CEH Practice Exam Part 1: Certified Ethical Hacker Questions & Answers
Boost your Certified Ethical Hacker (CEH) exam readiness with this practice test. This video covers 30 essential questions to help you master key CEH concepts. Follow CertPunch for more certification prep and visit certpunch.com for additional resources.
Chapters:
00:00 Intro
00:17 Question 1 of 30
00:53 Question 2 of 30
02:16 Question 3 of 30
03:54 Question 4 of 30
04:31 Question 5 of 30
06:39 Question 6 of 30
07:59 Question 7 of 30
08:43 Question 8 of 30
09:59 Question 9 of 30
11:46 Question 10 of 30
13:08 Question 11 of 30
14:37 Question 12 of 30
15:35 Question 13 of 30
16:32 Question 14 of 30
17:29 Question 15 of 30
18:51 Question 16 of 30
20:59 Question 17 of 30
21:37 Question 18 of 30
22:12 Question 19 of 30
23:26 Question 20 of 30
24:22 Question 21 of 30
25:36 Question 22 of 30
26:24 Question 23 of 30
27:41 Question 24 of 30
29:38 Question 25 of 30
30:27 Question 26 of 30
31:09 Question 27 of 30
32:31 Question 28 of 30
33:51 Question 29 of 30
35:05 Question 30 of 30
What you will practice
- What is the CVSS severity level for a score of 9.5?
- As a newly appointed ethical hacker for XYZ Corporation, you have been assigned your first major task. The co…
- As a senior cybersecurity professional at a multinational bank, you are investigating an incident where multi…
- Which of the following tactics uses malicious code to redirect users' web traffic?
- At XYZ Corporation, a multinational firm known for its digital services, the cybersecurity team is tasked wit…
- You are a cybersecurity consultant at a large healthcare organization. As part of your responsibilities, you…
Answers and explanations
Try to commit to your own pick before reading each answer.
Q1. What is the CVSS severity level for a score of 9.5?
Answer: C. Critical
A CVSS score of 9.5 is classified as Critical, making option C the correct answer.
Q2. As a newly appointed ethical hacker for XYZ Corporation, you have been assigned your first major task. The company has been facing persistent cyber threats and as a precautionary measure, you are tasked to conduct a thorough network vulner…
Answer: A. Stealth Scan (SYN Scan)
A SYN scan is the correct answer because it initiates a TCP connection without completing the handshake, making it stealthy and less likely to trigger an IDS.
Q3. As a senior cybersecurity professional at a multinational bank, you are investigating an incident where multiple systems have been infected with malware. On the affected systems, the malware remains dormant until a specific action triggers…
Answer: C. Polymorphic Malware: Employ advanced threat detection tools that use behavior-based detection techniques and ensure all systems are patched.
Polymorphic malware is correct because it changes its code to avoid detection, and behavior-based detection is the best mitigation strategy.
Q4. Which of the following tactics uses malicious code to redirect users' web traffic?
Answer: A. Pharming
Pharming is the correct answer as it uses malicious code to redirect web traffic to fraudulent sites.
Q5. At XYZ Corporation, a multinational firm known for its digital services, the cybersecurity team is tasked with ensuring a robust, secure network environment. This responsibility includes maintaining a keen focus on vulnerability assessment…
Answer: C. Swiftly apply a virtual patch to the affected web server using a web application firewall to temporarily safeguard against potential exploits.
Applying a virtual patch via a WAF is the correct first step to temporarily block exploits of a zero-day vulnerability.
Q6. You are a cybersecurity consultant at a large healthcare organization. As part of your responsibilities, you are tasked with making sure the company's systems are secure from various attacks. Recently, you've noticed some unusual traffic p…
Answer: C. The attacker splits malicious data packets into smaller segments to avoid detection.
Packet fragmentation is the correct answer because it allows an attacker to split malicious traffic into smaller segments to evade IDS detection.
Q7. A system analyst wants to implement an encryption solution that allows safe key distribution. Which encryption method should the analyst consider?
Answer: C. Asymmetric encryption
Asymmetric encryption is correct because it uses a public key for distribution while keeping the private key secure.
Q8. You're a security analyst conducting a footprinting exercise for a new client to uncover as much information as possible without direct interaction. Your preliminary investigation using search engines and public databases has provided a s…
Answer: C. Google Hacking can help identify weaknesses in the client's website code.
Google Hacking is correct because it can find vulnerabilities in website code by searching for specific error messages or file types.
Q9. As a certified ethical hacker, you have been engaged to evaluate the security protocols of a smart city project. This cutting-edge venture incorporates an interconnected system featuring intelligent traffic lights, public Wi-Fi points, and…
Answer: B. Isolate the implicated traffic light from the overarching network for a detailed investigation into its firmware to identify any possible security breaches.
Isolating the device is correct to contain the breach and prevent further compromise while investigating the firmware.
Q10. You are a security consultant who has been hired to conduct security awareness training at a mid-sized organization. During the session on social engineering, you emphasize the importance of being vigilant against different types of social…
Answer: C. A person gains access to the building by following an employee through a secure door before it closes.
Following an employee through a secure door is correct as it is the definition of a tailgating physical security attack.
Q11. As a recent graduate, you've landed your first job as a junior cybersecurity analyst for a local company. Your team leader is explaining the different types of hackers and their motivations. He mentions the term "hacktivist". According to…
Answer: A. A hacker who uses their skills to promote a political agenda or a social cause, often by launching attacks against systems to draw attention to their cause.
The option promoting a political agenda is correct because hacktivists use cyber attacks to raise awareness for social causes.
Q12. An attacker examines differences in ciphertext outputs resulting from small changes in the input to deduce key patterns in a symmetric algorithm. What method is being employed?
Answer: C. Differential cryptanalysis on input-output differences
Differential cryptanalysis analyzes how small input changes affect ciphertext to reveal key patterns.
Q13. A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting ' OR '1'='1';--, the tester gains unauthorized access to the application. What type of SQL injection has occurred?
Answer: B. Tautology-based SQL injection
Option B is correct because a tautology such as '1'='1' always evaluates to true, so the WHERE clause matches regardless of the credentials supplied and the authentication check is bypassed.
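Q13 is easier to reason about when you can see the query the form builds. The following is an added example (not code from the video or from CertPunch) that runs the payload quoted in the question against a constructed in-memory SQLite user table twice: once through a login routine that concatenates input into the SQL string, and once through the same check written with bound parameters. The table, the user `alice` and the password value are constructed stand-ins.

```python
import sqlite3

# Constructed sample user table; the credential values are placeholders.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The defect from Q13: user input is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL grammar."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data. The payload is then
    compared literally against the username column and matches nothing."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# The tautology payload quoted in Q13: the quote closes the literal, OR '1'='1'
# makes the predicate always true, and ;-- comments out the password check.
PAYLOAD = "' OR '1'='1';--"


def demo():
    """Return the four login outcomes so the contrast is visible at a glance."""
    conn = make_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_payload": login_vulnerable(conn, PAYLOAD, "anything"),
        "parameterized_legit": login_parameterized(conn, "alice", "correct-horse"),
        "parameterized_payload": login_parameterized(conn, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} -> {'login granted' if ok else 'login denied'}")
```

Only `vulnerable_payload` grants access with the tautology; the parameterized routine still accepts the real credentials and rejects the payload, which is the whole point of the countermeasure.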
Q14. During a routine security audit, administrators found that cloud storage backups were illegally accessed and modified. What countermeasure would most directly mitigate such incidents in the future?
Answer: D. Adopting the 3-2-1 backup model.
The 3-2-1 backup model directly prevents unauthorized access through redundancy and off-site storage. SQL injection and auto-scaling are irrelevant.
Q15. Scenario: 1. Victim opens the attacker's web site. 2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. 3. Victim clicks to the interesting and attractive content URL…
Answer: A. Clickjacking Attack
Clickjacking is correct as it uses transparent iframes to mislead clicks. Session fixation and HTML injection are different attack types.
Q16. To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the bank web site 10.20.20.1…
Answer: D. if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then permit
Rule D correctly specifies source, destination, and port 443 for HTTPS. Rule B incorrectly allows HTTP, and rules A and C have syntax errors.
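To check a rule like option D the way a reviewer would, it helps to run candidate flows through the policy rather than read it by eye. The following is an added example (not from the video or CertPunch) that models first-match evaluation with an implicit final deny, encodes the Q16 policy with the addresses from the question, and verifies it against constructed flows, including the plain-HTTP flow that the page says rule B would wrongly admit. The flow addresses other than 10.10.10.0/24 and 10.20.20.1 are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    port: int
    action: str  # "permit" or "deny"


def parse_rule(source, destination, port, action="permit"):
    """Build a Rule from CIDR strings; a bare host address becomes a /32."""
    return Rule(
        ipaddress.ip_network(source, strict=False),
        ipaddress.ip_network(destination, strict=False),
        port,
        action,
    )


def evaluate(rules, src_ip, dst_ip, dst_port, default="deny"):
    """First matching rule wins; nothing matching falls to the implicit deny,
    which is how most firewall policies are evaluated."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.source and dst in rule.destination and dst_port == rule.port:
            return rule.action
    return default


# The Q16 policy (option D): workstations reach the bank web site over HTTPS only.
POLICY = [parse_rule("10.10.10.0/24", "10.20.20.1", 443, "permit")]

# A policy that also permits HTTP, the mistake attributed to rule B.
HTTP_POLICY = POLICY + [parse_rule("10.10.10.0/24", "10.20.20.1", 80, "permit")]

# Constructed test flows: (source, destination, port, expected verdict).
FLOWS = [
    ("10.10.10.25", "10.20.20.1", 443, "permit"),  # intended HTTPS access
    ("10.10.10.25", "10.20.20.1", 80, "deny"),     # plain HTTP must not pass
    ("10.10.10.25", "10.20.20.2", 443, "deny"),    # a different host is not the bank
    ("192.168.1.5", "10.20.20.1", 443, "deny"),    # a different network is not a workstation
]


def verify_policy(rules=POLICY, flows=FLOWS):
    """Return every flow whose verdict differs from the expectation."""
    mismatches = []
    for src, dst, port, expected in flows:
        verdict = evaluate(rules, src, dst, port)
        if verdict != expected:
            mismatches.append((src, dst, port, expected, verdict))
    return mismatches


if __name__ == "__main__":
    print("option D policy mismatches:", verify_policy())
    print("HTTP-permitting policy mismatches:", verify_policy(HTTP_POLICY))
```

The option D policy produces no mismatches; the HTTP-permitting variant fails exactly one flow, the port 80 request, which is the failure the explanation above attributes to rule B.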
Q17. Which protocol uses port 443 by default?
Answer: D. HTTPS
The answer is correct as HTTPS uses port 443 for encrypted web traffic. All other options use different ports.
Q18. Which tool is used to capture and analyze network traffic in real-time?
Answer: C. Wireshark
Wireshark is the correct answer as it is the standard tool for capturing and analyzing network traffic in real-time.
Q19. After a recent breach, your team discovers that attackers used modified versions of legitimate system utilities and a Windows service to persist undetected for weeks, accessing internal credentials. What key step can be taken to better pro…
Answer: A. Monitor file hashes of sensitive executables for unauthorized changes.
The answer is correct because monitoring file hashes detects unauthorized changes to legitimate tools, preventing persistence. The other options are recovery or perimeter controls.
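The countermeasure in Q19 is a file-integrity baseline: hash the executables you care about while they are known good, then re-hash on a schedule and alert on any difference. The following is an added example (not from the video or CertPunch) of that baseline-and-verify loop using SHA-256. The scenario it runs is constructed: two stand-in utility files are baselined in a temporary directory, then one is overwritten and the other deleted, and the check reports both.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good hash of each sensitive executable."""
    return {path: sha256_file(path) for path in paths}


def check_baseline(baseline):
    """Re-hash every baselined file and return (finding, path) pairs for
    anything that is missing or whose content no longer matches."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append(("missing", path))
            continue
        if sha256_file(path) != expected:
            findings.append(("modified", path))
    return findings


def demo():
    """Constructed scenario: baseline two stand-in utilities, then tamper."""
    with tempfile.TemporaryDirectory() as workdir:
        tool_a = os.path.join(workdir, "netstat.exe")   # stand-in, not the real binary
        tool_b = os.path.join(workdir, "tasklist.exe")  # stand-in, not the real binary
        for path in (tool_a, tool_b):
            with open(path, "wb") as f:
                f.write(b"original content of " + os.path.basename(path).encode())

        baseline = build_baseline([tool_a, tool_b])
        clean_run = check_baseline(baseline)   # nothing changed yet

        with open(tool_a, "wb") as f:          # simulate a replaced utility
            f.write(b"replacement content")
        os.remove(tool_b)                      # simulate a removed utility

        return clean_run, check_baseline(baseline)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

In production the baseline would be stored off-host or signed so that an intruder who replaces a utility cannot also rewrite the expected hash, and the check would run from a scheduled job that forwards findings to the SIEM.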
Q20. A future-focused security audit discusses risks where attackers collect encrypted data now, anticipating that they can decrypt it later with quantum computers. What is this threat known as?
Answer: B. Saving data today for future quantum decryption
This is the definition of a harvest-now-decrypt-later attack. Attackers store encrypted data for future decryption by quantum computers.
Q21. As a cybersecurity consultant, you are helping a small startup strengthen its information security awareness. During an internal audit, an employee reports finding a USB drive labeled "Employee Salary Info 2024" in the company parking lot…
Answer: B. Tempting the victim to engage with a malicious device using curiosity.
This is baiting, where curiosity tempts victims to interact with a malicious device, making option B the clear choice.
Q22. Identify the web application attack where attackers inject client-side scripts into web pages viewed by other users.
Answer: D. Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is correct because it involves injecting malicious scripts into web pages viewed by other users.
Q23. You are a new member of your company's IT team, and you've been assigned to understand and implement ethical hacking principles to improve the company's cybersecurity posture. Your supervisor highlights the importance of following the five…
Answer: D. Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks
The correct order is Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks, making option D right.
Q24. A security analyst working for a large financial corporation has been assigned to conduct a comprehensive penetration test on the corporation's wireless infrastructure. The infrastructure relies on a secured WPA2-PSK-secured network to ens…
Answer: B. The analyst instigated a de-authentication attack, purposely causing a mass disconnection of all clients from the access point. The analyst then attentively observed the four-way handshake process that occurred during the clients' reconnection attempts.
A de-authentication attack captures the four-way handshake to test WPA2-PSK security. This is a standard wireless penetration testing technique.
Q25. What is the purpose of an 'Exit Node' in the Tor network?
Answer: C. It is the final node that decrypts traffic and sends it to the destination
The exit node is the final hop that decrypts and sends traffic to the destination. It is a key concept in understanding Tor's anonymity model.
Q26. An attacker redirects a user to a malicious website by modifying their local hosts file. What is this called?
Answer: D. Pharming
Modifying a local hosts file to redirect a user is a classic pharming attack. This tests knowledge of social engineering and DNS manipulation.
Q27. As a security analyst, you're investigating an incident where an attacker was able to gain access to your network. Upon initial examination of the log files, you noticed a large number of TCP SYN packets sent to various ports on the networ…
Answer: D. The attacker has used a SYN scan, also known as half-open scanning, which involves sending SYN packets and waiting for SYN/ACK responses.
A SYN scan, or half-open scan, sends SYN packets without completing the handshake. This is a common stealthy port scanning technique.
Q28. Jim's company regularly performs backups of their critical servers. But the company cannot afford to send backup tapes to an off-site vendor for long-term storage and archiving. Instead, Jim's company keeps the backup tapes in a safe in th…
Answer: C. Encrypt the backup tapes and transport them in a lock box.
Encrypting backup tapes protects data confidentiality, while a lock box adds physical security during transit. Hashing is for integrity, not encryption.
Q29. A cybersecurity team at a multinational company notices unusual network traffic on their Bluetooth devices. It is suspected to be a Bluesnarfing attack, aimed at accessing unauthorized information from Bluetooth-enabled devices. Which of t…
Answer: D. Disable "Discoverable Mode" and activate "Non-discoverable Mode" on all Bluetooth devices.
Disabling discoverable mode prevents attackers from finding the device. Firmware updates and PINs are helpful but less direct against Bluesnarfing.
Q30. In a comprehensive penetration testing scenario, you are charged with the task of gaining detailed insights into a target organization's network configuration, structure, and security posture. To accomplish this task, you plan to employ a…
Answer: B. The specific usernames and passwords used by the organization's employees.
DNS interrogation cannot reveal usernames or passwords. It provides domain, IP, and server information, but not user credentials.
More CEH drills and other practice exams are on @CertPunch. New rounds drop every few days at certpunch.com.