Certified Ethical Hacker v12 – Practice Test Questions – Part 7

In the ever-evolving landscape of cybersecurity, the role of Certified Ethical Hackers (CEH) has become increasingly crucial. These professionals are tasked with identifying and exploiting vulnerabilities in computer systems, networks, and applications, all with the goal of fortifying digital defenses against malicious hackers.

Achieving the CEH certification requires a deep understanding of various hacking techniques, tools, and methodologies. One effective way to prepare for the CEH exam is through practice test questions, which simulate real-world scenarios and assess your knowledge and skills.

Equip yourself with the knowledge to recognize and counteract Denial of Service (DoS) attacks. This set explores both classic and modern DoS techniques, providing a comprehensive understanding of mitigating these threats.

1Q: Your company has developed publicly hosted web apps and uses an internal Intranet protected by a firewall. Which of the below techniques would provide some protection against enumeration?

a. Reject all email received via POP3.
b. Remove “A records” for internal hosts.
c. Allow full DNS zone transfers to non-authoritative servers
d. Enable null session pipes

Solution: The correct answer is B.

2Q: Alex, an Ethical Hacker, is responsible for testing the security of his company’s website. First, he runs an SNMP scanner, snmpbulkwalk, to send SNMP requests to several IP addresses. Though he attempts multiple community strings, he gets no response. Which of the below options could be a cause for this situation? (Select more than one answer if applicable.)

a. The target system is using SNMP version 2, which cannot be scanned by snmpbulkwalk.
b. The target system has halted SNMP services.
c. Alex was searching for the Public and Private community strings, but the company’s previous team had altered the default names.
d. The target system is unreachable due to low Internet connectivity.

Solution: The correct answers are B, C, and D.

3Q: Which of the following techniques will perform a Connection String Parameter Pollution (CSPP) attack?

a. Adding a single quote after a URL with no resolving quote.
b. Inserting malicious JavaScript code into the input parameters.
c. Adding several parameters with the same name in HTTP requests.
d. Injecting parameters into the connection string, using semicolons as a separator.

Solution: The correct answer is D.

4Q: Which of the following statements are true about SNMPv1 and SNMPv3 enumeration? (Select more than one answer if applicable.)

a. Every version of the SNMP protocol uses community strings in a clear text format, and is therefore easily recognizable.
b. Simple Network Management Protocol (SNMP) is a TCP/IP standard protocol used to monitor and manage hosts, routers, and other devices within a network.
c. SNMP enumeration involves gathering information about hosts, routers, devices, etc. with the help of SNMP.
d. Implementing Access control list filtering to allow only access to the read-write community from approved stations or subnets can be an effective countermeasure against unauthorized SNMP enumeration.

Solution: Answers B, C, and D are correct.

5Q: Which of the below are the default passwords for SNMP? (Select more than one answer if applicable.)

a. Administrator
b. Password
c. Public
d. Private

Solution: The correct answers are C and D.

6Q: What version of SNMP will not send passwords and messages in clear text format?

a. SNMPv3
b. SNMPv1
c. SNMPv2c
d. SNMPv2

Solution: The correct answer is A.

7Q: The IP Network Browser scans a specific IP subnet and displays the devices that are actively responding on that subnet. It then queries the devices that responded through SNMP. Which of the below ports would be used by IP Network Browser to scan devices with SNMP enabled?

a. 22
b. 161
c. 21
d. 80

Solution: The correct answer is B.

8Q: Which of the below choices would be effective countermeasures against SNMP enumeration? (Select more than one answer if applicable.)

a. Disabling the SNMP service or simply removing the SNMP agent.
b. Where disabling SNMP is not possible, changing the default PUBLIC community name to something else.
c. Enable the Group Policy security setting, “Additional restrictions for anonymous connections.”
d. Allowing reasonable or even unrestricted access to NULL session pipes and shares.

Solution: The correct answers are A, B, and C.

9Q: Because SNMP is not generally audited, it can pose a significant threat, particularly if it has not been configured properly. Attackers are likely aware that SNMP can be used for account and device enumeration. SNMP has two passwords to access and adjust the configuration of the SNMP agent from a management station: the read-only community string and the read-write community string. Which of the below tools/utilities would be useful for SNMP enumeration?

a. SNMPEnum
b. SNMP Agent
c. SNMP Util
d. SNMP Manager

Solution: The correct answer is C.

10Q: This web application from the Open Web Application Security Project (OWASP) has well-known vulnerabilities (this app was deliberately developed as a way to teach ethical hackers how such vulnerabilities could be exploited).

a. BackTrack
b. WebVuln
c. Hackme
d. WebGoat

Solution: The correct answer is D.

11Q: Which of the following best dictates if certain behaviors are allowed on a system or server?

a. Data Loss Prevention Policy
b. Acceptable Use Policy
c. Network Firewall
d. Information Security Policy

Solution: The correct answer is D.

12Q: What risk could be posed by having an open port 25 on a server?

a. Unrestricted sharing of printers
b. Active mail relay
c. Clear text authentication could easily be faked.
d. Web portal data leak

Solution: The correct answer is B.

13Q: In an asymmetric encryption scheme, any user may create an encrypted message, but only an administrator with a private key can decrypt messages. Which of the below are examples of asymmetric encryption, a scheme in which any user could encrypt messages through a public key? (Choose 2.)

a. PGP (Pretty Good Privacy)
b. 3DES, or Triple DES
c. RSA, an algorithm for public-key cryptology
d. SHA1, or secure hash algorithm (designed by the U.S. National Security Agency)

Solution: The correct answers are A and C.

14Q: Mike is working as a Network Security Professional. His project is testing the security of his company’s website. He determines that the company has blocked all ports except port 80. Which of the below attacks could he use to send insecure software protocols?

a. URL obfuscation
b. Banner grabbing
c. HTTP tunneling
d. MAC spoofing

Solution: The correct answer is C.

15Q: What is the Advanced Encryption Standard (AES) primarily used for?

a. Key exchange
b. Bulk data encryption
c. Key creation
d. IPSec

Solution: The correct answer is B.

16Q: Which of the below password-cracking tools will work within the UNIX or Linux environment?

a. Brutus
b. Cain and Abel
c. John the Ripper
d. Ophcrack

Solution: The correct answer is C.

17Q: Which of the below hacking assaults allow you to bypass an access control list on servers or routers, helping you to mask your presence? Each correct answer represents a complete solution. Choose two.

a. DNS cache poisoning attack
b. DDoS attack
c. MAC spoofing attack
d. IP spoofing attack

Solution: Answers C and D are correct.

18Q: Which of the below assertions are accurate with regard to session hijacking? (Select more than one answer if applicable.)

a. It involves the exploiting of a valid computer session, or a session key, to gain unauthorized access to information and/or services in a target system.
b. To accomplish TCP session hijacking, a hacker will take control of a TCP session between two machines.
c. It can be accomplished through IP spoofing and is possible because authentication usually occurs only at the start of a TCP session.
d. It is used to slow down the functioning of network resources within a target system.

Solution: The correct answers are A, B, and C.

19Q: How does an operating system protect login passwords?

a. It stores all passwords in a protected segment using non-volatile memory.
b. It encrypts the passwords using an encoder, and decrypts them as necessary.
c. It stores all passwords within a secret file that is hidden from its users.
d. It performs a one-way hash of the passwords.

Solution: The correct answer is D.

20Q: In which of the below attacks will an attacker use packet sniffing to access and analyze network traffic between two parties, thereby stealing the session cookie?

a. Session sidejacking
b. Session fixation
c. Cross-site scripting
d. ARP spoofing

Solution: The correct answer is A.

21Q: Which of the below statements is not true about firewalking? (Select more than one answer if applicable.)

a. It can be useful in discovering the types of ports or protocols capable of bypassing a specific firewall.
b. In order to perform firewalking, an attacker must have an address accepted as secure by the firewall as well as one that is not accepted by the firewall.
c. Firewalking works on UDP packets.
d. In this technique, the attacker will transmit a crafted packet with a TTL (time-to-live) value that will expire after one hop past the firewall.

Solution: The correct answer is C.

22Q: Mandy wants to prove her identity to Mike. Mike asks Mandy to provide him with her password, which Mandy dutifully provides (possibly after some transformation with a hash function). During this time, a woman named Eve observes the conversation between Mike and Mandy and records the password. Later, Eve connects to Mike posing as Mandy, providing the password read from the previous session. Mike accepts it, unaware that Eve is not Mandy. What kind of attack does this describe?

a. Replay
b. Session fixation
c. Cross-site scripting
d. Firewalking

Solution: The correct answer is A.

23Q: Which of the below commands can be used to scan ports?

a. nc -z
b. nc -g
c. nc -t
d. nc -w

Solution: The correct answer is A.

24Q: Mike is a Security Administrator. To access his laptop, he only needs to enter a 4-digit personal identification number (PIN). He also set up a token to check offline whether he has entered the right PIN. Which of the below attacks is a foreseeable result of Mike’s folly?

a. Brute force
b. Replay
c. Smurf
d. Man-in-the-middle

Solution: The correct answer is A.
