a reliable footprinting technique for identifying authentication interfaces.

Exam trap

The trap here is that candidates often confuse 'inurl:admin' with login page discovery, but 'admin' in the URL typically points to administrative backends rather than user login portals, which are more commonly identified by the title tag containing 'login'.

How to eliminate wrong answers

Option A is wrong because 'inurl:admin' searches for URLs containing 'admin', which may return admin panels or directories but is less specific to login pages and often yields broader results like admin dashboards or configuration pages. Option C is wrong because 'site:example.com filetype:pdf' restricts results to PDF files on a specific domain, which is useful for document discovery but not for finding login pages. Option D is wrong because 'link:example.com' is a deprecated Google operator that lists pages linking to a given URL, not a method for locating login pages on the target server.

80 · MCQ · medium

During a penetration test, you execute a DNS zone transfer request against a target domain and succeed. Which type of DNS record would you expect to reveal the mail servers for the domain?

A. CNAME record
B. MX record
C. A record
D. NS record

Answer: B

MX records direct email to the correct mail servers.

Why this answer

An MX (Mail Exchange) record is the DNS record type that specifies the mail servers responsible for accepting email messages on behalf of a domain. During a successful DNS zone transfer, the full zone file is retrieved, and MX records are included, directly revealing the domain's mail server hostnames and priority values.

Exam trap

EC-Council often tests the distinction between record types by making candidates confuse the purpose of an MX record with an A record or CNAME, especially when the question involves identifying services rather than simple hostname resolution.

How to eliminate wrong answers

Option A is wrong because a CNAME (Canonical Name) record is an alias that maps one domain name to another, not a record that directly identifies mail servers. Option C is wrong because an A (Address) record maps a hostname to an IPv4 address; while it could resolve a mail server's hostname to an IP, it does not itself designate which servers handle mail for the domain. Option D is wrong because an NS (Name Server) record delegates a zone to authoritative name servers, not mail servers.

81 · MCQ · medium

While performing reconnaissance, a tester uses a Google dork to find login pages exposed on the internet. Which of the following is an example of a Google dork that could be used for this purpose?

A. inurl:login.php
B. site:example.com -www
C. filetype:pdf
D. link:example.com

Answer: A

This dork finds URLs containing 'login.php'.

Why this answer

Option A is correct because the Google dork 'inurl:login.php' instructs Google to return only URLs that contain the string 'login.php' in the URL path. This is a classic reconnaissance technique to discover exposed login pages, as many web applications use 'login.php' as the default authentication endpoint. The 'inurl:' operator filters search results based on the literal text in the URL, making it ideal for footprinting specific web resources.

Exam trap

EC-Council often tests the distinction between operators that search URL content ('inurl:') versus page content ('intitle:') or file types ('filetype:'), leading candidates to confuse 'filetype:pdf' as a valid dork for finding login pages when it actually targets document files.

How to eliminate wrong answers

Option B is wrong because 'site:example.com -www' restricts results to the domain 'example.com' while excluding subdomains containing 'www', which is useful for narrowing scope but does not specifically target login pages. Option C is wrong because 'filetype:pdf' limits results to PDF files, which are documents, not interactive login pages; it is used for finding documents, not web application endpoints. Option D is wrong because 'link:example.com' is a deprecated Google operator that used to find pages linking to a specific URL; it does not search for login pages and is no longer supported by Google.

82 · MCQ · easy

What is the primary purpose of using the Nmap flag -sS?

A. Enable OS detection
B. Perform a SYN stealth scan
C. Perform a UDP scan
D. Perform a TCP connect scan

Answer: B

-sS is the SYN stealth scan flag.

Why this answer

The Nmap flag -sS instructs Nmap to perform a SYN stealth scan, also known as a half-open scan. It sends a TCP SYN packet to the target port and, if a SYN/ACK is received, the port is considered open; the scanner then sends a RST to tear down the connection before the full TCP three-way handshake completes. Because the connection is never completed, the scan is less likely to be logged by the target's application layer; it is also the default scan type when Nmap is run with root privileges.

Exam trap

EC-Council often tests the distinction between -sS (SYN stealth) and -sT (TCP connect), where candidates mistakenly think -sS completes the handshake or that -sT is the stealthier option.

How to eliminate wrong answers

Option A is wrong because OS detection is enabled with the -O flag, not -sS. Option C is wrong because a UDP scan is performed using the -sU flag, which sends UDP packets to target ports. Option D is wrong because a TCP connect scan uses the -sT flag, which completes the full three-way handshake using the operating system's connect() system call, unlike the half-open SYN scan.

83 · Multi-Select · medium

Which TWO OSINT tools are commonly used to gather email addresses and subdomains associated with a target domain? (Select 2)

Select 2 answers
A. Nmap
B. Nessus
C. theHarvester
D. Maltego
E. Shodan

Answers: C, D

theHarvester collects emails, subdomains, and names from search engines, PGP key servers, etc.

Why this answer

theHarvester is a dedicated OSINT tool designed to gather email addresses, subdomains, IPs, and virtual hosts from public sources such as search engines (Google, Bing), PGP key servers, and the SHODAN database. It directly queries these sources to enumerate email addresses and subdomains associated with a target domain, making it a primary choice for passive reconnaissance.

Exam trap

The trap here is that candidates often confuse Shodan as an OSINT tool for email/subdomain gathering because it is a well-known reconnaissance resource, but Shodan specifically indexes internet-facing devices and services, not domain-associated emails or subdomains.

84 · Multi-Select · hard

A penetration tester runs `nmap -sS -sV -O -p- 192.168.1.10` and receives the following output snippet: 'PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 80/tcp open http Apache httpd 2.4.6 443/tcp open ssl/http Apache httpd 2.4.6'. Which THREE pieces of information can the tester derive from this output? (Choose 3)

Select 3 answers
A. The target has a vulnerability in OpenSSH 7.4
B. The -sV flag was used for version detection
C. The Apache server version is 2.4.6
D. The target is vulnerable to the Heartbleed bug
E. The target is running a Linux-based operating system

Answers: B, C, E

The presence of version numbers in the output indicates -sV was used.

Why this answer

Option B is correct because the `-sV` flag in Nmap explicitly enables version detection, which probes open ports to determine the service and version information displayed in the output (e.g., 'OpenSSH 7.4', 'Apache httpd 2.4.6'). Without `-sV`, Nmap would only report the service name based on its port mapping (e.g., 'ssh', 'http'), not the specific version numbers.

Exam trap

The trap here is that candidates assume version numbers automatically imply a vulnerability (like Heartbleed or an OpenSSH flaw) without recognizing that Nmap output only reports versions, not exploitability, and that Heartbleed is specific to OpenSSL, not Apache or OpenSSH.

85 · MCQ · easy

A penetration tester uses theHarvester to gather information about a target domain. Which of the following data types is theHarvester PRIMARILY designed to collect?

A. Live network traffic captures
B. Password hashes
C. Email addresses and subdomains
D. Vulnerability scan results

Answer: C

Its primary purpose is to gather emails and subdomains associated with a domain.

Why this answer

theHarvester is an open-source intelligence (OSINT) tool designed to perform passive reconnaissance by querying public sources such as search engines (Google, Bing), PGP key servers, and the Shodan API. Its primary function is to collect email addresses, subdomains, IP addresses, and virtual hosts associated with a target domain, aiding in the footprinting phase of a penetration test.

Exam trap

The trap here is that candidates confuse theHarvester's passive OSINT collection with active scanning or exploitation tools, leading them to select options related to network traffic, password cracking, or vulnerability scanning.

How to eliminate wrong answers

Option A is wrong because theHarvester does not capture live network traffic; that is the function of packet sniffers like tcpdump or Wireshark, which operate at the data-link layer. Option B is wrong because theHarvester does not extract password hashes; hash retrieval is typically performed by tools like Hashcat or John the Ripper after obtaining a password database dump. Option D is wrong because theHarvester does not perform vulnerability scanning; vulnerability assessment is done by tools like Nessus or OpenVAS, which actively probe services for known CVEs.

86 · MCQ · hard

A penetration tester is trying to evade an IDS that detects out-of-order TCP packets. The tester uses Nmap with the -f flag. What is the PRIMARY effect of this flag?

A. Splits the TCP header into multiple packets to bypass simple packet filters
B. Slows down the scan to avoid triggering rate-based alarms
C. Sends packets from multiple decoy IP addresses to obscure the source
D. Spoofs the source IP address to hide the attacker's identity

Answer: A

Fragmenting packets can evade IDS that don't reassemble fragments before inspection.

Why this answer

The `-f` flag in Nmap fragments the IP packet into smaller pieces, typically 8-byte fragments, which splits the TCP header across multiple packets. This fragmentation causes the IDS to see out-of-order or incomplete TCP headers, making it harder for signature-based detection to reassemble and match malicious patterns, thus bypassing simple packet filters that do not perform full TCP reassembly.

Exam trap

The trap here is that candidates often confuse the `-f` flag with decoy or spoofing techniques, but the primary effect is fragmentation to evade packet filters and simple IDS, not to hide the source IP or slow the scan.

How to eliminate wrong answers

Option B is wrong because the `-f` flag does not control scan timing; slowing down to avoid rate-based alarms is achieved with the `-T` (timing) flags, such as `-T0` or `-T1`. Option C is wrong because sending packets from multiple decoy IP addresses is the function of the `-D` (decoy) flag, not `-f`. Option D is wrong because spoofing the source IP address is done with the `-S` flag or by using a spoofed source address in raw packets, not by fragmentation.

87 · Multi-Select · medium

Which TWO of the following techniques are considered passive reconnaissance? (Select exactly 2.)

Select 2 answers
A. Performing a WHOIS lookup
B. Connecting to a web server to grab its banner
C. Sending ICMP echo requests to a target
D. Using Google dorks to find exposed files
E. Running a Nmap SYN scan

Answers: A, D

WHOIS queries public databases, with no direct interaction with the target.

Why this answer

A WHOIS lookup queries public databases (e.g., whois.arin.net) to retrieve registration details for domains or IP blocks. This process does not send any packets directly to the target system; it relies on third-party servers, making it a passive reconnaissance technique.

Exam trap

EC-Council often tests the distinction that any technique involving direct interaction with the target's network stack (even a single packet or connection) is active, while passive methods rely on third-party sources or pre-existing data.

88 · MCQ · easy

A security analyst wants to gather information about a target domain using publicly available sources without directly interacting with the target’s systems. Which type of reconnaissance is being performed?

A. Vulnerability scanning
B. Social engineering
C. Active reconnaissance
D. Passive reconnaissance

Answer: D

Passive reconnaissance uses publicly available information without direct interaction.

Why this answer

Passive reconnaissance involves collecting information about a target from publicly available sources without sending any packets or making direct contact with the target's systems. This approach relies on open-source intelligence (OSINT) such as WHOIS records, DNS lookups, search engines, and social media, ensuring no footprint is left on the target's network.

Exam trap

The trap here is confusing passive reconnaissance with active reconnaissance; candidates often think any information gathering is 'active' because it involves tools, but the key distinction is whether the target's systems are directly contacted (active) or not (passive).

How to eliminate wrong answers

Option A is wrong because vulnerability scanning is an active process that sends probes (e.g., SYN packets, HTTP requests) to identify weaknesses, directly interacting with target systems. Option B is wrong because social engineering involves manipulating people to divulge information, which requires direct interaction (e.g., phishing emails, phone calls) and is not a reconnaissance technique based solely on public sources. Option C is wrong because active reconnaissance involves direct engagement with the target's systems (e.g., port scanning with Nmap, banner grabbing), generating traffic that can be logged or detected.

89 · Multi-Select · hard

Which THREE of the following are correct statements about DNS zone transfers?

Select 3 answers
A. A successful zone transfer reveals all DNS records for the domain
B. The tool dnsrecon can attempt a zone transfer
C. Zone transfers are encrypted by default
D. Zone transfers should be restricted to authorized secondary DNS servers
E. Zone transfers use UDP port 53

Answers: A, B, D

Zone transfers provide a complete copy of the zone data.

Why this answer

A successful DNS zone transfer (AXFR) returns the complete zone file, which contains all DNS records for the domain, including A, AAAA, MX, CNAME, NS, and TXT records. This is why it is a critical information-gathering step during reconnaissance.

Exam trap

The trap here is that candidates confuse DNS query transport (UDP 53) with zone transfer transport (TCP 53), and assume zone transfers are encrypted by default when they are not.

90 · Multi-Select · medium

Which THREE of the following are valid methods to prevent DNS zone transfer attacks? (Select 3)

Select 3 answers
A. Increase the SOA refresh interval
B. Disable recursive queries for external hosts
C. Use TSIG (Transaction Signatures) for authentication
D. Restrict zone transfers to specific IP addresses
E. Block all inbound traffic on UDP port 53

Answers: B, C, D

This prevents external hosts from using the DNS server as a resolver, though its benefit against zone transfers is indirect.

Why this answer

Option B is correct because disabling recursive queries for external hosts prevents DNS servers from being used in amplification attacks and also limits the information that can be obtained via zone transfers. Recursive queries are not required for zone transfers (which use TCP port 53), but disabling recursion for external hosts reduces the attack surface by preventing unauthorized users from querying the server for all records in a domain.

Exam trap

The trap here is that candidates often confuse the roles of UDP and TCP in DNS, incorrectly assuming that blocking UDP port 53 will stop zone transfers, when in fact zone transfers use TCP port 53 and blocking UDP 53 only breaks normal queries.

91 · MCQ · medium

A security analyst receives an alert from the IDS indicating a port scan originating from IP 10.0.0.5. Upon investigation, the analyst finds that 10.0.0.5 is a legitimate internal server. Which type of scan is the attacker likely using to evade detection?

A. SYN scan
B. Idle scan
C. Decoy scan
D. Fragmentation scan

Answer: C

Decoy scan includes multiple fake source IPs to hide the real attacker. The IDS may flag a decoy IP.

Why this answer

A decoy scan (option C) is the correct answer because it allows the attacker to blend their real IP address with multiple spoofed IP addresses, making it appear as though the scan originates from several hosts. In this scenario, the IDS alerts on IP 10.0.0.5, which is a legitimate internal server, indicating that the attacker is using that server's IP as a decoy to evade detection and misdirect the analyst's investigation.

Exam trap

The trap here is that candidates often confuse a decoy scan with an idle scan, mistakenly thinking that using a legitimate internal server as a decoy is the same as using a zombie host, but idle scans rely on IP ID side-channel analysis and do not involve spoofing the attacker's own traffic.

How to eliminate wrong answers

Option A is wrong because a SYN scan sends raw SYN packets and does not spoof the source IP; the attacker's real IP would be directly visible in the IDS logs, not a legitimate internal server. Option B is wrong because an idle scan (also known as a zombie scan) uses a third-party host (the zombie) with a predictable IP ID sequence to indirectly probe the target, but the scan traffic appears to come from the zombie, not from a legitimate internal server like 10.0.0.5. Option D is wrong because a fragmentation scan splits TCP headers into multiple small IP fragments to evade simple packet filters, but it does not alter the source IP address, so the attacker's real IP would still be logged.

92 · MCQ · medium

A penetration tester is conducting a vulnerability scan against a target network. Which of the following tools is BEST suited for this task?

A. Nessus
B. Nmap
C. Wireshark
D. Metasploit

Answer: A

Nessus is a comprehensive vulnerability scanner that checks for thousands of vulnerabilities.

Why this answer

Nessus is a dedicated vulnerability scanner that automates the process of identifying known vulnerabilities, misconfigurations, and missing patches across a target network. It uses a large plugin database (e.g., NASL scripts) to perform non-intrusive checks against services and operating systems, making it the best tool for a vulnerability scan. Unlike general-purpose tools, Nessus is specifically designed to correlate scan results with CVE entries and provide risk ratings, which is the core requirement of a vulnerability assessment.

Exam trap

The trap here is that candidates confuse network scanning (Nmap) with vulnerability scanning (Nessus), assuming that any tool that discovers open ports can also assess vulnerabilities, but CEH distinguishes between reconnaissance tools and dedicated vulnerability assessment tools.

How to eliminate wrong answers

Option B (Nmap) is wrong because Nmap is a network mapper and port scanner, not a vulnerability scanner; while it can detect open ports and services via scripts (NSE), it lacks a comprehensive vulnerability database and automated plugin-based assessment. Option C (Wireshark) is wrong because Wireshark is a packet analyzer used for deep inspection of network traffic, not for scanning systems for vulnerabilities; it captures and dissects packets but does not perform active vulnerability checks. Option D (Metasploit) is wrong because Metasploit is an exploitation framework designed to verify and exploit vulnerabilities after they are identified, not to conduct a broad vulnerability scan; using it for scanning would be inefficient and potentially destructive without prior assessment.

93 · MCQ · medium

A security analyst notices a large number of incomplete TCP connections (SYN_RECV) on a server. Which Nmap scan type is the MOST likely cause of this symptom?

A. SYN scan (-sS)
B. Ping sweep (-sn)
C. TCP Connect scan (-sT)
D. UDP scan (-sU)

Answer: A

A SYN scan sends a SYN and, after receiving the SYN-ACK, never completes the handshake, leaving the connection half-open (SYN_RECV).

Why this answer

A SYN scan (-sS) sends a SYN packet to initiate a TCP handshake and, upon receiving a SYN/ACK, sends a RST to tear down the connection before it completes. This leaves the server with half-open connections in the SYN_RECV state because the three-way handshake is never finished. The large number of incomplete connections directly matches the behavior of a SYN scan.

Exam trap

The trap here is that candidates confuse SYN scan with TCP Connect scan, assuming both complete the handshake, but SYN scan deliberately avoids the final ACK to remain stealthy, leaving the connection half-open in SYN_RECV.

How to eliminate wrong answers

Option B (Ping sweep, -sn) is wrong because it only sends ICMP echo requests or TCP/UDP probes to determine if hosts are alive, not to establish TCP connections, so it cannot produce SYN_RECV states. Option C (TCP Connect scan, -sT) is wrong because it completes the full three-way handshake (SYN, SYN/ACK, ACK) and then sends a RST, leaving the connection in ESTABLISHED state only briefly, not in SYN_RECV. Option D (UDP scan, -sU) is wrong because UDP is connectionless and does not use SYN packets or maintain connection states like SYN_RECV.

94 · MCQ · medium

A security team wants to identify all live hosts on a large, Class B private IP network (172.16.0.0/16) as quickly as possible while minimizing network load. Which tool and technique should they use?

A. Masscan with --ping to send ICMP echo requests across the /16 range
B. Use theHarvester to query DNS records for the domain
C. Nmap with -sn (ping sweep) on all 65536 IPs
D. hping3 with --icmp on each IP sequentially

Answer: A

Masscan can send ICMP echo requests at very high rates, making it ideal for fast host discovery on large networks.

Why this answer

Masscan is designed for high-speed scanning and can send ICMP echo requests across a /16 range (65,536 IPs) in seconds, far faster than Nmap or hping3, while its --ping mode minimizes network load by using stateless packet transmission. This makes it the optimal choice for quickly identifying live hosts on a large private network without overwhelming the network.

Exam trap

The trap here is that candidates often assume Nmap's -sn is the fastest option because it is the most commonly used ping sweep tool, but they overlook Masscan's specialized design for ultra-high-speed scanning across large ranges, which is explicitly tested in CEH questions about minimizing time and network load.

How to eliminate wrong answers

Option B is wrong because theHarvester is a tool for gathering email addresses, subdomains, and other OSINT data from public sources like search engines and DNS records, not for performing live host discovery on a private IP range. Option C is wrong because Nmap's -sn ping sweep, while effective, is significantly slower than Masscan on a /16 range due to its stateful scanning approach, which creates more network overhead and takes much longer to complete. Option D is wrong because hping3 with --icmp sends packets sequentially to each IP, which is extremely slow and inefficient for scanning 65,536 hosts, and it does not minimize network load as it requires per-packet state tracking.

95 · Multi-Select · medium

Which TWO of the following are passive reconnaissance techniques? (Select 2)

Select 2 answers
A. Performing a WHOIS lookup
B. Banner grabbing with Netcat
C. Running a TCP SYN scan with Nmap
D. Using Shodan to search for exposed devices
E. Performing a ping sweep

Answers: A, D

WHOIS queries public registration databases without sending traffic to the target's infrastructure.

Why this answer

A WHOIS lookup queries public databases (e.g., whois.arin.net) to retrieve registration details for domains or IP blocks, such as registrar, creation date, and administrative contacts. This is passive because it relies on publicly available information without sending any packets directly to the target system. The CEH defines passive reconnaissance as gathering data without interacting with the target's network or services.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance by including banner grabbing (which is active because it requires a direct connection) as a distractor, leading candidates to mistakenly classify it as passive since it only reads server responses.

96 · Multi-Select · medium

Which TWO of the following are passive reconnaissance techniques?

Select 2 answers
A. Ping sweep
B. Google hacking (dorking)
C. Nmap SYN scan
D. Banner grabbing with Netcat
E. WHOIS lookup

Answers: B, E

Google dorking uses search engines to find information passively.

Why this answer

Google hacking (dorking) is a passive reconnaissance technique because it involves using advanced search operators in Google to discover publicly indexed information about a target, such as exposed configuration files or login pages, without sending any packets directly to the target's systems. It relies entirely on the search engine's pre-existing index, making it undetectable and non-intrusive. This aligns with the CEH definition of passive reconnaissance, where no direct interaction with the target occurs.

Exam trap

The trap here is that candidates often confuse 'passive' with 'stealthy' and incorrectly classify techniques like banner grabbing or SYN scans as passive because they can be performed with minimal noise, but CEH strictly defines passive reconnaissance as having zero direct interaction with the target's systems.

97 · MCQ · medium

A security analyst notices unusual outbound traffic from an internal server to a known malicious IP address on port 4444. The server is running a web application that was recently scanned using a vulnerability scanner. Which of the following is the MOST likely cause?

A. The server is performing a DNS lookup to resolve the malicious IP address
B. The web application is sending log data to a SIEM system for analysis
C. A vulnerability discovered during the scan was exploited, establishing a reverse shell connection to the attacker
D. The vulnerability scan caused a false positive and triggered a legitimate backup process

Answer: C

Port 4444 is commonly used for reverse shells. Outbound traffic to a malicious IP on this port indicates successful exploitation and a backdoor connection.

Why this answer

Option C is correct because outbound traffic on port 4444 from an internal server to a known malicious IP is a classic indicator of a reverse shell connection. A reverse shell is a common post-exploitation technique where an attacker forces the victim server to connect back to their listener, often on high ports like 4444, bypassing inbound firewall rules. The timing after a vulnerability scan strongly suggests that a discovered vulnerability (e.g., command injection, RCE) was exploited to establish this shell.

Exam trap

The trap here is that candidates may confuse reverse shells with normal outbound traffic like DNS or backups, failing to recognize that port 4444 is a well-known Metasploit default for reverse TCP payloads and that outbound connections to malicious IPs are a hallmark of compromise.

How to eliminate wrong answers

Option A is wrong because DNS lookups use UDP or TCP port 53, not port 4444, and are not directed to a malicious IP for resolution; they query a DNS server. Option B is wrong because SIEM log forwarding typically uses ports like 514 (syslog), 1514, or 443 (HTTPS), not port 4444, and would not target a known malicious IP. Option D is wrong because a legitimate backup process would use standard backup ports (e.g., 445 for SMB, 22 for SSH, or 443 for HTTPS) and would not connect to a known malicious IP; false positives from vulnerability scans do not trigger outbound connections to attacker-controlled hosts.

98
Multi-Select · medium

A penetration tester is conducting DNS enumeration. Which TWO of the following tools are specifically designed for DNS enumeration? (Select two)

Select 2 answers
A. dnsrecon
B. theHarvester
C. Nmap
D. Maltego
E. dnsenum
Answers: A, E

dnsrecon is a DNS enumeration tool.

Why this answer

dnsrecon is a dedicated DNS enumeration tool that performs multiple types of DNS queries (e.g., SRV, MX, SOA, zone transfer attempts) and supports brute-force subdomain discovery. It is specifically designed to gather DNS records and identify misconfigurations, making it a primary tool for DNS enumeration.

Exam trap

The trap here is that candidates often confuse general-purpose reconnaissance tools (like theHarvester or Maltego) with dedicated DNS enumeration tools, or they assume Nmap's DNS scripts make it a primary DNS enumeration tool, when in fact the question specifically asks for tools 'designed for DNS enumeration'.

99
MCQ · easy

During a penetration test, a tester wants to gather email addresses, subdomains, and employee names associated with a target domain. Which of the following tools is specifically designed for such passive reconnaissance?

A. Wireshark
B. theHarvester
C. Metasploit
D. Nmap
Answer: B

theHarvester performs passive reconnaissance by querying public sources for emails, subdomains, and other information.

Why this answer

theHarvester is a passive reconnaissance tool specifically designed to gather email addresses, subdomains, employee names, and other open-source intelligence (OSINT) from public sources such as search engines (Google, Bing), PGP key servers, and the Shodan database. It operates without sending direct packets to the target, making it ideal for passive footprinting as defined in the CEH methodology.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse theHarvester with active tools like Nmap or Wireshark because they all involve network data, but only theHarvester gathers OSINT from third-party public sources without sending packets to the target.

How to eliminate wrong answers

Option A is wrong because Wireshark is a network protocol analyzer that captures and inspects live traffic in real time, which is an active sniffing technique requiring interaction with the network, not a passive reconnaissance tool for gathering OSINT from public sources. Option C is wrong because Metasploit is an exploitation framework used for developing and executing active exploits against vulnerabilities, not for passive information gathering like email or subdomain enumeration. Option D is wrong because Nmap is an active scanning tool that sends crafted packets (e.g., SYN, ICMP) to discover hosts and services, which generates network traffic and is not passive reconnaissance.

100
Multi-Select · medium

Which TWO of the following are examples of active reconnaissance techniques? (Select two)

Select 2 answers
A. Querying Shodan for open ports on a target
B. Running an Nmap SYN scan against a target
C. Searching for sensitive files using Google dorks
D. Performing a WHOIS lookup
E. Using Netcat to grab banners from a web server
Answers: B, E

Nmap sends packets to the target.

Why this answer

Option B is correct because an Nmap SYN scan (also known as a half-open scan) sends a TCP SYN packet to a target port and analyzes the response. If a SYN/ACK is received, the port is open; if an RST is received, the port is closed. This scan actively interacts with the target system by sending network traffic, making it an active reconnaissance technique.

Exam trap

The trap here is that candidates often confuse passive information-gathering tools (like Shodan, Google dorks, or WHOIS) with active techniques, because they involve querying external databases rather than directly engaging the target's systems.

101
MCQ · easy

A junior penetration tester runs the command: whois example.com. What type of information are they MOST likely trying to obtain?

A. DNS zone transfer information
B. The IP address of the web server
C. Open ports on the target server
D. Domain registration details such as registrar, creation date, and contact information
Answer: D

WHOIS returns domain registration information, which is useful for footprinting.

Why this answer

The `whois` command queries a WHOIS server (typically operated by a Regional Internet Registry or domain registrar) to retrieve domain registration details. This includes the registrar name, creation and expiration dates, name servers, and often administrative/technical contact information. It is a core footprinting technique used to gather publicly available metadata about a domain owner and infrastructure.

Exam trap

EC-Council often tests the distinction between WHOIS (domain registration metadata) and DNS lookups (IP resolution), leading candidates to mistakenly associate WHOIS with IP addresses or server configuration details.

How to eliminate wrong answers

Option A is wrong because DNS zone transfer information is obtained using the `dig axfr` or `nslookup -type=axfr` command against an authoritative DNS server, not via WHOIS. Option B is wrong because while WHOIS may list name servers, it does not directly return the IP address of the web server; that requires a DNS A-record lookup using `nslookup` or `dig`. Option C is wrong because open ports are discovered through port scanning tools like Nmap, not through the WHOIS protocol, which only returns registration metadata.

102
MCQ · medium

A penetration tester wants to perform a ping sweep on a /24 subnet to identify live hosts. Which command would accomplish this efficiently?

A. nmap -sn 192.168.1.0/24
B. nmap -O 192.168.1.0/24
C. nmap -p- 192.168.1.0/24
D. nmap -sV 192.168.1.0/24
Answer: A

-sn is the Nmap ping sweep flag that discovers live hosts without scanning ports.

Why this answer

Option A is correct because `nmap -sn` performs a ping sweep (host discovery) without port scanning, sending ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default. This efficiently identifies live hosts on a /24 subnet without the overhead of port scanning or OS detection.

Exam trap

The trap here is that candidates often confuse `-sn` (ping sweep) with `-sP` (deprecated alias) or assume that `-O` or `-sV` are faster because they provide more information, but they actually add significant overhead and are not designed for simple host discovery.

How to eliminate wrong answers

Option B is wrong because `-O` enables OS detection, which requires open ports and sends additional probes, making it slower and not focused on simple host discovery. Option C is wrong because `-p-` scans all 65535 TCP ports, which is a full port scan and extremely time-consuming for a /24 subnet, not a ping sweep. Option D is wrong because `-sV` performs service version detection on open ports, which requires a prior port scan and is not designed for host discovery.

103
MCQ · medium

A security analyst performs a passive reconnaissance of a target domain using public resources. Which of the following techniques would be considered passive reconnaissance?

A. Using Netcat to grab banners from the target's email server
B. Running Nmap SYN scan on the target's web server
C. Performing a WHOIS lookup for the target domain
D. Sending a ping sweep to the target's public IP range
Answer: C

WHOIS queries use public databases, not direct interaction with the target.

Why this answer

Passive reconnaissance involves gathering information without directly interacting with the target's systems, thus avoiding any network traffic that could be detected. A WHOIS lookup queries a public registry database (e.g., whois.arin.net) over port 43 or via a web interface, retrieving domain registration details without sending any packets to the target's own infrastructure. This makes it a purely passive technique.

Exam trap

The trap here is that candidates confuse 'using public resources' (like WHOIS databases) with 'sending network probes' (like banner grabbing or pings), assuming any information-gathering tool is passive if it doesn't exploit vulnerabilities.

How to eliminate wrong answers

Option A is wrong because using Netcat to grab banners requires establishing a TCP connection to the target's email server (e.g., port 25), which sends packets and is an active interaction. Option B is wrong because running an Nmap SYN scan sends crafted TCP SYN packets to the target's web server and analyzes responses, which is active reconnaissance and can be logged by intrusion detection systems. Option D is wrong because sending a ping sweep involves transmitting ICMP Echo Request packets to the target's IP range, directly probing live hosts and generating detectable traffic.

104
MCQ · medium

An analyst wants to perform a SYN flood attack test against a server to evaluate its resilience. Which of the following tools would be the MOST appropriate for this task?

A. Nmap
B. Shodan
C. Wireshark
D. hping3
Answer: D

hping3 can generate a high volume of SYN packets with spoofed IPs, ideal for simulating SYN flood attacks.

Why this answer

hping3 is the most appropriate tool because it is a command-line packet crafting tool that allows the user to generate custom TCP SYN packets with spoofed source IP addresses, making it ideal for simulating a SYN flood attack. Unlike other tools, hping3 can send a high volume of SYN packets without completing the three-way handshake, which is the core mechanism of a SYN flood that exhausts the server's connection queue.

Exam trap

EC-Council often tests the misconception that Nmap's SYN scan (-sS) is equivalent to a SYN flood attack, but Nmap is designed for stealthy reconnaissance with low packet rates, not for overwhelming a target with high-volume traffic.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for port discovery and service enumeration, not for generating high-volume attack traffic; it can send SYN packets for scanning but lacks the rate control and spoofing capabilities needed for a sustained SYN flood. Option B is wrong because Shodan is a search engine for internet-connected devices and does not generate any network traffic or perform attacks; it is used for reconnaissance, not exploitation. Option C is wrong because Wireshark is a packet analyzer used for capturing and inspecting network traffic, not for generating or injecting packets; it cannot initiate a SYN flood.

105
Multi-Select · easy

Which TWO of the following are common OSINT tools for passive reconnaissance? (Select 2)

Select 2 answers
A. Metasploit
B. theHarvester
C. hping3
D. Maltego
E. Nmap
Answers: B, D

theHarvester passively gathers information from search engines, PGP key servers, etc.

Why this answer

theHarvester is a passive OSINT tool that gathers email addresses, subdomains, IPs, and virtual hosts from public sources like search engines (Google, Bing), PGP key servers, and the SHODAN database without sending any packets directly to the target. This aligns with passive reconnaissance, which relies on publicly available information rather than active probing.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse tools like Nmap or hping3 (which are active) with passive OSINT tools because they are commonly used in the early stages of an engagement.

106
MCQ · hard

During a penetration test, you execute the following command: dnsrecon -d example.com -t axfr. The output shows 'AXFR record received' followed by a list of all DNS records. What does this indicate about the target's DNS configuration?

A. The DNS server is using DNSSEC to secure zone transfers
B. The DNS server is vulnerable to zone transfer attacks, allowing unauthorized users to retrieve the entire zone file
C. The DNS server is properly configured and only allows zone transfers to authorized secondary servers
D. The target uses a split-DNS configuration with internal and external views
Answer: B

A successful AXFR to an unauthenticated client indicates a misconfiguration that exposes internal network details.

Why this answer

The successful execution of `dnsrecon -d example.com -t axfr` and the receipt of an AXFR (full zone transfer) response indicates that the target DNS server is misconfigured to allow zone transfers from any host. A properly secured DNS server should restrict AXFR queries to only authorized secondary (slave) servers, typically by IP address or TSIG (Transaction Signature) keys. Since the command was run from an unauthorized client, this confirms a zone transfer vulnerability, allowing an attacker to retrieve the entire DNS zone file, which reveals all hostnames, IP addresses, and service records.

Exam trap

The trap here is that candidates may confuse DNSSEC with access control mechanisms, or assume that a successful zone transfer implies proper authorization, when in fact the CEH exam emphasizes that any successful AXFR from an unauthorized client is a critical misconfiguration and vulnerability.

How to eliminate wrong answers

Option A is wrong because DNSSEC (DNS Security Extensions) does not control or restrict zone transfers; it provides data origin authentication and integrity via digital signatures, but does not prevent AXFR queries. Option C is wrong because a properly configured DNS server would not respond to an AXFR request from an unauthorized source; the fact that the zone transfer succeeded proves the configuration is insecure, not properly configured. Option D is wrong because split-DNS (split-horizon) is a design where internal and external DNS views serve different records; it does not inherently prevent zone transfers, and the successful AXFR indicates a lack of access control, not a split configuration.

107
MCQ · hard

A penetration tester runs 'nmap -sS -p 80 --script http-title 192.168.1.100' and receives output indicating port 80 is 'filtered'. What does the 'filtered' state imply?

A. The port is open and a service is listening
B. A firewall is likely blocking the probe packets
C. The service is running but the script failed
D. The port is closed and no service is listening
Answer: B

Filtered indicates that probes are being dropped or blocked, often by a firewall.

Why this answer

The 'filtered' state in Nmap indicates that the probe packets (SYN packets for a SYN scan) were dropped or did not elicit any response, typically due to a firewall or packet filter. Since no SYN/ACK or RST was received, Nmap cannot determine if the port is open or closed, so it marks it as 'filtered'. This is distinct from an 'open' state (SYN/ACK received) or 'closed' state (RST received).

Exam trap

The trap here is that candidates confuse 'filtered' with 'closed' or assume it means the service is running but unreachable, when in fact 'filtered' specifically indicates the probe was blocked by a filtering device.

How to eliminate wrong answers

Option A is wrong because an open port would return a SYN/ACK, causing Nmap to report it as 'open', not 'filtered'. Option C is wrong because the 'filtered' state is determined by the scan probe response, not by the success or failure of the http-title script; the script would only run if the port were open. Option D is wrong because a closed port would send back an RST packet, leading Nmap to report it as 'closed', not 'filtered'.

108
Multi-Select · medium

Which THREE of the following are valid Nmap port states?

Select 3 answers
A. Open
B. Filtered
C. Blocked
D. Stealth
E. Unfiltered
Answers: A, B, E

An open port has a service listening.

Why this answer

Option A is correct because Nmap classifies a port as 'open' when it receives a SYN/ACK response to a SYN probe, indicating that an application is actively listening on that port. This is the standard TCP three-way handshake behavior defined in RFC 793, and it is the most fundamental port state in Nmap's scanning logic.

Exam trap

The trap here is that candidates confuse Nmap's scanning techniques (like stealth scan) with port states, or assume 'blocked' is a valid state when it is actually a synonym for 'filtered' that Nmap does not officially use.

109
MCQ · medium

A security analyst issues the command `dnsenum example.com` and receives a list of subdomains, mail servers, and name servers. What information is revealed by the presence of multiple MX records?

A. The domain has been compromised
B. The domain uses a single mail server with multiple aliases
C. The domain uses multiple mail servers for load balancing and failover
D. The domain is participating in a DDoS attack
Answer: C

Multiple MX records with different priorities provide failover.

Why this answer

Multiple MX records in a DNS zone file indicate that the domain is configured with more than one mail exchange server. This setup provides redundancy and load balancing for email delivery, as defined in RFC 5321. The `dnsenum` tool enumerates these records from the DNS server, revealing the domain's email infrastructure design.

Exam trap

The trap here is that candidates may confuse multiple MX records with multiple A records for a single hostname, or incorrectly assume that any multiplicity in DNS records indicates a security issue, rather than recognizing it as a standard high-availability design.

How to eliminate wrong answers

Option A is wrong because the presence of multiple MX records is a standard configuration for resilience, not an indicator of compromise. Option B is wrong because multiple MX records point to distinct mail servers (with different hostnames or IPs), not a single server with multiple aliases (which would be CNAME records). Option D is wrong because multiple MX records are used for legitimate email routing, not for participating in a DDoS attack; DDoS involvement would be inferred from traffic patterns, not DNS record counts.

110
MCQ · hard

A penetration tester runs the following Nmap command: nmap -sU -sS -p 53,161,162,500 10.0.0.1 and receives no responses for UDP scans but standard results for TCP. The tester suspects the target is dropping all UDP packets. Which Nmap option could help increase the likelihood of UDP responses by fragmenting the probe?

A. -f
B. -T4
C. --reason
D. -Pn
Answer: A

-f fragments the probe packets, potentially helping to evade detection or filters that drop undifferentiated UDP traffic.

Why this answer

The -f option fragments the probe packets into smaller IP fragments. When a target drops unfragmented UDP packets, fragmenting the probes can sometimes bypass simple packet filters or IDS/IPS that drop larger or complete UDP datagrams, increasing the chance that the target will process and respond to the fragments.

Exam trap

The trap here is that candidates often confuse -f (fragmentation) with -T4 (timing) or -Pn (no ping), assuming any option that makes the scan 'faster' or 'more aggressive' will also bypass packet drops, when in fact fragmentation is the specific technique to alter packet structure.

How to eliminate wrong answers

Option B is wrong because -T4 sets the timing template to aggressive, which increases scan speed but does not fragment packets or alter UDP probe structure. Option C is wrong because --reason simply displays the reason for Nmap's port state determination and has no effect on packet fragmentation or UDP response behavior. Option D is wrong because -Pn skips host discovery and treats the target as alive, but it does not fragment probes or change how UDP packets are constructed.

111
MCQ · medium

During a vulnerability assessment, a security analyst receives an alert from the IDS that a scan with fragmented packets and spoofed source IPs is targeting the internal network. Which Nmap command MOST likely caused this alert?

A. nmap -sS -O 192.168.1.1
B. nmap -sV -p 80 192.168.1.1
C. nmap -sU 192.168.1.1
D. nmap -f -D 10.0.0.1,10.0.0.2 192.168.1.1
Answer: D

-f fragments packets, -D adds decoy IPs. This matches the IDS alert description.

Why this answer

Option D is correct because the `-f` flag fragments the packets into smaller IP fragments, and the `-D` flag performs a decoy scan by spoofing source IPs. This combination causes the IDS to detect fragmented packets with spoofed source addresses, matching the alert description.

Exam trap

The trap here is that candidates may confuse `-f` with other scan types like SYN or UDP scans, but the key is recognizing that fragmentation and spoofed source IPs are explicitly enabled by `-f` and `-D` respectively.

How to eliminate wrong answers

Option A is wrong because `-sS` (SYN scan) and `-O` (OS detection) do not fragment packets or spoof source IPs; they use raw packets with the real source IP. Option B is wrong because `-sV` (version detection) and `-p 80` target a single port without fragmentation or spoofing, generating normal TCP traffic. Option C is wrong because `-sU` (UDP scan) sends unfragmented UDP packets from the real source IP, not fragmented or spoofed traffic.

112
MCQ · hard

During a penetration test, a security analyst observes that Nmap SYN scans to a target server are not returning any results, but TCP connect scans succeed. The server is running an IDS. Which evasion technique is the analyst MOST likely encountering?

A. The IDS is dropping packets with the SYN flag set
B. The server is using a firewall that blocks all inbound SYN packets
C. The analyst's packets are being fragmented, causing them to be dropped
D. The target is using a honeypot that responds to all connection attempts
Answer: A

IDS can be configured to drop packets based on flags. SYN scans send only SYN, while connect scans send a full handshake; the IDS may allow the latter.

Why this answer

The IDS is configured to drop packets with only the SYN flag set, which is the hallmark of a SYN scan. This evasion technique forces the attacker to use a full TCP connect scan (which completes the three-way handshake) to bypass the IDS detection. The IDS drops the initial SYN packet, preventing the scan from receiving any response, while a full connect scan is allowed because it mimics legitimate traffic.

Exam trap

The trap here is that candidates often assume a firewall is blocking the SYN packets, but the question specifies an IDS is running, and the key distinction is that a firewall would block both scan types, while an IDS can selectively drop only half-open SYN packets to evade detection.

How to eliminate wrong answers

Option B is wrong because a firewall that blocks all inbound SYN packets would also block TCP connect scans, which rely on sending a SYN to initiate the handshake; the question states connect scans succeed, so this cannot be the case. Option C is wrong because packet fragmentation is an evasion technique used to bypass IDS/IPS signature matching, not to cause packets to be dropped; fragmented packets can still be reassembled and processed. Option D is wrong because a honeypot would respond to all connection attempts, including SYN scans, but the question states SYN scans return no results, indicating the packets are being dropped before reaching the target.

113
MCQ · medium

During a penetration test, you run the command: nmap -sU -p 161,162 --script=snmp-brute 192.168.1.100. Which of the following is the PRIMARY goal of this scan?

A. Discover SNMP community strings via brute-force
B. Perform a ping sweep to discover live hosts
C. Identify open TCP ports and services on the target
D. Enumerate SNMP MIB tree values
Answer: A

The combination of UDP scan on SNMP ports with the snmp-brute script is used to brute-force community strings.

Why this answer

The command uses the `-sU` flag for a UDP scan and targets ports 161 and 162, which are the standard SNMP ports. The `--script=snmp-brute` script attempts to brute-force SNMP community strings (the equivalent of passwords for SNMPv1/v2c). Therefore, the primary goal is to discover valid community strings, which is option A.

Exam trap

The trap here is that candidates confuse the `snmp-brute` script with SNMP MIB enumeration or general service discovery, but the script's explicit purpose is to brute-force community strings, not to read MIB values or scan TCP ports.

How to eliminate wrong answers

Option B is wrong because a ping sweep typically uses ICMP echo requests (or TCP SYN to common ports) and does not involve scanning UDP ports 161/162 or running an SNMP brute-force script. Option C is wrong because `-sU` scans UDP ports, not TCP ports, and the script is specifically for SNMP brute-forcing, not service enumeration. Option D is wrong because enumerating SNMP MIB tree values is done with scripts like `snmp-info` or `snmp-interfaces`, not the `snmp-brute` script, which focuses on guessing community strings.

114
MCQ · medium

A penetration tester wants to evade an IDS while scanning a target network. The tester uses the Nmap command: nmap -sS -f 10.10.10.1. What does the -f flag accomplish?

A. It increases the timing template to T5 (insane)
B. It uses an idle scan by bouncing off a zombie host
C. It sends packets with a spoofed source IP address
D. It fragments the IP packets into 8-byte fragments
Answer: D

-f fragments the packet, often into 8-byte fragments (or 24 for -ff).

Why this answer

The -f flag in Nmap instructs the tool to fragment the IP packets into 8-byte fragments (or smaller, depending on the MTU). This is a common evasion technique used to bypass Intrusion Detection Systems (IDS) and firewalls by splitting the TCP header across multiple packets, making it harder for signature-based detection to reassemble and match the scan pattern.

Exam trap

The trap here is that candidates often confuse the -f flag with other Nmap options like -T (timing), -sI (idle scan), or -S (spoofing), because they all start with a single dash and are used for evasion or stealth, but each has a distinct function.

How to eliminate wrong answers

Option A is wrong because the -f flag does not control timing; timing templates are set with -T0 through -T5 (e.g., -T5 for insane). Option B is wrong because an idle scan is performed using the -sI flag, not -f, and requires specifying a zombie host. Option C is wrong because spoofing a source IP address is achieved with the -S flag (e.g., -S 192.168.1.100), not -f.

115
MCQ · medium

Which of the following OSINT techniques would be MOST effective for discovering email addresses and employee names associated with a target organization?

A. Nmap scan
B. theHarvester
C. WHOIS lookup
D. Shodan search
Answer: B

theHarvester aggregates emails and names from public sources.

Why this answer

theHarvester is specifically designed to gather emails, subdomains, IPs, and employee names from public sources like search engines, PGP key servers, and social networks.

116
MCQ · easy

A security analyst wants to gather information about a target domain without sending any packets to the target. Which technique should the analyst use?

A. Ping sweep
B. WHOIS lookup
C. Netcat banner grab
D. Nmap SYN scan
Answer: B

WHOIS queries public databases without contacting the target directly.

Why this answer

WHOIS lookup is a passive reconnaissance technique that queries public databases (e.g., RDAP or WHOIS servers) for domain registration details such as registrar, creation date, and administrative contacts. It requires no packets to be sent to the target domain's infrastructure, making it ideal for information gathering without direct interaction.

Exam trap

The trap here is that candidates confuse passive reconnaissance (no packets to the target) with active scanning techniques like ping sweeps or port scans, assuming any information gathering requires direct interaction.

How to eliminate wrong answers

Option A is wrong because a ping sweep sends ICMP Echo Request packets to multiple hosts, actively probing the target network. Option C is wrong because Netcat banner grabbing requires establishing a TCP connection to a target service (e.g., HTTP, FTP) to retrieve its banner, which involves sending packets. Option D is wrong because an Nmap SYN scan sends crafted TCP SYN packets to target ports to determine their state, actively interacting with the target.

117
MCQ · medium

During a penetration test, you run the following command: nmap -sV -p 80 --script http-title 192.168.1.10. The output shows that port 80 is open and the HTTP title is 'Login Portal'. Which phase of the penetration testing methodology does this activity represent?

A. Exploitation
B. Post-exploitation
C. Footprinting
D. Scanning and enumeration
Answer: D

Scanning involves actively probing systems to discover open ports, services, and other details. This aligns with the scanning and enumeration phase.

Why this answer

The nmap command with -sV (service version detection) and --script http-title performs service fingerprinting and banner grabbing on port 80, which is a core activity of the scanning and enumeration phase. This phase follows footprinting and involves actively probing target systems to discover open ports, running services, and application details like the HTTP title 'Login Portal'. It does not involve exploiting vulnerabilities (exploitation) or maintaining access (post-exploitation), nor is it passive information gathering (footprinting).

Exam trap

EC-Council often tests the distinction between footprinting and scanning/enumeration, where candidates mistakenly classify any information-gathering activity as footprinting, but the key differentiator is whether the activity involves direct interaction with the target system (scanning) versus passive collection (footprinting).

How to eliminate wrong answers

Option A is wrong because exploitation involves actively leveraging a vulnerability to gain unauthorized access, such as using a buffer overflow or SQL injection, whereas this command only gathers information about the service. Option B is wrong because post-exploitation occurs after successful exploitation and focuses on maintaining access, privilege escalation, or data exfiltration; scanning port 80 is a pre-exploitation reconnaissance step. Option C is wrong because footprinting is the initial passive or semi-passive information gathering phase (e.g., WHOIS, DNS lookups, social engineering), while this nmap command actively sends packets to the target to enumerate services, which is scanning and enumeration.

118
Multi-Select · medium

Which TWO of the following describe the state of a port when Nmap reports it as 'filtered'? (Select 2)

Select 2 answers
A.The port is closed and the target sends a RST packet
B.The port is open and a service is listening
C.A firewall is dropping the probe packets
D.A firewall is responding with ICMP unreachable errors
E.The port is open but no service is responding
Answers: C, D

If a firewall silently drops packets, Nmap sees no response and marks the port filtered.

Why this answer

Nmap reports a port as 'filtered' when it cannot determine whether the port is open or closed because probe packets are being dropped or blocked. Option C is correct because a firewall dropping probe packets (e.g., via a DROP rule in iptables or an ACL) prevents Nmap from receiving any response, leading to a 'filtered' state. Option D is correct because a firewall responding with ICMP unreachable errors (e.g., ICMP Type 3 Code 13, 'Communication Administratively Prohibited') also causes Nmap to classify the port as 'filtered', as the response indicates a filtering device is interfering.

Exam trap

The trap here is that candidates often confuse 'filtered' with 'closed' or 'open', not realizing that 'filtered' specifically indicates a firewall or filter is interfering with the probe, rather than the port's actual listening state.

119
MCQ · easy

During a vulnerability assessment, which of the following tools is a comprehensive vulnerability scanner that uses a plugin architecture to detect thousands of vulnerabilities?

A.Nessus
B.Wireshark
C.OpenVAS
D.Nmap
Answer: A

Nessus is a proprietary vulnerability scanner with a large plugin database.

Why this answer

Nessus is a comprehensive vulnerability scanner that uses a plugin-based architecture to detect thousands of vulnerabilities across a wide range of systems and services. Each plugin corresponds to a specific vulnerability check, and the Nessus engine executes them in sequence or in parallel against the target, making it highly extensible and up-to-date with the latest CVEs.

Exam trap

The trap here is that candidates confuse OpenVAS (an open-source alternative) with Nessus, but the CEH exam expects Nessus as the answer because it is the proprietary, commercial tool that originally defined the plugin-based vulnerability scanning paradigm and is widely referenced in official courseware.

How to eliminate wrong answers

Option B (Wireshark) is wrong because it is a network protocol analyzer that captures and inspects packets in real time, not a vulnerability scanner; it lacks a plugin architecture for vulnerability detection. Option C (OpenVAS) is wrong because while it is also a vulnerability scanner using a plugin-like feed (NVTs), the question asks for the tool that is 'comprehensive' and uses a 'plugin architecture' — Nessus is the industry-standard commercial tool that pioneered this model, and OpenVAS is its open-source fork, but the CEH exam specifically recognizes Nessus as the correct answer for this description. Option D (Nmap) is wrong because it is primarily a port scanner and network mapper that uses scripts (NSE) for limited vulnerability detection, not a comprehensive vulnerability scanner with a dedicated plugin architecture for thousands of vulnerabilities.

120
MCQ · hard

During a security assessment, a tester runs hping3 with the command: hping3 -S -p 80 -c 5 10.0.0.1. The response shows that packets with the SYN flag set receive SYN-ACK replies. Which of the following conclusions is MOST accurate?

A.Port 80 is open on 10.0.0.1
B.A firewall is blocking the scan
C.Port 80 is closed on 10.0.0.1
D.The target is using a stateful firewall that allows the connection
Answer: A

A SYN-ACK response to a SYN packet indicates an open TCP port.

Why this answer

The hping3 command with the -S flag sends TCP SYN packets to port 80 on 10.0.0.1. Receiving SYN-ACK replies indicates that the target responded with the second step of the TCP three-way handshake, which only occurs when the port is open and listening. This confirms that port 80 is open on the target host.

Exam trap

The trap here is that candidates may confuse the SYN-ACK response with firewall behavior or closed port responses, but the correct interpretation is that a SYN-ACK directly indicates an open port per TCP specification.

How to eliminate wrong answers

Option B is wrong because a firewall blocking the scan would typically drop the packets or send ICMP unreachable messages, not respond with SYN-ACKs. Option C is wrong because a closed port would respond with RST packets, not SYN-ACKs, per RFC 793. Option D is wrong because while a stateful firewall might allow the connection, the SYN-ACK response itself is direct evidence that the port is open on the target host, not just a firewall behavior.

121
MCQ · medium

During a penetration test, you run the following command: hping3 -S -p 80 --flood 192.168.1.100. What is the PRIMARY purpose of this command?

A.Banner grab the HTTP service on port 80
B.Fingerprint the operating system of the target
C.Perform a TCP connect scan to identify open ports
D.Execute a denial-of-service (DoS) attack against the target's web server
Answer: D

--flood sends packets as fast as possible, and -S sets the SYN flag, producing a SYN flood DoS attack.

Why this answer

The command `hping3 -S -p 80 --flood 192.168.1.100` sends a high volume of TCP SYN packets to port 80 of the target without completing the three-way handshake. The `--flood` flag disables packet rate limiting, causing a rapid stream of SYN packets that exhausts the target's connection queue, effectively performing a SYN flood denial-of-service (DoS) attack against the web server.

Exam trap

The trap here is that candidates confuse a SYN flood DoS attack with a SYN scan (port scanning), but the `--flood` flag explicitly indicates a denial-of-service intent, not reconnaissance.

How to eliminate wrong answers

Option A is wrong because banner grabbing requires receiving and analyzing a service response, but `--flood` sends packets as fast as possible without waiting for replies, making banner capture impossible. Option B is wrong because OS fingerprinting relies on analyzing subtle differences in TCP/IP stack responses (e.g., TTL, window size), but the `--flood` mode overwhelms the target and does not collect or analyze response packets for fingerprinting. Option C is wrong because a TCP connect scan completes the three-way handshake (SYN, SYN-ACK, ACK), whereas this command only sends SYN packets and never completes the handshake, so it cannot identify open ports reliably.

122
MCQ · easy

Which of the following is the PRIMARY purpose of banner grabbing during the reconnaissance phase?

A.To determine the version of a running service
B.To discover open ports
C.To identify the operating system
D.To map the network topology
Answer: A

Banners often include version strings, allowing identification of specific service versions.

Why this answer

Banner grabbing is a technique used to extract service banners that often include software name and version details. The primary purpose is to determine the version of a running service, as this information allows an attacker to identify known vulnerabilities specific to that version for further exploitation.

Exam trap

The trap here is that candidates confuse banner grabbing with OS fingerprinting or port scanning, but the CEH exam specifically tests that banner grabbing's primary goal is service version identification, not OS detection or port discovery.

How to eliminate wrong answers

Option B is wrong because discovering open ports is accomplished through port scanning (e.g., SYN scan, TCP connect scan), not banner grabbing, which occurs after a port is already known to be open. Option C is wrong because while banner information can sometimes hint at the OS, the primary and direct purpose of banner grabbing is to identify the service version, not the OS; OS detection is typically done via TCP/IP stack fingerprinting (e.g., nmap -O). Option D is wrong because mapping network topology involves techniques like traceroute, SNMP sweeps, or analyzing routing tables, not banner grabbing, which only interacts with a single service on a single host.

123
MCQ · medium

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

A.Perform an aggressive scan of all open ports and enumerate SMB shares
B.Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
C.Perform a UDP scan on the four specified ports and identify running services
D.Perform a full TCP connect scan with UDP service detection on all ports
Answer: B

-sS = SYN/stealth scan, -sV = version detection, -O = OS fingerprinting, -p 22,80,443,3389 = scan only these four ports. This is a targeted reconnaissance scan.

Why this answer

Option B is correct because the command `nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24` performs a TCP SYN scan (`-sS`) on only the four specified ports, enables service version detection (`-sV`), and attempts OS fingerprinting (`-O`). This is a stealthy half-open scan that does not complete the TCP three-way handshake, combined with banner grabbing and OS detection, limited to the given port list.

Exam trap

The trap here is that candidates confuse `-sS` (SYN scan) with a full connect scan or UDP scan, or assume that specifying `-p` implies scanning all ports, when in fact it limits the scan to only the listed ports.

How to eliminate wrong answers

Option A is wrong because the command does not include `-A` (aggressive scan) nor any SMB enumeration flags like `--script smb-enum-shares`; it only scans four specific ports, not all open ports. Option C is wrong because `-sS` specifies a TCP SYN scan, not a UDP scan; a UDP scan would require `-sU`. Option D is wrong because `-sS` is a half-open SYN scan, not a full TCP connect scan (which uses `-sT`), and the command does not include UDP service detection or scan all ports.

124
Multi-Select · medium

A security analyst is planning a reconnaissance activity that must remain undetected. Which TWO of the following techniques should they choose?

Select 2 answers
A.Engage in social engineering to extract network diagrams from employees
B.Gather information from public OSINT sources like Shodan and social media
C.Conduct a passive reconnaissance by analyzing DNS records without querying the target's DNS servers directly
D.Use Nmap with default scripts to enumerate services
E.Perform a full TCP connect scan on all ports
Answers: B, C

OSINT uses publicly available data without contacting the target, making it undetectable.

Why this answer

Option B is correct because OSINT sources like Shodan and social media provide publicly available information without interacting with the target's systems, keeping the reconnaissance passive and undetected. Option C is correct because passive reconnaissance via DNS records (e.g., using cached or third-party DNS databases) avoids querying the target's authoritative DNS servers, thus not generating logs or alerts on the target's infrastructure.

Exam trap

The trap here is that candidates often confuse 'passive reconnaissance' with 'stealth scanning,' assuming that techniques like SYN scan or Nmap's default scripts are undetected, when in fact any direct packet transmission to the target is active and detectable.

125
MCQ · medium

A security engineer is concerned about DNS zone transfer attacks. Which of the following countermeasures would be MOST effective in preventing unauthorized zone transfers?

A.Restrict zone transfers to authorized IP addresses only
B.Use DNSSEC to sign the zone
C.Change the default port of 53 to a non-standard port
D.Disable DNS recursion on the server
Answer: A

This limits zone transfer requests to trusted secondary servers, preventing unauthorized parties from obtaining the zone data.

Why this answer

Restricting zone transfers to authorized IP addresses only is the most effective countermeasure because it directly controls which DNS servers are allowed to request a full copy of the zone data. By configuring an allow-transfer list (e.g., using the 'allow-transfer { trusted_servers; };' directive in BIND), the primary DNS server will reject zone transfer requests from any unauthorized IP, preventing attackers from enumerating all DNS records.

Exam trap

The trap here is that candidates often confuse DNSSEC (which protects data integrity) with access control mechanisms, or they mistakenly think disabling recursion or changing ports will prevent zone transfers, when in fact zone transfers are controlled by explicit authorization settings on the authoritative server.

How to eliminate wrong answers

Option B is wrong because DNSSEC (DNS Security Extensions) provides data integrity and authentication through digital signatures, but it does not control or restrict the ability to perform a zone transfer; it only ensures that the zone data has not been tampered with. Option C is wrong because changing the default port of 53 to a non-standard port is not a viable countermeasure; DNS clients and servers expect port 53, and changing it would break normal DNS resolution, while an attacker can easily scan for the new port. Option D is wrong because disabling DNS recursion prevents the server from resolving queries for external domains on behalf of clients, but it does not affect the server's ability to perform or allow zone transfers, which are a separate function of authoritative DNS servers.

126
MCQ · easy

A security analyst wants to gather information about a target domain using public records without directly interacting with the target's systems. Which technique is the analyst employing?

A.Vulnerability scanning
B.OSINT using WHOIS queries
C.Active reconnaissance
D.Social engineering
Answer: B

WHOIS is a passive OSINT technique that retrieves domain registration details without contacting the target servers.

Why this answer

OSINT (Open Source Intelligence) using WHOIS queries is a passive reconnaissance technique that gathers domain registration details from public WHOIS databases without interacting with the target's systems. This aligns with the requirement to use public records and avoid direct contact, making it the correct choice for footprinting.

Exam trap

EC-Council often tests the distinction between active and passive reconnaissance, and the trap here is that candidates confuse WHOIS queries with active techniques because they involve sending a query, but since the query goes to a public third-party database (not the target's systems), it remains passive.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning actively sends probes and packets to the target's systems to identify weaknesses, which directly interacts with the target and is not passive. Option C is wrong because active reconnaissance involves direct interaction with the target's systems (e.g., port scanning, ping sweeps), which violates the 'without directly interacting' condition. Option D is wrong because social engineering involves manipulating human targets through direct or indirect communication (e.g., phishing calls), which is an active technique and not based on public records.

127
MCQ · hard

A penetration tester uses the following Nmap command: nmap -sS -O -p 1-1000 10.0.0.1. The output shows port 22 as open, and OS detection suggests 'Linux 2.6.x'. The tester then runs: nmap -sV -p 22 10.0.0.1. What additional information does the second scan provide?

A.It confirms the OS is Linux 2.6.x
B.It checks if the port is filtered by a firewall
C.It identifies the version of the SSH service running
D.It performs a UDP scan on port 22
Answer: C

-sV performs version detection on the specified port.

Why this answer

The second scan uses the `-sV` flag, which enables version detection. Nmap probes the open port 22 (SSH) to determine the exact service version (e.g., OpenSSH 5.3p1). This is distinct from OS detection (`-O`), which guesses the operating system based on TCP/IP stack fingerprinting.

The `-sV` scan provides granular service version information, not OS confirmation or firewall status.

Exam trap

The trap here is confusing OS detection (`-O`) with service version detection (`-sV`), leading candidates to think `-sV` confirms the OS when it actually identifies the application version running on the port.

How to eliminate wrong answers

Option A is wrong because `-sV` does not confirm the OS; OS detection is performed by the `-O` flag in the first scan, and version detection only identifies the application version, not the underlying OS. Option B is wrong because checking if a port is filtered by a firewall requires a different scan type, such as a SYN scan (`-sS`) with firewall evasion techniques or a scan that analyzes RST responses; `-sV` assumes the port is open and attempts a full connection to grab the service banner. Option D is wrong because `-sV` performs TCP version detection on the specified port (22), not a UDP scan; a UDP scan requires the `-sU` flag.

128
MCQ · hard

A security analyst observes the following Nmap output for a target host:

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https

The analyst then runs a version detection scan and notices that port 80 reports 'Apache httpd 2.4.41' but port 443 reports 'Apache httpd 2.4.41' as well. What is the MOST likely conclusion?

A.The target is running two separate web servers on different ports
B.The target is likely running a single web server that handles both HTTP and HTTPS traffic
C.The target is running a reverse proxy that forwards traffic to different backends
D.The version detection is incorrect due to false positives
Answer: B

Many web servers listen on both ports 80 and 443 for HTTP and HTTPS respectively.

Why this answer

Option B is correct because when both port 80 (HTTP) and port 443 (HTTPS) report the same Apache httpd version (2.4.41), it strongly indicates that the same web server process is listening on both ports. Apache httpd can be configured to handle both plain HTTP and TLS-encrypted HTTPS traffic simultaneously, typically using separate VirtualHost directives or a single configuration that binds to both ports. The identical version string makes it unlikely that two separate web server instances are running, as they would often differ in patch level or configuration.

Exam trap

The trap here is that candidates assume different ports must mean different servers or a reverse proxy, but the CEH exam expects you to recognize that identical version strings from Nmap -sV indicate a single web server instance handling both protocols.

How to eliminate wrong answers

Option A is wrong because running two separate web servers on different ports would typically result in different version strings, build dates, or banner details; identical version output strongly suggests a single server instance. Option C is wrong because a reverse proxy (e.g., Nginx, HAProxy) would present its own banner on the listening ports, not the backend Apache version; the Nmap version detection directly queried the Apache service, not a proxy layer. Option D is wrong because Nmap version detection (-sV) uses probe-response matching against a signature database and is highly reliable for common services like Apache httpd; false positives are rare and would not produce identical version strings on two ports.

129
MCQ · medium

A penetration tester executes the following command: nmap -sS -p 1-1000 --script banner 192.168.1.10. After the scan, the tester notices several filtered ports. Which of the following BEST explains why Nmap reports a port as "filtered"?

A.The port is open, and the service is responding with a banner
B.A firewall is blocking the probe packets, and Nmap cannot determine if the port is open
C.The port is open and actively listening
D.The port is closed and the target sent an RST packet
Answer: B

Filtered indicates that no response was received, typically because a firewall dropped the packet.

Why this answer

Option B is correct because Nmap's SYN scan (-sS) sends a SYN packet to the target port. When the probe receives no response or an ICMP unreachable message (e.g., type 3 code 13), Nmap classifies the port as 'filtered'. This typically indicates a firewall, ACL, or network filter is dropping the packets, preventing Nmap from determining whether the port is open or closed.

Exam trap

The trap here is that candidates often confuse 'filtered' with 'closed', but 'closed' requires an RST response, while 'filtered' indicates no response or an ICMP block, typically due to a firewall.

How to eliminate wrong answers

Option A is wrong because a port that responds with a banner would be classified as 'open', not 'filtered'. Option C is wrong because an open and actively listening port would respond with a SYN-ACK, leading Nmap to report it as 'open', not 'filtered'. Option D is wrong because a closed port sends an RST packet in response to the SYN probe, which Nmap interprets as 'closed', not 'filtered'.

130
MCQ · easy

Which of the following tools is specifically designed to perform Google dorking and automate searching for vulnerable web applications and sensitive information?

A.Maltego
B.theHarvester
C.Googledork
D.Shodan
Answer: C

Googledork automates Google hacking queries to find vulnerabilities and sensitive data.

Why this answer

Googledork (also known as Google Dork) is a tool specifically designed to automate Google dorking queries, which use advanced search operators to find vulnerable web applications and sensitive information exposed in search results. It systematically executes predefined dork queries against Google's index to identify SQL injection points, exposed configuration files, login pages, and other security weaknesses, making it the correct choice for this task.

Exam trap

The trap here is that candidates often confuse general OSINT tools like theHarvester or Maltego with Google-dorking-specific automation, failing to recognize that Googledork is the only option explicitly built for executing and automating Google dork queries.

How to eliminate wrong answers

Option A is wrong because Maltego is a graphical link analysis tool used for open-source intelligence (OSINT) and relationship mapping between entities (e.g., domains, email addresses, people), not for automating Google dorking queries. Option B is wrong because theHarvester is a tool for gathering email addresses, subdomains, and virtual hosts from public sources like search engines and PGP key servers, but it does not focus on executing Google dork queries to find vulnerable web applications. Option D is wrong because Shodan is a search engine for internet-connected devices (e.g., IoT, servers, webcams) and their banners, not a tool for performing Google dorking against Google's search index.

131
MCQ · medium

During a penetration test, the tester needs to identify the operating system of a remote host without sending any packets to it. Which technique should the tester use?

A.Banner grabbing with Telnet
B.Passive OS fingerprinting using captured packets
C.Querying Shodan for the target IP
D.Active OS fingerprinting with Nmap -O
Answer: B

Passive fingerprinting analyzes packet headers from existing traffic, such as via p0f.

Why this answer

Passive OS fingerprinting (Option B) is correct because it analyzes captured network traffic—such as TCP/IP packet headers, TTL values, window sizes, and DF flags—to infer the remote host's operating system without sending any packets. This technique relies on subtle differences in how various OS stacks implement RFC 793, making it ideal for stealthy reconnaissance where no direct contact with the target is permitted.

Exam trap

The trap here is that candidates often confuse 'passive OS fingerprinting' with 'banner grabbing' or 'Shodan queries,' assuming any non-intrusive method qualifies, but the key constraint is 'without sending any packets,' which eliminates all options except passive analysis of already-captured traffic.

How to eliminate wrong answers

Option A is wrong because banner grabbing with Telnet requires establishing an active TCP connection to the target, which sends packets and violates the 'no packets sent' constraint. Option C is wrong because querying Shodan is a passive information-gathering method that uses a third-party database, but it does not directly identify the OS of a remote host from the tester's own captured traffic; Shodan may provide OS guesses based on its own active scans, but the question specifies the tester must not send packets, and Shodan's data is not derived from the tester's capture. Option D is wrong because active OS fingerprinting with Nmap -O sends crafted probes (e.g., SYN, FIN, NULL scans) to the target and analyzes responses, which directly contradicts the requirement of not sending any packets.

132
MCQ · hard

A security analyst observes unusual outbound traffic from an internal host to an external IP on port 443. The analyst suspects a reverse shell where the internal host initiates an HTTPS connection to the attacker. Which Nmap script would be MOST useful to confirm the nature of this traffic if the analyst can run a scan on the internal host?

A.tls-nextprotoneg
B.smb-enum-shares
C.http-malware-host
D.ssh2-enum-algos
Answer: C

This script checks if the target domain is listed as malicious, which could indicate a command-and-control server.

Why this answer

Option C (http-malware-host) is correct because it checks the internal host's DNS cache or HTTP traffic against known malware domains, which can reveal if the outbound HTTPS connection is to a command-and-control server. Since the traffic is on port 443 (HTTPS), this script can identify malicious destinations without decrypting the traffic, making it ideal for confirming a reverse shell scenario.

Exam trap

The trap here is that candidates may choose tls-nextprotoneg (Option A) thinking it analyzes HTTPS traffic, but it only checks protocol negotiation, not malicious destinations, while http-malware-host directly correlates outbound connections with known threat intelligence.

How to eliminate wrong answers

Option A is wrong because tls-nextprotoneg is used to enumerate TLS next-protocol-negotiation (NPN) support, which is irrelevant to identifying malware or reverse shell traffic. Option B is wrong because smb-enum-shares enumerates SMB shares on Windows systems, which does not apply to HTTPS outbound traffic analysis. Option D is wrong because ssh2-enum-algos enumerates SSH algorithm support, which is unrelated to HTTPS or reverse shell detection.

133
MCQ · hard

A security analyst runs the command: nmap -sS -p 80,443,8080 --script http-headers scanme.nmap.org. The output shows that port 80 is filtered. What does 'filtered' mean in this context?

A.The port is open, but the service is not responding
B.The port is open and actively listening
C.The port is closed, but the target is responding with RST packets
D.A firewall or IDS is preventing the probe from reaching the port
Answer: D

Filtered means the probe was dropped or blocked, likely by a filtering device.

Why this answer

In Nmap, a 'filtered' port status indicates that the port is being blocked by a firewall, IDS, or other network filtering device, preventing the probe from reaching the target service. The -sS (SYN stealth scan) sends a SYN packet; if no response is received or an ICMP unreachable (type 3, code 13) is returned, Nmap marks the port as filtered. This does not mean the port is open or closed—it means the scan could not determine the state due to filtering.

Exam trap

The trap here is that candidates confuse 'filtered' with 'closed' or 'open|filtered', forgetting that 'filtered' specifically indicates a firewall or IDS is interfering, not that the port is simply unresponsive or sending RSTs.

How to eliminate wrong answers

Option A is wrong because 'filtered' does not imply the port is open; an open port that is not responding would typically be marked as 'open|filtered' if no response is received, not simply 'filtered'. Option B is wrong because an open and actively listening port would be reported as 'open' by Nmap after receiving a SYN/ACK response, not 'filtered'. Option C is wrong because a closed port responds with RST packets, which Nmap reports as 'closed', not 'filtered'; 'filtered' specifically means the probe was dropped or blocked without a TCP-level response.

134
Multi-Select · medium

Which TWO of the following Nmap flags can be used to bypass firewall restrictions? (Select 2)

Select 2 answers
A.-P0 (disable ping)
B.-f (fragment packets)
C.-T4 (aggressive timing)
D.-sS (SYN scan)
E.-D (decoy scan)
Answers: B, E

Fragmentation can bypass simple firewalls that don't reassemble packets.

Why this answer

Option B is correct because the -f flag fragments packets into smaller 8-byte chunks, which can evade simple firewall rules that inspect packet headers for known signatures or block oversized packets. Option E is correct because the -D flag performs a decoy scan by spoofing multiple source IP addresses, making it difficult for a firewall to identify the true scanning host and block it.

Exam trap

The trap here is that candidates often confuse stealth scanning (-sS) with firewall evasion, not realizing that SYN scans are still detectable by modern firewalls that track connection states, while fragmentation and decoys directly manipulate packet structure or source identity to bypass filters.

135
Multi-Select · hard

Which TWO of the following Nmap scan types are MOST effective for evading a stateful firewall that only allows established connections? (Select 2)

Select 2 answers
A.TCP SYN scan (-sS)
B.TCP connect scan (-sT)
C.Idle scan (-sI)
D.Ping sweep (-sn)
E.UDP scan (-sU)
Answers: A, C

Uses half-open connections; may bypass some stateful filters that only inspect full connections.

Why this answer

A TCP SYN scan (-sS) sends a SYN packet to initiate a connection without completing the three-way handshake. A stateful firewall that only allows established connections permits an incoming SYN only when it belongs to a session initiated from the inside; a standalone SYN from an external source is often blocked unless the firewall has been explicitly configured to allow new connections to specific ports. Even so, against a firewall that only allows established connections, a SYN scan is less likely to be blocked than a full connect scan: it never completes the handshake, so the probe may not be logged as an established session. The idle scan (-sI) evades the same filter by using a zombie host that already has an established session with the target, so the probes arrive as traffic the firewall already permits.

Exam trap

The trap here is that candidates often assume a TCP SYN scan is always stealthy, but in modern stateful firewalls, even a SYN packet can be logged and blocked if the firewall is configured to deny all inbound new connections; the key is that the question specifies a firewall that 'only allows established connections,' which means it permits traffic matching an existing session, and the idle scan exploits this by using a zombie that already has an established session with the target.

136
Multi-Select · hard

Which THREE of the following are legitimate uses of the Shodan search engine in a security assessment? (Select 3)

Select 3 answers
A.Performing SQL injection on a web application
B.Discovering internet-connected industrial control systems (ICS) with default passwords
C.Mapping all SSL/TLS certificates for a domain to find subdomains
D.Sending phishing emails to employees of a target organization
E.Identifying open ports and services on all hosts in a given IP range
Answers: B, C, E

Shodan can find ICS devices by their banners, some of which may have default credentials.

Why this answer

Shodan is a search engine for internet-connected devices. It indexes banners from services like HTTP, SSH, and FTP, allowing security assessors to identify exposed industrial control systems (ICS) such as SCADA devices. Discovering ICS with default passwords is a legitimate reconnaissance use because it helps assess the security posture of critical infrastructure without active exploitation.

Exam trap

The trap here is that candidates confuse Shodan's passive banner-gathering capability with active exploitation or social engineering, leading them to select options that involve direct interaction with the target (SQL injection or phishing) instead of legitimate reconnaissance.

137
MCQ · medium

A security analyst is asked to perform a fast scan of a large network (e.g., /16 subnet) to identify live hosts. Which tool is MOST suitable for this task due to its high speed?

A. hping3
B. Nmap
C. Masscan
D. Wireshark
Answer: C

Masscan is optimized for speed and can scan the entire internet in minutes.

Why this answer

Masscan is the most suitable tool for this task because it is designed specifically for high-speed scanning of large address spaces, such as a /16 subnet (65,536 hosts). It uses asynchronous transmission and can send packets at rates exceeding 10 million packets per second, making it significantly faster than Nmap for raw host discovery across massive ranges.

Exam trap

The trap here is that candidates often assume Nmap is always the fastest scanning tool due to its popularity, but Masscan is specifically engineered for speed on massive networks, and the CEH exam tests this distinction.

How to eliminate wrong answers

Option A is wrong because hping3 is a packet crafting and testing tool, not optimized for high-speed scanning of large networks; it operates synchronously and is better suited for targeted firewall testing or DoS simulation. Option B is wrong because while Nmap is powerful and versatile, its default scanning methods (e.g., TCP SYN scan) are slower than Masscan on very large subnets due to its sequential or semi-parallel processing overhead and lower default packet rate. Option D is wrong because Wireshark is a packet capture and analysis tool, not a scanning tool; it cannot actively send probes to discover live hosts.

138
MCQ · medium

An attacker uses a technique where they send a SYN packet with a spoofed source IP address to the target, and the target responds with SYN/ACK to the spoofed IP. The attacker never completes the handshake. This technique is known as:

A. SYN flood
B. TCP connect scan
C. Idle scan
D. Half-open scan
Answer: C

Idle scan uses a zombie host and spoofed IP to infer open ports from IPID changes.

Why this answer

The idle scan (option C) is correct because it uses a spoofed SYN packet with a zombie host's IP address to probe open ports on the target. The target sends a SYN/ACK to the zombie, but the attacker never completes the handshake; instead, the attacker monitors the zombie's IPID (IP Identification) field to infer whether the target's port is open or closed. The technique relies on the standard TCP response behaviour defined in RFC 793 and on the zombie's predictable IPID sequence to perform a blind, stealthy scan.

Exam trap

The trap here is that candidates confuse the idle scan with a half-open scan because both involve not completing the handshake, but the idle scan uniquely requires a spoofed source IP and a zombie host to measure IPID changes, whereas a half-open scan uses the attacker's own IP and sends a RST directly.

How to eliminate wrong answers

Option A (SYN flood) is wrong because it is a denial-of-service attack that sends a high volume of SYN packets to exhaust target resources, not a reconnaissance technique using a spoofed IP to infer port states. Option B (TCP connect scan) is wrong because it completes the full three-way handshake using the attacker's real IP address, not a spoofed source IP, and is detectable in logs. Option D (Half-open scan) is wrong because it sends a SYN packet with the attacker's own IP, receives a SYN/ACK, and then sends a RST to avoid completing the handshake; it does not use a spoofed IP or a third-party zombie to mask the attacker's identity.

139
MCQ · easy

A security analyst wants to gather information about a target domain without directly interacting with its systems. Which technique would be MOST appropriate?

A. Send ICMP echo requests to the target network
B. Run a vulnerability scan with Nessus
C. Perform a port scan using Nmap SYN scan
D. Query WHOIS databases for domain registration information
Answer: D

WHOIS queries access public registration databases without contacting the target's servers directly.

Why this answer

Option D is correct because querying WHOIS databases is a passive reconnaissance technique that retrieves publicly available domain registration information (e.g., registrar, creation/expiration dates, name servers, and administrative contacts) without sending any packets to the target's systems. This aligns with the goal of gathering information without direct interaction, as defined in the CEH footprinting phase.

Exam trap

The trap here is that candidates often confuse active scanning (like Nmap or Nessus) with passive reconnaissance, failing to recognize that any packet sent to the target constitutes direct interaction, whereas WHOIS queries are entirely external to the target's infrastructure.

How to eliminate wrong answers

Option A is wrong because sending ICMP echo requests (ping sweeps) involves direct interaction with the target network, which violates the requirement of no direct interaction. Option B is wrong because running a vulnerability scan with Nessus actively probes target systems for weaknesses, generating traffic and direct interaction. Option C is wrong because performing a port scan using Nmap SYN scan sends crafted TCP SYN packets to target hosts, which is an active reconnaissance technique that directly interacts with the target's systems.

140
MCQ · easy

Which of the following techniques is considered PASSIVE reconnaissance?

A. Ping sweeping a subnet
B. Banner grabbing with Telnet
C. Running a SYN scan with Nmap
D. Performing a WHOIS lookup
Answer: D

WHOIS queries public databases and does not interact with the target's systems.

Why this answer

WHOIS queries retrieve domain registration records from public databases like whois.iana.org or RDAP servers. Since the target server is never contacted directly — only public registries are queried — no packets are sent to the target's infrastructure, making it a purely passive reconnaissance technique.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance by making candidates think that any network-based query (like WHOIS) is active, when in fact WHOIS queries public third-party databases, not the target's own systems.

How to eliminate wrong answers

Option A is wrong because ping sweeping sends ICMP Echo Request packets to multiple hosts and waits for replies, actively probing the target network. Option B is wrong because banner grabbing with Telnet establishes a TCP connection (port 23 or other) to the target service and reads the initial banner, which is an active interaction. Option C is wrong because running a SYN scan with Nmap sends crafted TCP SYN packets to target ports and analyzes responses, which is an active scanning technique that can be detected by intrusion detection systems.

141
Multi-Select · easy

Which TWO of the following are valid port states that Nmap can report? (Select 2)

A. Unknown
B. Secured
C. Open
D. Filtered
E. Blocked
Answers: C, D

An open port has a service listening and accepting connections.

Why this answer

Nmap reports 'Open' when a port responds to a probe (e.g., SYN, ACK, or connect scan) with a positive acknowledgment, indicating a service is actively listening. This is one of the six fundamental port states defined in Nmap's output, directly derived from the TCP/IP protocol behavior during the scan.

Exam trap

The trap here is that candidates confuse 'filtered' with generic terms like 'blocked' or 'secured', or assume Nmap uses a catch-all 'unknown' state, when in fact Nmap has a precise, limited set of six states that must be memorized for the CEH exam.

142
MCQ · hard

A security team detects unusual outbound traffic from a host that appears to be a reverse shell. Which of the following Nmap features would be MOST effective for identifying the service running on the listening port of the command-and-control server?

A. UDP scan using the -sU flag
B. Nmap Scripting Engine (NSE) with the http-enum script
C. OS fingerprinting using the -O flag
D. Service version detection using the -sV flag
Answer: D

-sV probes open ports and compares responses to identify service names and versions, which is ideal for identifying a reverse shell service.

Why this answer

Option D is correct because the -sV flag instructs Nmap to perform service version detection by probing open ports and analyzing the responses to determine the exact application and version running on the listening port. In a reverse shell scenario, identifying the service (e.g., a specific SSH, HTTP, or custom listener) on the C2 server is critical for understanding the attack vector and planning remediation.

Exam trap

The trap here is that candidates confuse OS fingerprinting (-O) with service version detection (-sV), thinking that identifying the OS will reveal the service, but the CEH exam emphasizes that -sV is the dedicated flag for service and version identification on listening ports.

How to eliminate wrong answers

Option A is wrong because a UDP scan (-sU) is used to discover UDP services, but reverse shells typically use TCP for reliable communication, and UDP scanning would not effectively identify a TCP-based listening service. Option B is wrong because the http-enum script is designed to enumerate directories and files on HTTP/HTTPS services, but the C2 server may not be running a web service, and this script does not perform general service identification. Option C is wrong because OS fingerprinting (-O) determines the operating system of the target host, not the specific service or application version running on a listening port, which is irrelevant for identifying the C2 service.

143
MCQ · hard

An attacker sends a TCP SYN packet to a port and receives a TCP RST packet in response. According to Nmap's port state classification, what is the state of this port?

A. Filtered
B. Unfiltered
C. Closed
D. Open
Answer: C

A closed port responds with RST.

Why this answer

When Nmap sends a TCP SYN packet to a port and receives a TCP RST packet in response, it indicates that the port is reachable but no service is listening on it. Per RFC 793, a RST is sent when a SYN arrives on a closed port, so Nmap classifies this port as 'closed'.

Exam trap

EC-Council often tests the misconception that a RST response means the port is 'filtered' or 'open', but the correct interpretation per Nmap's classification is that a RST directly indicates a 'closed' port.

How to eliminate wrong answers

Option A is wrong because 'filtered' means the probe was dropped or blocked by a firewall or packet filter (no response or ICMP unreachable), not a TCP RST. Option B is wrong because 'unfiltered' is a special state used only in ACK scans (e.g., -sA) where the port is reachable but its open/closed status cannot be determined; it does not apply to a SYN scan receiving a RST. Option D is wrong because an 'open' port would respond with a SYN-ACK, not a RST.

144
MCQ · medium

Which Google dork would a penetration tester use to find login pages that are indexed by Google?

A. filetype:xls username password
B. intitle:"index of"
C. inurl:login
D. site:example.com intext:password
Answer: C

This searches for pages with 'login' in the URL, typically login forms.

Why this answer

Option C is correct because the Google dork 'inurl:login' specifically searches for URLs containing the word 'login', which commonly appear in login page paths (e.g., /login.php, /login.aspx). This allows a penetration tester to quickly identify indexed login portals for further reconnaissance, such as testing for default credentials or brute-force attacks.

Exam trap

The trap here is that candidates often confuse 'inurl:login' with 'intitle:login' or 'intext:login', but 'inurl:' is the precise operator for finding login pages by their URL structure, while 'intitle:' and 'intext:' target page titles and body content, respectively, which are less reliable for this specific purpose.

How to eliminate wrong answers

Option A is wrong because 'filetype:xls username password' targets Excel files that may contain credentials, not login pages. Option B is wrong because 'intitle:"index of"' reveals directory listings (e.g., open Apache indexes), not login pages. Option D is wrong because 'site:example.com intext:password' searches for pages containing the word 'password' in their body text, which could be any page (e.g., password reset forms or help pages), not specifically login pages.

145
MCQ · hard

An attacker uses `nmap -sI 10.0.0.5 192.168.1.10` to scan a target. This technique is known as an idle scan. Which condition is REQUIRED for this scan to work correctly?

A. The zombie host must be running a Windows operating system
B. The attacker must have root access on the target machine
C. The zombie host must have an incremental IP ID sequence that is not reset by other traffic
D. The target must be running a Linux server with SSH enabled
Answer: C

The idle scan relies on observing changes in the zombie's IP ID to infer port status. If the zombie receives other traffic, the IP ID may increment, causing false results.

Why this answer

The idle scan (nmap -sI) relies on the zombie host's IP ID sequence being predictable and incremental. The attacker probes the zombie's IP ID, sends a spoofed SYN packet to the target (appearing from the zombie), and then re-checks the zombie's IP ID. If the IP ID has increased by exactly 2 (or more if other traffic occurred), the target responded to the zombie, confirming the port is open.

The zombie must not reset or randomize its IP ID, and other traffic to the zombie must be minimal or accounted for, making an incremental IP ID sequence the essential condition.

Exam trap

EC-Council often tests the misconception that the zombie must be idle or that the target must have a specific service, but the core requirement is the zombie's IP ID sequence being incremental and not reset by other traffic.

How to eliminate wrong answers

Option A is wrong because the idle scan does not require any specific operating system on the zombie; it works with any host that uses an incremental IP ID sequence (e.g., many legacy Windows, Linux, or BSD systems). Option B is wrong because the attacker does not need root access on the target machine; the scan is performed externally, and root access is only needed on the attacker's machine to send raw packets (e.g., via libpcap). Option D is wrong because the target's operating system or SSH service is irrelevant; the idle scan works against any TCP port on any target, regardless of OS or running services.

146
MCQ · hard

During a vulnerability scan with Nessus, you find that port 445/TCP is open on a Windows server. Which of the following is the MOST likely associated risk?

A. SNMP community string brute-forcing
B. Remote code execution via SMB vulnerabilities
C. HTTP directory traversal
D. DNS cache poisoning
Answer: B

SMB on port 445 has known RCE vulnerabilities.

Why this answer

Port 445/TCP is used by Microsoft SMB (Server Message Block) over a direct TCP connection, commonly known as SMB over TCP. SMB has historically been plagued by critical remote code execution vulnerabilities, most notably EternalBlue (MS17-010) exploited by WannaCry. Therefore, an open SMB port on a Windows server presents a high risk of remote code execution if unpatched.

Exam trap

The trap here is that candidates may associate port 445 with file sharing only and overlook its history of critical remote code execution vulnerabilities, instead choosing a more generic or unrelated attack vector like HTTP directory traversal.

How to eliminate wrong answers

Option A is wrong because SNMP community string brute-forcing targets UDP ports 161/162, not TCP port 445. Option C is wrong because HTTP directory traversal exploits web servers on ports 80/443/TCP, not the SMB port. Option D is wrong because DNS cache poisoning attacks target DNS servers on UDP/TCP port 53, not port 445.

147
MCQ · medium

A penetration tester wants to identify live hosts on a large IP range without generating excessive network traffic. Which tool is BEST suited for fast host discovery?

A. Masscan
B. Maltego
C. dnsenum
D. Nessus
Answer: A

Masscan is designed for high-speed scanning of large address spaces.

Why this answer

Masscan is the best tool for fast host discovery across large IP ranges because it uses asynchronous transmission and can scan the entire IPv4 address space in under 10 minutes at a rate of 10 million packets per second. It minimizes network traffic by sending only SYN packets and not completing the TCP handshake, making it ideal for rapid live host detection without overwhelming the network.

Exam trap

The trap here is that candidates confuse 'host discovery' with 'vulnerability scanning' or 'OSINT gathering', leading them to choose Nessus or Maltego, but the question specifically asks for minimal traffic and speed, which only Masscan's asynchronous SYN scan achieves.

How to eliminate wrong answers

Option B is wrong because Maltego is a graphical link analysis tool for gathering and correlating open-source intelligence (OSINT), not a network scanner for live host discovery; it relies on existing data sources rather than sending packets. Option C is wrong because dnsenum is a DNS enumeration tool that queries DNS servers for subdomains and records, not a host discovery scanner; it does not send raw packets to probe IP addresses. Option D is wrong because Nessus is a comprehensive vulnerability scanner that performs deep, multi-packet scans with full handshakes and plugin checks, generating heavy traffic and taking much longer than needed for simple host discovery.

148
MCQ · medium

A security analyst runs `nmap -sS -sV -A 192.168.1.100` and obtains open ports and service versions. However, the analyst suspects the target is behind an IDS/IPS. Which Nmap technique would BEST evade detection while still performing a similar scan?

A. Add -f to fragment IP packets
B. Use -sT instead of -sS to perform a full TCP connect scan
C. Increase timing to -T5 for a faster scan
D. Replace -sV with -sU to scan UDP services
Answer: A

Fragmentation can evade simple packet inspection by IDS/IPS.

Why this answer

Option A is correct because using the `-f` flag fragments the IP packets, splitting the TCP header across multiple packets. This helps evade simple IDS/IPS signatures that rely on detecting a complete SYN scan in a single packet, as the fragmented packets may bypass pattern-matching rules or reassembly buffers.

Exam trap

EC-Council often tests the misconception that faster scans (`-T5`) are stealthier, when in reality they increase noise and detection risk, while fragmentation (`-f`) is a recognized evasion technique for bypassing packet inspection.

How to eliminate wrong answers

Option B is wrong because `-sT` performs a full TCP connect scan, which completes the three-way handshake and is more likely to be logged by the target system and detected by IDS/IPS due to the completed connections. Option C is wrong because increasing timing to `-T5` sends packets faster, which can actually increase the likelihood of detection by IDS/IPS due to abnormal traffic patterns or rate-based alerts. Option D is wrong because replacing `-sV` with `-sU` changes the scan type to UDP, which does not perform the same service version detection and is not a technique for evading detection; it simply scans different protocols.

149
MCQ · medium

During a reconnaissance phase, a penetration tester uses Shodan to search for devices with a specific open port. Which of the following BEST describes what Shodan provides beyond a simple port scan?

A. Real-time network traffic analysis
B. Passive DNS records and domain registration details
C. Banner information and service metadata from internet-connected devices
D. Historical vulnerability data for each device
Answer: C

Shodan's main feature is gathering banner information and metadata from scanned services.

Why this answer

Shodan is a search engine for internet-connected devices that actively probes IP addresses and collects banner information—the metadata that services (e.g., HTTP, SSH, FTP) return upon connection. This includes server headers, version strings, default credentials, and other service fingerprints, which goes far beyond a simple port scan that only reports whether a port is open or closed.

Exam trap

The trap here is that candidates confuse Shodan's banner-grabbing capability with a vulnerability scanner, assuming it provides historical CVE data, when in fact Shodan only shows the current service fingerprint and does not automatically map it to vulnerabilities.

How to eliminate wrong answers

Option A is wrong because Shodan does not perform real-time network traffic analysis; it uses periodic, active probing to collect static snapshots of service banners, not live packet captures or flow data. Option B is wrong because passive DNS records and domain registration details are the domain of tools like whois, SecurityTrails, or DNSdumpster, not Shodan—Shodan focuses on IP-level service metadata, not domain-level ownership or DNS history. Option D is wrong because Shodan does not provide historical vulnerability data for each device; while it may show the version of a service, it does not correlate that version with CVE databases or track patch history—that would require a separate vulnerability scanner or a platform like Shodan's own 'Vulnerabilities' feature (which is an add-on, not a core capability).

150
Multi-Select · medium

Which THREE of the following are common techniques used during the footprinting phase? (Choose three.)

A. Exploitation
B. Port scanning
C. WHOIS lookup
D. Google hacking
E. DNS zone transfer
Answers: C, D, E

WHOIS provides domain registration details.

Why this answer

WHOIS lookup is a footprinting technique that queries domain registration databases (e.g., whois.arin.net) to obtain registrant contact details, name servers, and registration dates. This information is publicly available and helps attackers map an organization's digital footprint without direct interaction with the target.

Exam trap

EC-Council often tests the distinction between footprinting (passive, non-intrusive) and scanning (active, intrusive), because candidates frequently misclassify port scanning or exploitation as footprinting techniques.
