CEH · topic practice

Scanning Networks and Enumeration practice questions

Practise Certified Ethical Hacker (CEH) questions on Scanning Networks and Enumeration: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
19 questions · Domain: Scanning Networks and Enumeration

What the exam tests

What to know about Scanning Networks and Enumeration

Scanning Networks and Enumeration questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Scanning Networks and Enumeration exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Scanning Networks and Enumeration questions

During a penetration test, you discover that an internal web server responds to ICMP echo requests but does not respond to TCP SYN scans on port 80. However, when you browse to the server's IP using a browser, the web page loads successfully. What is the most likely reason for this behavior?

A security analyst is using Nmap to scan a network segment 192.168.1.0/24 and wants to identify live hosts without sending packets to every IP. Which scan type should the analyst use to minimize network traffic while discovering active hosts?

During an internal penetration test, you are tasked with enumerating services on a target server. You run a full TCP port scan and find that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. You then perform version detection on these ports. Which additional enumeration step would provide the most valuable information for identifying potential vulnerabilities?

A network administrator needs to identify all devices on a large corporate network that are running a specific vulnerable version of OpenSSH. The administrator has network access and can use scanning tools. However, scanning the entire network might disrupt operations. Which approach minimizes disruption while accurately identifying the vulnerable hosts?

Question 5 · easy · multiple choice

You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?

Which TWO types of information can be obtained through SNMP enumeration on a target device if the community string is 'public'? (Choose two.)

Which THREE Nmap options are commonly used to evade firewall detection during a scan? (Choose three.)

Refer to the exhibit. An Nmap scan shows that port 80 is 'filtered' while ports 22 and 443 are 'open'. What does the 'filtered' state indicate?

Exhibit

```
Starting Nmap 7.92 ( https://nmap.org ) at 2025-03-25 14:22 EDT
Nmap scan report for 10.10.1.45
Host is up (0.045s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   filtered http
443/tcp  open     https
```

Question 9 · hard · multiple choice

You are a penetration tester assessing a client's internal network. The client has provided you with a non-administrative domain user account. The target network consists of 200 Windows workstations and 5 Windows servers (one domain controller, one file server, two application servers, and one database server). All systems are fully patched and have host-based firewalls enabled. The client wants you to identify vulnerabilities that could be exploited from the internal network. After initial reconnaissance, you discover that all servers have SMB (port 445) open only to the domain controller and the file server has SMB open to all workstations. You have gained a foothold on a workstation via a phishing attack. From this workstation, you can reach the file server on port 445. What is the most effective next step to enumerate potential vulnerabilities on the file server?

A penetration tester discovers that an Nmap SYN scan against a target host returns no open ports, but a TCP connect scan reveals port 443 open. Which of the following is the most likely reason for this discrepancy?

Which THREE of the following are valid methods for enumerating users on a Windows domain without prior credentials? (Select exactly 3.)

Refer to the exhibit. A penetration tester runs the Nmap scan shown. Which of the following statements is most accurate regarding the state of port 3389?

Exhibit

```
$ sudo nmap -sS -sV -O -p 1-1000 192.168.1.10
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE         VERSION
22/tcp   open     ssh             OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http            Apache httpd 2.4.52
443/tcp  open     ssl/http        Apache httpd 2.4.52
3389/tcp filtered ms-wbt-server
8080/tcp open     http-proxy      Apache httpd 2.4.52
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Network Distance: 1 hop
```

Question 13 · hard · multiple choice

You are conducting a security assessment for a company that hosts a web application on AWS. The application consists of a public-facing load balancer, an EC2 instance running a Linux web server, and an RDS MySQL database in a private subnet. The web server is configured to allow SSH access only from the company's internal IP range (203.0.113.0/24). During initial reconnaissance, you discover that the load balancer's security group allows inbound HTTP/HTTPS from anywhere. You attempt an Nmap SYN scan against the EC2 instance's public IP but receive no response (host appears down). Using a TCP connect scan, you find that ports 80 and 443 are open on the EC2 instance's public IP, but port 22 is filtered. You then launch an EC2 instance in the same region and run a scan from that internal AWS IP, and you find that port 22 is open on the target EC2 instance's private IP. Which of the following is the most likely reason for the initial scan failure and the filtered SSH port?

Which TWO of the following Nmap scan types are typically used to evade firewalls and IDS systems by sending fragmented packets?

You are a penetration tester for a financial institution. During the reconnaissance phase, you discover that the target network uses a firewall that only allows inbound TCP connections on ports 80, 443, and 8080. You need to identify live hosts and running services on the internal network (192.168.1.0/24) from an external perspective. To avoid detection, you must minimize the number of packets sent and ensure that your scanning technique does not complete the TCP three-way handshake. Additionally, you have limited time and need to scan all 65535 ports on the most promising target. Based on the firewall rules and the need for stealth, which of the following approaches should you take?

Drag and drop the steps to conduct a penetration test using the CEH methodology into the correct order.

Drag and drop the steps to perform a buffer overflow exploit in a controlled lab environment into the correct order.

Match each security tool to its primary purpose.

Network scanning and enumeration

Packet capture and analysis

Exploitation framework

Password cracking

Web application security testing

Match each cloud security concept to its description.

Infrastructure as a Service - virtualized computing resources

Platform as a Service - development and deployment platform

Software as a Service - ready-to-use applications

Security duties split between provider and customer

Cloud Access Security Broker - policy enforcement between users and cloud

Focused Scanning Networks and Enumeration sessions

Start a Scanning Networks and Enumeration only practice session

Every question in these sessions is drawn from the Scanning Networks and Enumeration domain — nothing else.

Related practice questions

Related CEH topic practice pages

Move into related areas when this topic feels solid.

Footprinting, Reconnaissance and Scanning practice questions

Practise CEH questions linked to Footprinting, Reconnaissance and Scanning.

Enumeration and System Hacking practice questions

Practise CEH questions linked to Enumeration and System Hacking.

Malware, Social Engineering and Network Attacks practice questions

Practise CEH questions linked to Malware, Social Engineering and Network Attacks.

Web Application and Injection Attacks practice questions

Practise CEH questions linked to Web Application and Injection Attacks.

Introduction to Ethical Hacking practice questions

Practise CEH questions linked to Introduction to Ethical Hacking.

Scanning Networks and Enumeration practice questions

Practise CEH questions linked to Scanning Networks and Enumeration.

Vulnerability Analysis and System Hacking practice questions

Practise CEH questions linked to Vulnerability Analysis and System Hacking.

Advanced Topics: Wireless, Cloud, IoT, Cryptography practice questions

Practise CEH questions linked to Advanced Topics: Wireless, Cloud, IoT, Cryptography.

Footprinting and Reconnaissance practice questions

Practise CEH questions linked to Footprinting and Reconnaissance.

Network and Web Application Attacks practice questions

Practise CEH questions linked to Network and Web Application Attacks.

Wireless, IoT and Cloud Security practice questions

Practise CEH questions linked to Wireless, IoT and Cloud Security.

Cryptography and Malware Analysis practice questions

Practise CEH questions linked to Cryptography and Malware Analysis.

Frequently asked questions

What does the CEH exam test about Scanning Networks and Enumeration?
Scanning Networks and Enumeration questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Scanning Networks and Enumeration questions in a focused session?
Yes — the session launcher on this page draws every question from the Scanning Networks and Enumeration domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CEH topics?
Use the topic links above to move to related areas, or go back to the CEH question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CEH exam covers. They are not copied from any real exam or dump site.