CEH · topic practice

Vulnerability Analysis and System Hacking practice questions

Practise Certified Ethical Hacker (CEH) Vulnerability Analysis and System Hacking questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
19 questions · Domain: Vulnerability Analysis and System Hacking

What the exam tests

What to know about Vulnerability Analysis and System Hacking

Vulnerability Analysis and System Hacking questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Vulnerability Analysis and System Hacking exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Vulnerability Analysis and System Hacking questions

19 questions · select your answer, then reveal the explanation

A penetration tester discovers that a target Windows system has port 445 open and responds to SMB requests. Which tool should the tester use to enumerate users, shares, and OS information from this system?

An ethical hacker is assessing a Linux web server running Apache. The server is suspected to have a remote file inclusion (RFI) vulnerability. Which testing approach is most appropriate to confirm the vulnerability without causing damage?

During a penetration test, a tester gains access to a Linux system and needs to escalate privileges. The tester finds that the user has sudo privileges to run /usr/bin/less as root without a password. Which technique should the tester use to escalate privileges?

A security analyst runs a vulnerability scan and finds that a server is vulnerable to CVE-2021-44228 (Log4j). Which of the following is the best immediate remediation step?

An ethical hacker is testing a web application that uses cookies for session management. The tester notices that the session cookie does not have the HttpOnly or Secure flags set. Which attack is most likely to succeed due to this misconfiguration?

Which TWO of the following are valid techniques for password cracking?

Which THREE of the following are common indicators of a buffer overflow vulnerability?

Based on the Nmap scan output, which service is most likely vulnerable to remote code execution?

Exhibit

Refer to the exhibit.

```
$ nmap -sV -p 22,80,443,8080 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-15 10:00 UTC
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
8080/tcp open  http    Apache Tomcat 8.5.5
MAC Address: 00:1A:2B:3C:4D:5E (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
```
Question 9 · medium · multiple choice

You are a penetration tester hired by a medium-sized financial company. The company has a network consisting of 50 Windows workstations (Windows 10 Pro) and 5 Windows Server 2019 servers (domain controller, file server, web server, database server, and mail server). The network is segmented into three VLANs: User VLAN (192.168.1.0/24), Server VLAN (192.168.2.0/24), and DMZ (192.168.3.0/24). The web server is in the DMZ and hosts a public-facing e-commerce application built on ASP.NET with a SQL Server backend. The database server is in the Server VLAN and is not directly accessible from the internet. You are given a standard user account on a workstation in the User VLAN. After initial reconnaissance, you discover that the web server is running an outdated version of IIS (7.5) and is vulnerable to a known privilege escalation vulnerability (CVE-2020-0613) that allows local privilege escalation if an attacker has already gained initial access. You also find that the web application has a SQL injection vulnerability in the login page. You successfully exploit the SQL injection to extract the password hash of the web application's service account, which is 'web_svc'. You crack the hash offline and obtain the plaintext password. The 'web_svc' account has local administrative privileges on the web server. Using these credentials, you authenticate to the web server via RDP. From there, you want to pivot to the database server to extract credit card information stored in the database. The database server only allows connections from the web server on port 1433 (SQL Server). Using the 'web_svc' account, you are able to connect to the database server using SQL Server Management Studio. However, you find that the 'web_svc' account has only 'public' and 'guest' database roles, which do not allow reading any sensitive tables. You need to escalate privileges on the database server. What is the most effective next step?

A penetration tester is analyzing a Windows 10 system and runs the following command to dump password hashes from the SAM database. The output shows hashes for local users but some are missing. Which step is most likely missing?

Which TWO vulnerabilities are associated with buffer overflow attacks?

Based on the exhibit, which service should be targeted first to gain initial access with the highest chance of success?

Exhibit

Refer to the exhibit.

```
Target: 192.168.1.10
Port scanning results:
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp open     mysql
8080/tcp open     http-proxy

Vulnerability scan summary:
- SSH: OpenSSH 7.2p2 (CVE-2016-6210 - High)
- HTTP: Apache 2.4.7 (CVE-2015-0228 - Medium)
- MySQL: MySQL 5.5.52 (CVE-2016-6662 - Critical)
- Proxy: Squid 3.5.23 (CVE-2019-12524 - High)
```

Drag and drop the steps to configure a firewall rule in iptables to block incoming SSH traffic into the correct order.

Match each type of attack to its description.

Social engineering via deceptive emails

Intercepting communication between two parties

Inserting malicious SQL queries into input fields

Overwhelming a system to make it unavailable

Associating attacker's MAC with victim's IP

Refer to the exhibit. An analyst runs netstat on a Windows server and observes multiple established connections to port 3389 from internal IPs. Which attack is most likely occurring?

Exhibit

```
netstat -ano | findstr :3389
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.10:3389      10.0.0.5:49152         ESTABLISHED     1234
  TCP    192.168.1.10:3389      10.0.0.6:49153         ESTABLISHED     1234
netstat -ano | findstr :445
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       5678
  TCP    192.168.1.10:445       192.168.1.20:49154     ESTABLISHED     5678
```

Refer to the exhibit. A security auditor reviews the password hashes. Which user has the weakest password hash?

Exhibit

```
# /etc/shadow (partial)
root:$6$xyz$abcdef...:18000:0:99999:7:::
admin:$6$abc$12345...:18005:0:99999:7:::
user:$1$def$67890...:18000:0:99999:7:::
# /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
ENCRYPT_METHOD SHA512
```

Refer to the exhibit. An attacker wants to exploit a known vulnerability. Which service is most likely vulnerable to CVE-2019-0215?

Exhibit

```
nmap -sV -p 22,80,443,8080 192.168.1.100
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.100
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
443/tcp  open  ssl/http   Apache httpd 2.4.18 ((Ubuntu))
8080/tcp open  http-proxy Squid http proxy 3.5.12
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Refer to the exhibit. A penetration tester runs hashcat to crack NTLM hashes. Which hash mode (-m) would be correct for NTLM?

Exhibit

```
c:\) hashcat -m 1000 -a 0 hashes.txt wordlist.txt --show
$1$abc$12345:password
$5$xyz$67890:qwerty
$6$def$11111:letmein
$2y$10$abcdefg:hunter2
c:\) hashcat -m 1000 -a 0 hashes.txt wordlist.txt --potfile-disable
```
Question 19 · hard · multiple choice

Refer to the exhibit. A security analyst checks for missing patches. Which vulnerability is this system likely exposed to?

Exhibit

```
C:\Users\Admin> wmic qfe get HotFixID,InstalledOn
HotFixID   InstalledOn
KB4569558  9/17/2020
KB4570333  9/17/2020
KB4574727  9/8/2020
KB4577586  9/8/2020
C:\Users\Admin> ver
Microsoft Windows [Version 10.0.19041.508]
C:\Users\Admin> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    CurrentBuild    REG_SZ    19041
```

Focused Vulnerability Analysis and System Hacking sessions

Start a Vulnerability Analysis and System Hacking only practice session

Every question in these sessions is drawn from the Vulnerability Analysis and System Hacking domain — nothing else.

Related practice questions

Related CEH topic practice pages

Move into related areas when this topic feels solid.

Footprinting, Reconnaissance and Scanning practice questions

Practise CEH questions linked to Footprinting, Reconnaissance and Scanning.

Enumeration and System Hacking practice questions

Practise CEH questions linked to Enumeration and System Hacking.

Malware, Social Engineering and Network Attacks practice questions

Practise CEH questions linked to Malware, Social Engineering and Network Attacks.

Web Application and Injection Attacks practice questions

Practise CEH questions linked to Web Application and Injection Attacks.

Introduction to Ethical Hacking practice questions

Practise CEH questions linked to Introduction to Ethical Hacking.

Scanning Networks and Enumeration practice questions

Practise CEH questions linked to Scanning Networks and Enumeration.

Vulnerability Analysis and System Hacking practice questions

Practise CEH questions linked to Vulnerability Analysis and System Hacking.

Advanced Topics: Wireless, Cloud, IoT, Cryptography practice questions

Practise CEH questions linked to Advanced Topics: Wireless, Cloud, IoT, Cryptography.

Footprinting and Reconnaissance practice questions

Practise CEH questions linked to Footprinting and Reconnaissance.

Network and Web Application Attacks practice questions

Practise CEH questions linked to Network and Web Application Attacks.

Wireless, IoT and Cloud Security practice questions

Practise CEH questions linked to Wireless, IoT and Cloud Security.

Cryptography and Malware Analysis practice questions

Practise CEH questions linked to Cryptography and Malware Analysis.

Frequently asked questions

What does the CEH exam test about Vulnerability Analysis and System Hacking?
Vulnerability Analysis and System Hacking questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Vulnerability Analysis and System Hacking questions in a focused session?
Yes — the session launcher on this page draws every question from the Vulnerability Analysis and System Hacking domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CEH topics?
Use the topic links above to move to related areas, or go back to the CEH question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CEH exam covers. They are not copied from any real exam or dump site.