CEH – Certified Ethical Hacker – Practice Exam — Part 2

Test your Certified Ethical Hacker knowledge with 30 exam-style questions, clean answer reveals, and concise explanations.

Answers and explanations

Q1. In your role as a cybersecurity analyst at a large e-commerce company, you have been tasked with reinforcing the firm's defenses against potential Denial-of-Service (DoS) attacks. During a recent review, you noticed several IP addresses ge…

Answer: B. SYN Flood: This attack floods a target with SYN requests in an attempt to consume enough server resources to make the system unresponsive, aligning with the high volume of incomplete TCP handshakes.

A SYN flood exploits incomplete handshakes to overwhelm server resources. The description matches the attack vector perfectly.

Q2. An organization uses SHA-256 for data integrity checks but is still experiencing unauthorized data modification. Which cryptographic tool can help resolve this issue?

Answer: C. Digital signatures

Digital signatures ensure data integrity by cryptographically verifying that the data hasn't been tampered with.

Q3. During a red team exercise, an attacker dresses as a network technician and gains unchallenged access to a restricted area. Once inside, he roams freely, observing employees and reviewing sensitive documents left unattended. Which of the f…

Answer: C. Gaining physical access by assuming the identity of a trusted internal staff.

This scenario describes physical penetration testing through impersonation, a key CEH social engineering tactic.

Q4. You are tasked with assessing wireless network security for a corporation using WPA2 encryption. During the assessment, you identify vulnerabilities that could allow attackers to intercept and replay previously captured packets. Which WPA2…

Answer: B. KRACK vulnerabilities through key reinstallation.

KRACK exploits key reinstallation to decrypt WPA2 traffic, a well-documented wireless vulnerability.

Q5. You are a security administrator for a medium-sized company. Your manager has asked you to conduct an audit of the organization's security infrastructure. While reviewing the logs from the Intrusion Detection System (IDS), you notice that…

Answer: B. The IDS is configured with very high sensitivity settings, leading to many false positives.

High sensitivity in IDS causes false positives by flagging normal user activities as threats. This is a common configuration issue.

Q6. As a Certified Ethical Hacker, you have been approached by a leading international corporation to assess and enhance their cloud-based security framework. The corporation recently transitioned to a serverless computing architecture for its…

Answer: D. Implementing a function-level permission model and enforcing the principle of least privilege.

Least privilege at the function level prevents unauthorized access in serverless architectures.

Q7. A cybersecurity team identifies suspicious outbound network traffic. Investigation reveals malware utilizing Background Intelligent Transfer Service (BITS) to evade firewall detection. Why would attackers use this particular service to hid…

Answer: A. Because BITS packets appear identical to normal Windows update traffic.

BITS mimics Windows update traffic to blend in with legitimate activity and evade detection.

Q8. During a cybersecurity training session at your organization, you present several hypothetical scenarios to the trainees to assess their understanding of social engineering threats. Which of these scenarios best describes a social engineer…

Answer: B. Sarah, a new recruit, receives a call from someone claiming to be from the IT department, who asks for her login credentials to solve a non-existing issue.

Impersonating IT to trick a user into revealing credentials is a classic social engineering attack.

Q9. During a black-box assessment, an attacker executes the Nmap command `nmap -p25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT}`. The script successfully returns multiple valid usernames. What server misconfi…

Answer: B. SMTP user verification commands are exposed without restrictions.

SMTP user enumeration commands like VRFY and EXPN are exposed without restrictions.

Q10. A red team operator is assessing the resilience of a corporate network's authentication infrastructure. They input valid usernames with specifically structured guesses based on prior intel about naming conventions, such as birthdates or fa…

Answer: A. Strategic pattern-based input using known logic.

Using known logic and patterns for targeted username guesses is a strategic, non-exhaustive approach.

Q11. As a cybersecurity analyst at a renowned software corporation, you've noticed some peculiar activity. The company's internal network has seen a sudden increase in redundant network traffic and system crashes. Initial scans have found that…

Answer: B. Worm: Quarantine the affected systems, perform an immediate network-wide sweep with the latest antivirus definitions, and update the operating system on all network systems.

A worm is correct as it self-replicates across networks. The described symptoms and remediation align perfectly with worm behavior and containment.

Q12. During a red team engagement targeting a custom web application, a tester observes that the app takes a numeric id parameter from the URL and dynamically builds SQL queries. Suspecting SQL injection, the tester sends a crafted HTTP GET req…

Answer: B. The attacker executed a second malicious query alongside the first.

The attacker executed a second query to drop the table, a classic SQL injection technique for data destruction.

Q13. You are a cybersecurity trainer and are planning a course on ethical hacking for some newcomers in your organization. While creating the content, you recall from the CEH v12 study material that there are different types of penetration test…

Answer: B. The tester has no prior knowledge of the system to be tested.

A black box test simulates a real external attacker by providing no prior knowledge of the system.

Q14. During a routine security audit at a large financial services organization, the IT team detects severe network latency and recurring bandwidth exhaustion across its corporate WAN links. Upon deeper investigation, they discover that several…

Answer: D. An attack where compromised internal devices participate in a botnet and flood external targets with traffic.

The scenario describes a botnet-based DDoS attack in which compromised internal devices flood external targets. The trap is confusing it with an amplification attack.

Q15. A red team operator is conducting reconnaissance on a financial organization's infrastructure. While probing UDP port 123, they send NTP queries and receive a list of internal IP addresses and connected hostnames. The organization is unawa…

Answer: A. The NTP daemon is configured to accept queries from external sources without restriction.

An unrestricted NTP daemon answers queries from external sources, which leaks internal IP and hostname information.

Q16. As an Ethical Hacker, you've been asked to test an application's vulnerability to SQL injection. In the process, you discover an entry field that appears susceptible. However, the backend database is unknown, and regular SQL injection tech…

Answer: C. Time-Based Blind SQL Injection

Time-based blind SQLi uses response delays to extract information when other methods fail.

Q17. You work as a network security officer for a large corporation. Recently, you've noticed that certain confidential files are being accessed by unauthorized users within the network. You suspect that a Man-in-the-Middle (MitM) attack is be…

Answer: C. IP addresses being resolved to multiple MAC addresses.

A single IP address resolving to multiple MAC addresses indicates traffic interception.

Q18. Thomas, a cloud security professional, is performing security assessment on cloud services to identify any loopholes. He detects a vulnerability in a bare-metal cloud server that can enable hackers to implant malicious backdoors in its fir…

Answer: D. Cloudborne attack

Cloudborne attack is correct as it involves exploiting cloud infrastructure like firmware for persistent backdoors. Other options describe different cloud threats.

Q19. In a highly secure online banking environment, customers have reported unauthorized access to their accounts despite robust authentication measures in place. Upon investigation, it is discovered that attackers are employing sophisticated s…

Answer: B. Man-in-the-Browser (MitB) Attack Installing Malicious Browser Extensions to Intercept User Sessions

Man-in-the-Browser (MitB) is highly sophisticated as it uses malicious browser extensions for undetected session hijacking. XSS and sniffing are less advanced.

Q20. As the newly appointed head of IT security at a growing startup, you have been tasked with improving the company's security posture. Given the rise in social engineering attacks, you decide to set up training sessions for employees to help…

Answer: D. Pretexting

Pretexting is correct as it involves impersonating someone for information. Baiting, phishing, and quid pro quo are different social engineering methods.

Q21. During a penetration test, a security analyst encounters a web page that returns identical generic error messages regardless of input. To test for SQL injection, they submit a query that includes AND 1=1 and later AND 1=2, observing a chan…

Answer: C. The analyst is using conditional logic to infer database behavior from page responses.

Conditional logic in the queries infers database behavior from page responses, defining a boolean-based SQL injection attack.

Q22. A penetration tester intercepts HTTP requests between a user and a vulnerable web server. The tester observes that the session ID is embedded in the URL, and the web application does not regenerate the session upon login. Which session hij…

Answer: A. Session fixation by pre-setting the token in a URL.

Session fixation succeeds because the attacker can pre-set the session ID in the URL since it's not regenerated.

Q23. In her role as a cybersecurity analyst for an established technology firm, Maria is assigned a crucial task. She's instructed to perform a thorough passive reconnaissance of a major competitor's online environment to understand their digit…

Answer: D. Running an intensive port scan against the competitor's public IP addresses to gain information on their internal network and server structure.

Port scanning is active and intrusive, risking detection and legal issues, unlike passive reconnaissance methods.

Q24. An attacker performs DNS cache snooping using the dig command with the +norecurse flag against a known DNS server. The server returns NOERROR but provides no answer to the query. What does this most likely suggest?

Answer: A. No client from the DNS server's network has recently accessed the domain.

The NOERROR response with no answer indicates the DNS server's cache lacks recent entries for the domain, meaning no clients from its network have accessed it recently.

Q25. You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email (…

Answer: D. Social engineering

The attacker used social engineering by impersonating a boss to manipulate the receptionist into opening malicious links and executing malware.

Q26. A red team simulation reveals a malware strain that adapts its behavior based on observed user activity and evades detection by altering its code dynamically. The malware exfiltrates data only when the system is idle and uses encrypted cha…

Answer: D. AI-powered malware using machine learning to tailor its execution.

The malware's adaptive behavior and evasion techniques suggest it uses machine learning to optimize its execution based on user activity.

Q27. A malware analyst is tasked with evaluating a suspicious PDF file suspected of launching attacks through embedded JavaScript. Initial scans using pdfid show the presence of JavaScript and /OpenAction keywords. What should the analyst do ne…

Answer: A. Extract and analyze stream objects using PDFStreamDumper.

Extracting stream objects with PDFStreamDumper reveals hidden malicious scripts and embedded content to assess the PDF's attack potential.

Q28. A large media-streaming company begins receiving complaints from users that their web application is timing out or failing to load. The security team observes that the web server is overwhelmed with a high number of open HTTP connections…

Answer: C. The attacker uses a Slowloris attack to keep many open connections alive, slowly exhausting the server's connection pool.

A Slowloris attack keeps connections open slowly, exhausting the server's resources, which matches the described symptoms.

Q29. Your role as a network administrator in a mid-sized company involves protecting the company's web servers from potential security threats. Recently, your company's web server experienced a Distributed Denial of Service (DDoS) attack. In ex…

Answer: A. HTTP flood attack

An HTTP flood attack targets the application layer by overwhelming the web server with HTTP requests.

Q30. During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web-enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?

Answer: C. Application

An application firewall inspects the content of traffic, so it can distinguish IRC from HTTP.

More CEH drills and other practice exams are on @CertPunch. New rounds drop every few days at certpunch.com.
