CEH Certification Practice Test: 65+ Must-Know Questions

The CEH certification (Certified Ethical Hacker) is one of the most widely recognized credentials for professionals entering or advancing in offensive cybersecurity roles. Offered by EC-Council, CEH certification validates foundational knowledge across ethical hacking techniques, attack methodologies, tools, and—most importantly—ethical responsibility.

Unlike narrowly focused penetration testing certifications, the CEH certification is broad by design. It introduces candidates to networking fundamentals, reconnaissance, vulnerability assessment, system hacking, and security controls, all through the lens of an ethical hacker operating under legal authorization.

This article is written for aspiring ethical hackers, SOC analysts, security engineers, and IT professionals currently studying for CEH certification or evaluating whether it aligns with their career goals. You’ll gain a clear understanding of what CEH certification actually tests, how to think through exam scenarios, and why conceptual clarity matters more than memorization.

A complete free practice test, quiz, and flashcards related to this topic are available at the bottom of this article.

What the CEH Certification Is (and Is Not)

The CEH certification is an entry-to-intermediate credential focused on awareness, methodology, and controlled offensive thinking. It does not certify mastery of exploitation frameworks or real-world red-team operations.

Instead, CEH emphasizes:

Understanding how attacks work
Recognizing attacker behavior and intent
Knowing which tools are used and why
Applying ethical and legal constraints at every step

This is why CEH remains popular with organizations—it ensures that certified professionals understand both offense and responsibility.

Ethics and Professional Responsibility in CEH

One of the most underestimated CEH certification topics is ethics.

Ethical hacking begins with authorization, confidentiality, and trust. CEH scenarios frequently reinforce that sensitive information discovered during an engagement must be protected and not disclosed, regardless of how valuable or interesting it may be.

From an exam perspective, this means:

Client confidentiality always outweighs curiosity
Sensitive findings are reported only through approved channels
Sharing discovered data externally is a violation of ethics

This ethical foundation appears early and often in CEH-style questions because it defines what separates an ethical hacker from a malicious one .

Reconnaissance and OSINT: Learning Before Touching

Passive vs Active Information Gathering

CEH places strong emphasis on reconnaissance, especially open-source intelligence (OSINT). Candidates are expected to understand how attackers gather information before launching attacks.

Examples include:

Using public job postings to infer technology stacks
Querying DNS records to map domains
Using WHOIS to identify IP ownership

A critical CEH lesson is that information exposure often starts publicly, long before a firewall is tested.

Networking Fundamentals Every CEH Candidate Must Know

OSI Model and Device Roles

CEH expects candidates to understand foundational networking concepts without ambiguity. For example:

Switches primarily operate at Layer 2, forwarding traffic using MAC addresses
Routers function at Layer 3, making IP-based decisions

These aren’t trick questions—but they expose weak fundamentals quickly.

TCP/IP and the Three-Way Handshake

The TCP three-way handshake (SYN, SYN/ACK, ACK) establishes:

Reliable communication
Sequence number synchronization
Session readiness

Understanding this process is essential for grasping port scanning, session hijacking, and firewall behavior.

Scanning and Enumeration: Seeing What Exists

Port Scanning Logic

Tools like nmap are central to CEH, but the exam focuses on why scans behave a certain way.

For example:

A SYN scan is “half-open” and more stealthy
A TCP Connect scan completes the handshake and is easily logged

Understanding scan behavior matters more than memorizing flags.

UDP Ambiguity

UDP scanning introduces uncertainty. When a scanner reports open|filtered, it means:

No response was received
The port may be open or filtered by a firewall

CEH tests your ability to interpret ambiguity, not just outputs.

Vulnerability Scanning vs Exploitation

A core CEH certification distinction is between finding weaknesses and exploiting them.

Vulnerability scanners such as Nessus or OpenVAS:

Identify known issues
Match services to vulnerability signatures
Do not exploit systems

CEH expects candidates to recognize that scanners support risk identification, not compromise.

False Positives and False Negatives Explained

This concept appears frequently because it mirrors real-world security operations.

False positives: Reported issues that don’t actually exist
False negatives: Real vulnerabilities that go undetected

False negatives are more dangerous because they create a false sense of security—a critical insight for any ethical hacker.

System Hacking and Persistence

Maintaining Access (Persistence)

Once access is gained, attackers often attempt to maintain it. In CEH, this phase focuses on:

Backdoors
Scheduled tasks
Persistence mechanisms surviving reboots

Understanding persistence helps defenders detect long-term compromise

Firewalls and Security Controls

Stateful vs Deep Packet Inspection (DPI)

CEH distinguishes between firewall types:

Stateful firewalls track connection state
DPI firewalls inspect packet payloads for malicious content

This distinction helps candidates understand layered defenses and detection depth.

Administrative Controls Matter

Not all security controls are technical. Policies, standards, and procedures are classified as administrative controls, reinforcing that security governance extends beyond hardware and software.

DNS, SMTP, and Service Enumeration

CEH tests protocol-specific enumeration knowledge, such as:

NS records identifying authoritative name servers
VRFY command for SMTP user validation
rpcinfo for enumerating RPC services

These topics emphasize how misconfigured services leak information.

Exploit Databases and Proof of Concept Code

CEH does not require exploit development, but it expects awareness of resources like Exploit-DB:

A repository of public exploit code
Used for validation and testing
Searchable via tools like searchsploit

This reinforces ethical usage: understanding exploits, not weaponizing them irresponsibly.

Advanced Concepts: Kerberoasting and Lateral Movement

CEH introduces modern attack techniques at a conceptual level. For example:

Kerberoasting targets service account tickets in Active Directory
Extracted tickets are cracked offline to recover passwords

The goal is awareness—recognizing attack patterns defenders must mitigate.

How to Study for the CEH Certification Effectively

Focus on Concepts, Not Tools Alone

CEH exams reward candidates who:

Understand attack logic
Interpret scenarios correctly
Apply ethical constraints consistently

Memorizing commands without understanding why they work is a common failure point.

Use Practice Tests for Knowledge Validation

High-quality practice questions help you:

Identify weak conceptual areas
Reinforce correct reasoning
Practice interpreting exam-style scenarios

They should be treated as learning tools, not predictors or guarantees of exam outcomes.

Please do not forget to checkout other free EC-Council practice tests on CertyBuddy.com: https://certybuddy.com/practice-tests/?vendor=ec-council

External References for Deeper Learning

For authoritative and up-to-date material, consult:

Conclusion: What CEH Certification Really Proves

The CEH certification demonstrates that you understand how attacks work, how systems fail, and how ethical boundaries shape professional security testing. It does not promise instant expertise—but it establishes a solid foundation for defensive and offensive roles alike.

If you’re preparing for CEH, the most effective next step is to validate your understanding, identify gaps, and reinforce fundamentals.

Start now by exploring CertyBuddy’s free CEH practice tests, quizzes, and flashcards to strengthen your confidence and confirm your readiness—one concept at a time.

/66

Ultimate EC-Council CEH Certification (v12) Practice Test

This psychological trigger is why a uniform or a title can be so persuasive.

1 / 66

Which principle of social engineering relies on the human tendency to comply with requests from figures like police officers, managers, or IT support personnel?

Reciprocity

Scarcity

Authority

Social Proof

This architecture removes a major component that system administrators traditionally spend a lot of time securing and patching.

2 / 66

What is a primary security benefit of a ‘serverless’ computing architecture?

It significantly reduces the attack surface by removing the need for the customer to manage and secure an underlying operating system.

It eliminates the possibility of web application vulnerabilities like SQL injection or cross-site scripting.

It provides built-in, foolproof authentication and access control for all functions.

All data transferred between serverless functions is automatically encrypted with the strongest possible algorithms.

This function involves implementing the safeguards that are in place before an incident occurs.

3 / 66

The NIST Cybersecurity Framework is built around five core functions. Which function is concerned with developing and implementing appropriate activities to ensure the resilience of systems and the organization?

Protect

Detect

Respond

Identify

Imagine having data on an old floppy disk but no floppy drive to read it; the data lacks this property.

4 / 66

According to the Parkerian Hexad, which property describes the usability of data, considering factors like format and accessibility with current technology?

Confidentiality

Utility

Authenticity

Possession

This model creates a ‘demilitarized zone’ between the business network and the factory floor network.

5 / 66

The Purdue Model for Industrial Control Systems (ICS) architecture is designed to create separation between different functional zones. What is the primary purpose of this segmentation?

To improve network performance by reducing broadcast traffic.

To ensure all devices, from corporate desktops to factory floor sensors, can communicate freely with each other.

To comply with financial regulations like Sarbanes-Oxley (SOX).

To separate the sensitive Operational Technology (OT) network from the business-focused Information Technology (IT) network.

This option helps you distinguish between different types of web servers running on port 80, for example.

6 / 66

An ethical hacker uses nmap with the `-sV` flag. What is the primary purpose of this flag?

To identify the operating system of the target host.

To determine the version of the service or application running on an open port.

To perform a very stealthy scan that is unlikely to be detected.

To enable verbose output, showing detailed information about the scan process.

This special address allows a machine to communicate with itself over the network stack.

7 / 66

In IPv4 addressing, what is the purpose of the 127.0.0.0/8 address range?

It is reserved for loopback addresses, which refer to the local host itself.

It is reserved for broadcasting messages to all hosts on the local network.

It is a range of private, non-routable IP addresses for use within LANs.

It is used for automatic private IP addressing (APIPA) when a DHCP server is unavailable.

This type of malware acts like a chameleon, changing its appearance to blend in and avoid being caught.

8 / 66

What is the defining characteristic of polymorphic malware?

It rewrites its own code for each new infection, changing its signature to evade detection by antivirus software.

It infects systems without writing any files to the disk, operating only in memory.

It is delivered inside a legitimate-looking program, tricking the user into running it.

It spreads automatically from one computer to another without user intervention.

This tool helps identify services that allow programs on one computer to execute procedures on a remote server.

9 / 66

During service enumeration, an ethical hacker uses the `rpcinfo` command. What is the primary purpose of this tool?

To walk the Management Information Base (MIB) tree on a network device using SNMP.

To list all file shares available on a Windows system using the SMB protocol.

To query a remote host's portmapper (rpcbind) service to identify registered RPC programs and their assigned ports.

To verify the existence of specific email addresses on a mail server using the SMTP protocol.

This type of cryptography is used to solve the ‘key exchange problem’ at the beginning of a secure session.

10 / 66

In a hybrid cryptosystem used for a TLS connection, what is the typical role of asymmetric cryptography?

To encrypt all the bulk data, such as the web page content, being transferred.

To securely exchange or establish a shared symmetric key that will be used for the session.

To replace the need for a certificate authority (CA) to verify identity.

To generate a cryptographic hash of the message for integrity checking.

Think about the evolution of security in network management protocols, specifically regarding authentication and confidentiality.

11 / 66

What is the primary security weakness of SNMPv1 that SNMPv3 was designed to address?

SNMPv1 is too slow for modern high-speed networks, while SNMPv3 is optimized for performance.

SNMPv1 uses weak, plaintext community strings for authentication and lacks any encryption.

SNMPv1 can only manage network devices, while SNMPv3 can also manage server operating systems.

SNMPv1 uses UDP, which is unreliable, while SNMPv3 uses TCP for guaranteed delivery.

Think of this as an attacker moving from room to room inside a house after breaking in through one window.

12 / 66

In the context of enterprise security, what is ‘lateral movement’?

An attacker performing internal reconnaissance to map out the network structure.

Escalating privileges from a standard user to an administrator on a single compromised machine.

The process of exfiltrating stolen data from the network to an external server.

The technique of using a compromised system to gain access to other systems within the same network.

Think about how TCP ensures that communication is reliable and ordered before any actual data is sent.

13 / 66

What is the primary purpose of the three-way handshake in the TCP protocol?

To broadcast a request to all hosts on a local network to discover available services.

To determine the MAC address associated with a target IP address.

To establish a reliable, connection-oriented session between two systems by synchronizing sequence numbers.

To negotiate the data format, such as character encoding (ASCII, Unicode), for the application layer.

Consider how many keys are involved in the process for each type of cryptography.

14 / 66

What is the primary difference between symmetric and asymmetric key cryptography?

Symmetric cryptography provides non-repudiation, while asymmetric cryptography does not.

Symmetric cryptography is significantly slower and more resource-intensive than asymmetric cryptography.

Symmetric cryptography uses a single shared key for both encryption and decryption, while asymmetric cryptography uses a pair of keys (public and private).

Symmetric cryptography is used for hashing, while asymmetric cryptography is used for encryption.

The key aspect of this attack is that the malicious script is saved by the website itself.

15 / 66

An attacker injects the following string into a comment box on a website: . The script is saved by the server and executes in the browser of every user who views the page containing the search results. What type of attack is this?

Command Injection

Reflected Cross-Site Scripting (XSS)

Persistent (or Stored) Cross-Site Scripting (XSS)

DOM-based Cross-Site Scripting (XSS)

This command’s name is an abbreviation for the action it performs: confirming an address.

16 / 66

An ethical hacker wants to enumerate users on a target’s SMTP server. Which SMTP command would be most direct for verifying if a single, specific username exists?

RCPT TO

DATA

VRFY

HELO

This is a specialized hardware component on the motherboard designed to handle cryptographic keys securely.

17 / 66

What is the primary function of a Trusted Platform Module (TPM) in relation to full disk encryption like BitLocker?

To significantly speed up the encryption and decryption process using hardware acceleration.

To scan the system for malware before the operating system boots.

To serve as a backup for user data in case the primary drive fails.

To provide a secure, hardware-based location to store the disk encryption keys.

One of these scan types is considered ‘half-open’ and is less likely to show up in application logs.

18 / 66

In nmap, what is the key difference between a SYN scan (-sS) and a TCP Connect scan (-sT)?

A SYN scan is slower and more easily detected by firewalls than a TCP Connect scan.

A SYN scan completes the full three-way TCP handshake, while a TCP Connect scan does not.

A SYN scan can only be used to scan UDP ports, while a TCP Connect scan is for TCP ports.

A SYN scan does not complete the three-way handshake, making it stealthier, while a TCP Connect scan completes the handshake, which is easily logged.

This attack manipulates a local network’s ‘address book’ that maps IP addresses to physical hardware addresses.

19 / 66

What is the primary mechanism behind an ARP spoofing (or ARP poisoning) attack?

Flooding the target with DNS requests to exhaust its resources.

Sending forged ARP reply messages to a victim's machine to associate the attacker's MAC address with a legitimate IP address.

Exploiting a vulnerability in the TCP/IP stack to cause a system crash.

Creating a rogue Wi-Fi access point with the same name as a legitimate one.

This process creates a digital ‘fingerprint’ of a file or message.

20 / 66

What is the purpose of a cryptographic hash function like SHA-256?

To encrypt a message so that it can be decrypted later with a key.

To generate a pair of public and private keys for secure communication.

To compress a large file into a smaller size for efficient storage.

To create a unique, fixed-length digest of a piece of data that can be used to verify its integrity.

Consider the connectionless nature of UDP and how that makes it difficult to interpret a lack of a reply.

21 / 66

When performing a port scan, what does the state `open|filtered` typically indicate about a UDP port?

The port is open, but it is filtered by an application-layer gateway that is inspecting the traffic.

The scanner received no response, so it cannot determine if the port is open or if a firewall is dropping the probe.

The port is confirmed to be closed, but a firewall is blocking the response message.

The port is confirmed to be open and is actively accepting connections.

This property of the CIA triad ensures that data has not been tampered with or corrupted.

22 / 66

What security property is primarily compromised by a man-in-the-middle attack where data is intercepted and altered in transit?

Possession

Integrity

Availability

Confidentiality

This attack manipulates the application’s memory to change its flow of execution.

23 / 66

What is the primary goal of a buffer overflow attack?

To cause a denial of service by making the application crash.

To fill the server's memory with data, preventing other applications from running.

To overwrite the return address on the stack to redirect program execution to attacker-supplied shellcode.

To inject malicious SQL queries into the application's database.

This resource is the counterpart to a vulnerability database (like CVE); it contains the ‘how-to’ for taking advantage of the listed weaknesses.

24 / 66

What is the primary function of the Exploit-DB repository in the context of system hacking?

To function as a command-and-control framework for managing compromised systems.

To provide a real-time feed of ongoing cyberattacks around the world.

To serve as a public archive of exploit code and shellcode for known vulnerabilities.

To act as an automated vulnerability scanner that finds and reports weaknesses.

This term describes an event where two different items have the same ‘fingerprint’.

25 / 66

What is a ‘collision’ in the context of a cryptographic hash function?

When the hashing algorithm crashes due to an invalid input format.

When the time taken to compute a hash exceeds a predefined limit.

When two different inputs produce the exact same hash output.

When a hash value is successfully reversed to reveal the original input data.

One type of firewall remembers the conversation, while the other reads the conversation’s content.

26 / 66

What is the primary difference between a stateful firewall and a deep packet inspection (DPI) firewall?

A stateful firewall operates at the Application Layer (Layer 7), while a DPI firewall operates at the Network Layer (Layer 3).

A stateful firewall can block traffic, while a DPI firewall can only log and alert on suspicious traffic.

A stateful firewall tracks connection states (e.g., NEW, ESTABLISHED), while a DPI firewall examines the actual data payload of the packets.

A stateful firewall only filters based on IP addresses and ports, while a DPI firewall also considers the state of the connection.

This technique attempts to remove the ‘S’ (Secure) from web traffic.

27 / 66

An attacker on a local network uses a tool that intercepts HTTP traffic and replaces HTTPS links with HTTP links to capture credentials. What is this tool or technique called?

DNS Spoofing

Wireshark

sslstrip

tcpdump

The name of this record type directly corresponds to its function of identifying servers that manage domain names.

28 / 66

An ethical hacker wants to find the authoritative name servers for a target domain. Which DNS record type should they query for?

A (Address) Record

CNAME (Canonical Name) Record

MX (Mail Exchanger) Record

NS (Name Server) Record

By creating an attractive network, the attacker tricks users into connecting through their malicious device.

29 / 66

An attacker sets up a rogue Wi-Fi access point in a coffee shop with the SSID ‘Free_Coffee_Shop_WiFi’. What is the primary goal of this attack?

To crack the WPA2 password of the legitimate coffee shop network.

To trick users into connecting to the attacker's network to intercept their traffic, capture credentials, or deploy malware.

To perform a DHCP starvation attack against the legitimate access point.

To jam the radio frequencies used by the legitimate access point, causing a denial of service.

This architecture assumes an attacker will eventually get inside and focuses on making their subsequent actions difficult and noisy.

30 / 66

A security team implements a defensible network architecture. What is a key principle of this approach that distinguishes it from a traditional defense-in-depth model?

Focusing solely on a strong perimeter firewall to prevent all intrusions.

Layering multiple preventive technologies like firewalls and antivirus without considering visibility.

Building the network in a way that facilitates easy monitoring and control to quickly detect and contain lateral movement.

Replacing all technological controls with administrative controls like policies and procedures.

These tools are designed to find potential security holes, not to break through them.

31 / 66

What is a primary objective of a vulnerability scanner like OpenVAS or Nessus?

To intelligently test for known vulnerabilities based on open ports and services, without attempting to compromise the system.

To map the network topology and identify all active hosts and their MAC addresses.

To gain administrative access to the target system by exploiting identified weaknesses.

To craft and send custom packets to test firewall rules and intrusion detection systems.

Each operator in a Google dork serves a very specific filtering function.

32 / 66

A penetration tester uses the Google dork `site:example.com filetype:pdf intext:”confidential”`. What is the goal of this search?

To find all confidential documents on example.com, regardless of file type.

To find all web pages on any site that link to PDF files on example.com.

To find PDF files located on the example.com domain that contain the word 'confidential'.

To find web pages on example.com where the word 'pdf' and 'confidential' appear in the URL.

This software turns an infected machine into a ‘zombie’ awaiting orders from its master.

33 / 66

A botnet client is installed on a compromised computer. What is the primary function of this client software?

To connect back to a command-and-control (C2) infrastructure to receive instructions.

To capture keystrokes and steal passwords from the infected user.

To encrypt all the files on the computer and demand a ransom.

To spread to other computers on the local network without user interaction.

Consider the type of address this device uses to make its forwarding decisions on a local network.

34 / 66

A switch in a star network topology primarily operates at which layer of the OSI model?

Layer 3 (Network Layer)

Layer 2 (Data Link Layer)

Layer 1 (Physical Layer)

Layer 4 (Transport Layer)

This toolkit automates the use of a very popular and comprehensive penetration testing framework.

35 / 66

The Social-Engineer Toolkit (SET) is a powerful tool for automating attacks. What underlying framework does it primarily leverage for its payload and listener capabilities?

Wireshark

Metasploit Framework

Nmap Scripting Engine (NSE)

John the Ripper

This process is designed to make the malicious payload look different each time to avoid signature-based security.

36 / 66

What is the primary purpose of using an encoder like `shikata_ga_nai` in `msfvenom`?

To obscure the payload's signature and evade detection by antivirus and intrusion detection systems.

To compile the source code of the payload into a machine-readable format.

To digitally sign the payload so it appears to come from a trusted source.

To compress the payload to a smaller size for faster delivery over the network.

This technique is a form of brute-forcing, but for resource names instead of passwords.

37 / 66

When using a web enumeration tool like `gobuster` or `dirb`, what is the primary technique being employed?

Using a wordlist to rapidly guess and check for the existence of hidden directories and files on a web server.

Analyzing the SSL/TLS certificate to find misconfigurations and weak ciphers.

Intercepting and modifying HTTP traffic between a user and the server.

Injecting SQL commands into web forms to query the backend database.

This hardware device is like putting a ‘Y’ splitter in a network cable to get a copy of the data.

38 / 66

What is the primary function of a network tap in the context of sniffing?

To actively block malicious network traffic based on a set of rules.

To assign IP addresses to clients on a network.

To create a physical, non-intrusive copy of network traffic that can be sent to a monitoring device without affecting the live network.

To amplify network traffic for the purpose of a Distributed Denial of Service (DDoS) attack.

This attack succeeds when the application mixes user data with database commands.

39 / 66

What is the primary vulnerability exploited by a SQL injection attack?

The web application failing to properly sanitize or validate user-supplied input before including it in a database query.

The web server failing to encrypt traffic between the client and server.

The user's web browser having scripting enabled, allowing malicious code to run.

The database server using a weak password for the administrator account.

This technique attempts to get a full ‘phone book’ of a domain’s hosts, rather than asking for one number at a time.

40 / 66

What is the primary advantage of using a `zone transfer` over multiple individual DNS queries for reconnaissance?

A zone transfer is stealthier and less likely to be logged by the target's DNS server.

A zone transfer can reveal internal, non-public hostnames that individual queries might miss.

A zone transfer encrypts the DNS data in transit, protecting it from eavesdropping.

A zone transfer can only be performed against a caching DNS server, not an authoritative one.

This phase is also known as establishing ‘persistence’ on a compromised system.

41 / 66

In the five phases of ethical hacking, what is the key objective of the ‘Maintaining Access’ phase?

To remove all logs and artifacts of the intrusion to avoid detection.

To install mechanisms that ensure continued entry to a system, even after a reboot or user logout.

To identify all active hosts and open ports on the target network.

To escalate privileges from a standard user account to an administrative or root account.

This technique involves sending a packet that violates the rules of the protocol to observe the target’s reaction.

42 / 66

An attacker uses the `hping` tool to send TCP packets with both the SYN and FIN flags set, a combination that should not occur in normal traffic. What is the likely purpose of this action?

To perform a standard TCP port scan to check for open ports.

To establish a fully functional, encrypted connection with the target.

To initiate a Distributed Denial of Service (DDoS) attack by exhausting server resources.

To test the target's network stack and security devices to see how they respond to poorly constructed packets.

These controls are about governance and managing people and processes, rather than technology or physical barriers.

43 / 66

Which type of security control are security policies, standards, and procedures considered to be?

Physical Controls

Administrative Controls

Technical Controls

Corrective Controls

Consider the level of responsibility: in one model you manage the operating system and applications, in the other you just use the software.

44 / 66

What is a key difference between IaaS (Infrastructure as a Service) and SaaS (Software as a Service)?

IaaS is typically used for developing new applications, while SaaS is used for data storage.

IaaS provides the application and the underlying infrastructure, while SaaS provides only the virtual hardware.

IaaS provides access to virtualized computing resources like VMs and storage, giving the customer high control, while SaaS delivers a complete, ready-to-use application over the internet.

IaaS is deployed on a private cloud, whereas SaaS is deployed on a public cloud.

Think about how malware might hide its true code from static analysis tools.

45 / 66

An analyst examining a Portable Executable (PE) file finds that the `.text` section is very small, while the `.data` section is unusually large. What does this often indicate?

The program is a simple command-line utility with minimal code.

The executable is likely packed or encrypted, with the main payload stored as data.

The file is corrupted and cannot be executed properly.

The program has been compiled with extensive debugging information included.

This model’s rules are designed to prevent information from flowing from a higher security level to a lower one.

46 / 66

The Bell-LaPadula security model is primarily concerned with enforcing which security principle?

Confidentiality

Non-repudiation

Availability

Integrity

Think about the ‘Required Skills’ section of a technical job posting.

47 / 66

During open-source intelligence (OSINT) gathering, what kind of information might an ethical hacker find in a company’s job listings on sites like LinkedIn?

The private IP addresses of internal servers.

The full source code for the company's proprietary applications.

Usernames and passwords for corporate accounts.

Specific technologies in use, such as firewall vendors (e.g., Palo Alto), router manufacturers (e.g., Cisco), and cloud platforms (e.g., AWS).

Before you can move sideways, you often need to move up.

48 / 66

After gaining initial access to a Windows system with a low-privilege shell, what is the next logical step for an attacker aiming for deeper compromise?

Immediately pivot to other machines on the network using the current credentials.

Install a keylogger to capture user passwords.

Wipe all system logs to cover their tracks.

Search for and execute a local privilege escalation exploit.

Think about the physical layout and the components needed to prevent signal degradation in each setup.

49 / 66

What distinguishes a bus network topology from a star network topology?

A bus network is more fault-tolerant because if one system fails, the rest of the network remains operational.

A bus network requires terminators at each end of the cable, while a star network does not.

A bus network uses switches for intelligent traffic forwarding, while a star network uses hubs.

A bus network connects every device to every other device, while a star network connects all devices to a central point.

This physical control system ensures that only one person can pass through a checkpoint for each successful authentication.

50 / 66

What is a ‘man trap’ designed to prevent?

Denial-of-service attacks against a building's biometric scanners.

Social engineers impersonating delivery drivers to gain access.

Tailgating, where an unauthorized person follows an authorized person through a secure door.

The cloning of RFID-based proximity cards.

IoT devices are typically single-purpose and lack the features of a general-purpose computer.

51 / 66

Which of the following would NOT be considered an Internet of Things (IoT) device?

A network-connected thermostat that can be controlled by a mobile app.

A digital video recorder (DVR) that can be programmed over the internet.

A smart light switch that connects to a home Wi-Fi network.

A Chromebook running Chrome OS.

This technique uses the first compromised machine as a stepping stone to reach deeper into the target’s network.

52 / 66

What is the technique of ‘pivoting’ in a penetration test?

Finding a zero-day vulnerability and developing a custom exploit for it.

Rapidly changing the source IP address of an attack to evade detection.

Encrypting all data on a compromised system and demanding a ransom.

Using a compromised system to attack other systems on different, internal network segments.

This architectural style thinks of an application not as one big program, but as a collection of smaller, independent programs working together.

53 / 66

What is a key characteristic of a service-oriented architecture (SOA)?

All data is stored in a single, large relational database table to improve performance.

The application is designed to run exclusively on mainframe computers.

Application functionality is broken down into distinct, reusable services that communicate with each other over a network.

The entire application logic is contained within a single, monolithic executable file.

This attack is like having one person take all the tickets from a dispenser, leaving none for anyone else.

54 / 66

What is the goal of a DHCP starvation attack?

To cause the DHCP server to crash by sending malformed DHCP packets.

To modify the DHCP server's configuration to hand out malicious DNS server addresses.

To steal the DHCP server's administrative credentials.

To exhaust all available IP addresses from the legitimate DHCP server's pool, allowing a rogue DHCP server to respond to new clients.

This Windows file system feature allows a file to have more than one stream of data, but only one is typically visible.

55 / 66

An attacker hides a malicious payload within a seemingly benign file using an Alternate Data Stream (ADS) on an NTFS filesystem. What is the primary advantage of this technique?

The technique works on any file system, including FAT32 and ext4.

The payload can be executed directly by double-clicking the host file.

The data is automatically encrypted by the file system, protecting it from analysis.

The file size reported by standard tools like Windows Explorer will not change, making the payload difficult to detect.

This category of database is known for its schema-less flexibility and is often associated with modern web applications.

56 / 66

Which database type uses a flexible structure of key-value pairs, as might be represented by JSON, and does not enforce a rigid schema like a traditional relational database?

Relational Database

Hierarchical Database

Object-Oriented Database

NoSQL Database

These organizations are responsible for the allocation and registration of number resources on the internet.

57 / 66

What is the primary purpose of using the `whois` tool against a Regional Internet Registry (RIR) like ARIN or RIPE NCC?

To search social media sites for employees of a target company.

To identify the organization that owns a specific block of IP addresses.

To find all hostnames associated with a specific domain name.

To obtain the SSL/TLS certificate for a secure website.

This technique is like leaving a tempting but dangerous object for someone to find.

58 / 66

What is the social engineering technique of ‘baiting’?

Following an authorized person through a secure door without using a badge.

Making a phone call while pretending to be someone else, such as a help desk technician, to elicit information.

Leaving a malware-infected USB drive in a public place, like a parking lot, for someone to find and plug into their computer.

Sending a targeted email to a specific individual to trick them into revealing sensitive information.

This type of ARP message is unsolicited and can be used to maliciously update the address tables of other devices.

59 / 66

A packet capture shows a series of gratuitous ARP packets being broadcast on the network. What is likely occurring?

An ARP spoofing attack is in progress, attempting to poison the ARP caches of hosts on the network.

The primary network switch has failed, and hosts are attempting to find a new path to the gateway.

Multiple new devices are joining the network and requesting IP addresses from the DHCP server.

A port scanner is actively probing all hosts on the network to find open TCP ports.

This attack is like having many people start a conversation with a server but never finishing their sentences.

60 / 66

A `slowloris` attack is a type of denial-of-service attack that targets a web server. How does it work?

By sending a massive volume of UDP packets to overwhelm the server's network bandwidth.

By sending fragmented IP packets that overlap, causing the server's operating system to panic and reboot.

By opening many connections to the web server and keeping them open by sending partial HTTP requests very slowly.

By exploiting a vulnerability in the server's software that causes it to crash with a single malformed packet.

This type of analysis is like reading the blueprints of a machine without ever turning it on.

61 / 66

In malware analysis, what is the primary goal of static analysis?

To allow the malware to infect a virtual machine and then analyze the memory dump for artifacts.

To reverse-engineer the malware's command-and-control protocol by communicating with the live server.

To analyze the malware's code and properties without executing it, using tools like disassemblers and string viewers.

To observe the malware's behavior in a controlled sandbox environment, monitoring its network connections and file system changes.

This attack targets the authentication tickets used by service accounts in an Active Directory environment.

62 / 66

What is Kerberoasting?

A password cracking attack that extracts service account ticket hashes from memory to crack them offline.

An attack that exploits a vulnerability in the SMB protocol to gain remote code execution.

A denial-of-service attack that floods a domain controller with authentication requests.

A method of privilege escalation that involves modifying the Kerberos authentication process to grant administrative rights.

This tool is part of the Samba package and serves as the non-Windows counterpart to a common Windows networking command.

63 / 66

What is a significant advantage of using the `nmblookup` tool on a Linux system during enumeration?

It enumerates Java RMI services registered with a remote rmiregistry.

It can exploit the EternalBlue vulnerability to gain remote access.

It provides functionality similar to the Windows `nbtstat` tool for querying NetBIOS names over TCP/IP.

It can perform a full TCP port scan of the target host.

Consider the perspective of the scanner’s report versus the actual state of the system.

64 / 66

What is the primary difference between a false positive and a false negative in the context of a vulnerability scan?

A false positive is a real vulnerability missed by the scanner, while a false negative is a non-issue flagged as a vulnerability.

Both false positives and false negatives refer to vulnerabilities that automated tools cannot exploit, requiring human intervention.

A false positive is an issue the scanner correctly identifies, while a false negative is an issue the scanner fails to identify.

A false positive is when a scanner indicates an issue that doesn't exist, while a false negative is when the scanner misses a real vulnerability.

This model offers a complete ‘platform’ for developers to build upon, without needing to manage the OS or underlying virtual machines.

65 / 66

Which cloud computing service model provides the customer with a pre-configured system including an operating system and enterprise software like a database server, but not the underlying hardware management?

Software as a Service (SaaS)

Infrastructure as a Service (IaaS)

Platform as a Service (PaaS)

Storage as a Service (SaaS)

The first word in ‘ethical hacking’ is the most important part of the phrase and guides professional conduct.

66 / 66

An ethical hacker signs an agreement to protect a client’s intellectual property. During an engagement, the hacker discovers sensitive internal information. According to the CEH code of ethics, what is the primary responsibility regarding this information?

Report the sensitive information to a public vulnerability disclosure program.

Keep the discovered information private and protect it from disclosure.

Share the information with other ethical hackers to get a second opinion on its severity.

Use the information to demonstrate a deeper system compromise to the client.

Your score is