CEH · topic practice

Scenario practice questions

Practise Certified Ethical Hacker (CEH) Scenario questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Scenario

What the exam tests

What to know about Scenario

Scenario questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Scenario exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Scenario questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

A penetration tester discovers that a target Windows system has port 445 open and responds to SMB requests. Which tool should the tester use to enumerate users, shares, and OS information from this system?

Question 2 · medium · multi select

Which THREE of the following are essential phases in the ethical hacking methodology as defined by EC-Council?

Question 3 · hard · multi select

An organization is investigating a potential malware infection. The security analyst observes unusual outbound connections to a known malicious IP address and finds a suspicious process running under a user's session. The analyst decides to perform memory analysis using Volatility. Which TWO commands would be most useful to identify the malicious process and its network connections?

Question 4 · medium · multiple choice

A penetration tester calls an employee claiming to be from the IT help desk and asks for their password to perform a 'security update'. The employee provides the password. Which social engineering technique is being used?

Question 5 · medium · multiple choice

A security analyst suspects that an attacker is scanning their network. They notice a large number of TCP SYN packets being sent to various ports on a single host, but no SYN-ACK responses are returned. Which type of scan is most likely being used?

Question 6 · hard · multiple choice

During a social engineering engagement, a tester calls the help desk posing as an employee from the IT department. The tester claims to be working on a critical system update and needs the employee's password to proceed. Which type of social engineering attack is being executed?

Question 7 · medium · multiple choice

During a penetration test, you notice that a web application accepts user input and displays it directly in the browser without sanitization. Which attack is most likely to succeed?

Question 8 · medium · multiple choice

A security analyst receives an alert that an external IP address is sending fragmented packets to the company's web server on port 80. The analyst suspects the attacker is using Nmap with fragmentation. Which Nmap flag is being used to fragment the probe packets?

Question 9 · medium · multiple choice

A security analyst receives an alert from the IDS indicating a port scan originating from IP 10.0.0.5. Upon investigation, the analyst finds that 10.0.0.5 is a legitimate internal server. Which type of scan is the attacker likely using to evade detection?

Question 10 · hard · multiple choice

A security analyst observes unusual outbound traffic from an internal host to an external IP on port 443. The analyst suspects a reverse shell where the internal host initiates an HTTPS connection to the attacker. Which Nmap script would be MOST useful to confirm the nature of this traffic if the analyst can run a scan on the internal host?

Question 11 · hard · multiple choice

A security team detects unusual outbound traffic from a host that appears to be a reverse shell. Which of the following Nmap features would be MOST effective for identifying the service running on the listening port of the command-and-control server?

Question 12 · easy · multiple choice

A user receives a phone call from someone claiming to be from IT support, asking for their password to troubleshoot an issue. Which social engineering technique is being used?

Question 13 · medium · multiple choice

An attacker calls a company's help desk, pretending to be a new employee who forgot his username and password. The attacker provides some employee details gleaned from social media and convinces the help desk to reset the password. Which social engineering technique is being used?

Question 14 · medium · multiple choice

An employee receives an email that appears to be from the CEO, requesting an urgent wire transfer. The email address is slightly misspelled (e.g., ceo@cornpany.com instead of ceo@company.com). This is an example of which type of attack?

Question 15 · easy · multiple choice

A security analyst notices repeated failed login attempts from a single external IP address targeting the company's webmail portal. The attempts use common usernames like 'admin', 'user', and 'test'. Which type of social engineering attack is MOST likely being attempted?

Question 16 · medium · multiple choice

During a social engineering engagement, an attacker calls an employee pretending to be from IT support and asks for their password to perform a system update. Which social engineering technique is being employed?

Question 17 · medium · multiple choice

A security analyst receives an alert indicating that a host on the internal network is sending a high volume of ICMP echo requests to multiple external IP addresses. The analyst notices that the source IP address is spoofed. Which type of attack is MOST likely occurring?

Question 18 · easy · multiple choice

A security analyst observes repeated failed login attempts from a single IP address targeting multiple user accounts. Which type of social engineering attack is being attempted?

Question 19 · hard · multiple choice

An attacker uses the Social Engineering Toolkit (SET) to craft a phishing email that appears to come from the company's CEO, requesting the recipient to urgently wire funds to a new vendor. This attack is BEST described as which type of social engineering?

Question 20 · medium · multiple choice

A user receives a phone call from someone claiming to be from IT support, asking for their password to perform a system update. This is an example of which social engineering technique?

Focused Scenario sessions

Start a Scenario-only practice session

Every question in these sessions is drawn from the Scenario domain — nothing else.

Related practice questions

Related CEH topic practice pages

Move into related areas when this topic feels solid.

Footprinting, Reconnaissance and Scanning practice questions

Practise CEH questions linked to Footprinting, Reconnaissance and Scanning.

Enumeration and System Hacking practice questions

Practise CEH questions linked to Enumeration and System Hacking.

Malware, Social Engineering and Network Attacks practice questions

Practise CEH questions linked to Malware, Social Engineering and Network Attacks.

Web Application and Injection Attacks practice questions

Practise CEH questions linked to Web Application and Injection Attacks.

Introduction to Ethical Hacking practice questions

Practise CEH questions linked to Introduction to Ethical Hacking.

Scanning Networks and Enumeration practice questions

Practise CEH questions linked to Scanning Networks and Enumeration.

Vulnerability Analysis and System Hacking practice questions

Practise CEH questions linked to Vulnerability Analysis and System Hacking.

Advanced Topics: Wireless, Cloud, IoT, Cryptography practice questions

Practise CEH questions linked to Advanced Topics: Wireless, Cloud, IoT, Cryptography.

Footprinting and Reconnaissance practice questions

Practise CEH questions linked to Footprinting and Reconnaissance.

Network and Web Application Attacks practice questions

Practise CEH questions linked to Network and Web Application Attacks.

Wireless, IoT and Cloud Security practice questions

Practise CEH questions linked to Wireless, IoT and Cloud Security.

Cryptography and Malware Analysis practice questions

Practise CEH questions linked to Cryptography and Malware Analysis.

Frequently asked questions

What does the CEH exam test about Scenario?
Scenario questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Scenario questions in a focused session?
Yes — the session launcher on this page draws every question from the Scenario domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CEH topics?
Use the topic links above to move to related areas, or go back to the CEH question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CEH exam covers. They are not copied from any real exam or dump site.