Certified Ethical Hacker (CEH) Practice Exam
The Certified Ethical Hacker (CEH) exam is a globally recognized certification that validates an individual’s expertise in ethical hacking, penetration testing, and cybersecurity defense strategies. The exam covers various domains, including footprinting and reconnaissance, scanning networks, enumeration, system hacking, malware threats, sniffing, social engineering, denial-of-service attacks, session hijacking, web application security, cryptography, cloud security, mobile security, and IoT security.
One of the most critical areas of the CEH exam is zero-day exploits, which focus on vulnerabilities that have no existing patch, making them highly valuable to both ethical hackers and cybercriminals. Additionally, advanced evasion techniques such as polymorphic malware, sandbox detection, and DNS tunneling are tested, highlighting how attackers bypass security controls. Mobile security also plays a crucial role, covering threats like SIM swap attacks, app repackaging, and mobile malware.
The CEH certification equips professionals with hands-on experience in using industry-standard tools like Metasploit, Nmap, Wireshark, John the Ripper, and Burp Suite. Candidates must demonstrate knowledge of penetration testing methodologies, ethical hacking frameworks, and countermeasures against sophisticated cyber threats. The exam ensures that cybersecurity professionals can effectively think like hackers to secure modern IT environments.
Sample Questions and Answers
What is the primary goal of ethical hacking?
A) To exploit vulnerabilities for financial gain
B) To identify and fix security weaknesses
C) To launch cyberattacks on organizations
D) To create new hacking tools
Answer: B) To identify and fix security weaknesses
Explanation: Ethical hacking involves simulating cyberattacks to uncover and address security vulnerabilities before malicious hackers exploit them.
Which of the following is NOT a phase in the ethical hacking process?
A) Reconnaissance
B) Exploitation
C) Scanning
D) Reporting
Answer: B) Exploitation
Explanation: Ethical hackers do not exploit vulnerabilities for malicious purposes; they focus on identifying and documenting them for remediation.
What is passive reconnaissance?
A) Gathering information about a target without direct interaction
B) Actively probing a network for vulnerabilities
C) Deploying malware on a target system
D) Conducting penetration tests on an organization
Answer: A) Gathering information about a target without direct interaction
Explanation: Passive reconnaissance involves collecting publicly available information about a target without alerting them, such as analyzing websites and social media.
Which tool is commonly used for footprinting a website?
A) Metasploit
B) WHOIS
C) Nmap
D) Nessus
Answer: B) WHOIS
Explanation: WHOIS allows ethical hackers to retrieve domain registration details, such as the owner, contact information, and DNS servers.
What is the purpose of a port scan?
A) To test website performance
B) To identify open ports and services running on a target system
C) To encrypt network traffic
D) To detect physical network issues
Answer: B) To identify open ports and services running on a target system
Explanation: Port scanning helps ethical hackers determine which services are exposed on a system, which may indicate potential vulnerabilities.
Which scanning technique involves sending SYN packets without completing the handshake?
A) UDP Scan
B) XMAS Scan
C) SYN Scan
D) FIN Scan
Answer: C) SYN Scan
Explanation: SYN scanning, also called half-open scanning, sends SYN packets to detect open ports without completing the TCP handshake.
Which protocol is commonly targeted during enumeration?
A) HTTP
B) FTP
C) SNMP
D) ARP
Answer: C) SNMP
Explanation: SNMP (Simple Network Management Protocol) is used for network device management and can reveal sensitive information if misconfigured.
What is NetBIOS enumeration used for?
A) To scan open ports
B) To retrieve usernames, shares, and workgroup information
C) To bypass firewalls
D) To encrypt network traffic
Answer: B) To retrieve usernames, shares, and workgroup information
Explanation: NetBIOS enumeration allows attackers to gather details about network resources, making it a common target for hackers.
What is the primary purpose of privilege escalation?
A) To gain unauthorized administrative access
B) To disable security software
C) To log user keystrokes
D) To install backdoors
Answer: A) To gain unauthorized administrative access
Explanation: Privilege escalation allows attackers to increase their access rights, potentially giving them full control over a compromised system.
Which tool is commonly used for password cracking?
A) Wireshark
B) John the Ripper
C) Nikto
D) Burp Suite
Answer: B) John the Ripper
Explanation: John the Ripper is an open-source password-cracking tool that uses dictionary and brute-force attacks.
What is the main characteristic of a rootkit?
A) It automatically replicates across networks
B) It hides malicious activities from the operating system
C) It encrypts files and demands ransom
D) It creates pop-up advertisements
Answer: B) It hides malicious activities from the operating system
Explanation: Rootkits modify system processes to conceal malicious activities and maintain persistent access.
What is ARP poisoning used for?
A) To encrypt network traffic
B) To intercept communication between devices on a LAN
C) To scan for open ports
D) To conduct brute-force attacks
Answer: B) To intercept communication between devices on a LAN
Explanation: ARP poisoning manipulates the Address Resolution Protocol (ARP) to redirect network traffic through an attacker’s system.
What is the primary objective of phishing?
A) To exploit web application vulnerabilities
B) To deceive users into providing sensitive information
C) To scan for network vulnerabilities
D) To perform a DoS attack
Answer: B) To deceive users into providing sensitive information
Explanation: Phishing attacks use fraudulent emails or websites to trick users into revealing credentials or financial details.
What is SQL injection?
A) An attack that overflows memory buffers
B) A method of injecting malicious SQL queries into database-driven applications
C) A technique for scanning networks
D) A form of brute-force attack
Answer: B) A method of injecting malicious SQL queries into database-driven applications
Explanation: SQL injection manipulates input fields to execute unauthorized database commands, potentially exposing sensitive data.
What type of encryption does WPA2 use?
A) DES
B) AES
C) RSA
D) MD5
Answer: B) AES
Explanation: WPA2 uses AES (Advanced Encryption Standard) for strong wireless security encryption.
What is the primary purpose of a VPN?
A) To bypass firewalls
B) To securely encrypt network traffic over public networks
C) To provide free internet access
D) To increase network speed
Answer: B) To securely encrypt network traffic over public networks
Explanation: VPNs create encrypted tunnels to protect data from eavesdropping on insecure networks.
Which of the following tools is used to extract metadata from files and images?
A) Nmap
B) FOCA
C) Aircrack-ng
D) Metasploit
Answer: B) FOCA
Explanation: FOCA (Fingerprinting Organizations with Collected Archives) extracts metadata from documents, revealing sensitive information like usernames, file paths, and software versions.
What type of DNS record is used to identify mail servers?
A) A Record
B) CNAME Record
C) MX Record
D) TXT Record
Answer: C) MX Record
Explanation: Mail Exchange (MX) records specify mail servers for a domain, which can be targeted in reconnaissance for email spoofing or phishing attacks.
Which of the following is a stealthy scanning technique that evades IDS detection?
A) Full Connect Scan
B) SYN Scan
C) Null Scan
D) Ping Sweep
Answer: C) Null Scan
Explanation: Null scans send packets with no TCP flags set, helping evade detection systems while checking for open ports.
What does the “O” flag in an Nmap scan indicate?
A) Open port
B) OS detection
C) Overloaded server
D) Outbound connection
Answer: B) OS detection
Explanation: The -O option in Nmap enables OS fingerprinting to determine the target system’s operating system.
What command is used to enumerate shared network resources on a Windows system?
A) net use
B) net view
C) tracert
D) ping -t
Answer: B) net view
Explanation: The net view command lists shared resources, helping attackers identify accessible network shares.
What is an effective countermeasure against SNMP enumeration?
A) Disabling ICMP responses
B) Using complex community strings
C) Blocking TCP port 80
D) Implementing DNSSEC
Answer: B) Using complex community strings
Explanation: SNMP enumeration exploits weak community strings. Using strong, unique strings reduces the risk of unauthorized access.
What is a key characteristic of a rainbow table attack?
A) It uses precomputed password hashes
B) It exploits SQL vulnerabilities
C) It requires brute-force attempts
D) It encrypts files for ransom
Answer: A) It uses precomputed password hashes
Explanation: Rainbow table attacks use precomputed hash values to quickly crack passwords, reducing computation time.
Which file in Windows stores hashed user passwords?
A) /etc/passwd
B) shadow
C) SAM
D) config.sys
Answer: C) SAM
Explanation: The Security Accounts Manager (SAM) file in Windows stores password hashes and is a target for privilege escalation attacks.
What is polymorphic malware?
A) Malware that spreads across networks
B) Malware that changes its code to avoid detection
C) Malware that exploits browser vulnerabilities
D) Malware that installs rootkits
Answer: B) Malware that changes its code to avoid detection
Explanation: Polymorphic malware frequently alters its signature, making it harder for antivirus software to detect.
What is a botnet?
A) A single malware-infected machine
B) A network of compromised computers controlled remotely
C) A type of phishing attack
D) A firewall bypass technique
Answer: B) A network of compromised computers controlled remotely
Explanation: Botnets consist of multiple infected devices controlled by attackers to perform DDoS attacks, spamming, or credential theft.
What is the primary defense against ARP poisoning attacks?
A) Using MAC address filtering
B) Implementing ARP spoofing
C) Enabling static ARP entries
D) Disabling SNMP
Answer: C) Enabling static ARP entries
Explanation: ARP poisoning attacks manipulate ARP tables, and using static ARP entries prevents unauthorized changes.
Which tool is commonly used for network packet sniffing?
A) Nikto
B) Wireshark
C) Aircrack-ng
D) Hydra
Answer: B) Wireshark
Explanation: Wireshark captures and analyzes network packets, making it a key tool for network security analysis.
What is a common sign of a phishing attack?
A) Emails from trusted senders
B) URLs with misspellings or extra characters
C) Secure HTTPS websites
D) Software updates from official sources
Answer: B) URLs with misspellings or extra characters
Explanation: Phishing attacks often use slightly altered URLs to deceive users into entering credentials on fake websites.
Which vulnerability allows attackers to execute unauthorized database commands?
A) Cross-Site Scripting (XSS)
B) SQL Injection
C) Clickjacking
D) Buffer Overflow
Answer: B) SQL Injection
Explanation: SQL injection exploits input fields to inject malicious SQL queries, potentially compromising database integrity.
What is a primary method to prevent XSS attacks?
A) Encrypting network traffic
B) Validating and sanitizing user input
C) Disabling cookies
D) Blocking TCP port 443
Answer: B) Validating and sanitizing user input
Explanation: XSS attacks inject malicious scripts into web pages. Input validation and sanitization prevent execution of harmful code.
What encryption algorithm does WPA3 use?
A) TKIP
B) AES-CCMP
C) SAE
D) DES
Answer: C) SAE
Explanation: WPA3 uses Simultaneous Authentication of Equals (SAE) for stronger wireless authentication and protection against brute-force attacks.
What is the main purpose of a digital certificate?
A) To store encrypted files
B) To verify the authenticity of websites and entities
C) To provide firewall protection
D) To enhance brute-force attack efficiency
Answer: B) To verify the authenticity of websites and entities
Explanation: Digital certificates authenticate users and websites by validating their identity using Public Key Infrastructure (PKI).