CEH Exam Practice Questions and Answers Part 1
Think you have what it takes to become an Ethical Hacker? Think again! The Certified Ethical Hacker (CEH) exam is not just another cybersecurity certification; it’s a rigorous test that challenges even the most seasoned professionals. With 125 complex multiple-choice questions covering 20 in-depth modules, this exam is designed to push your limits in ethical hacking techniques, reconnaissance, vulnerability exploitation, cloud computing, and more.
But here’s the real challenge: not all topics carry the same weight. Some modules, like System Hacking and Reconnaissance, demand in-depth knowledge, while others focus on cloud security, IoT vulnerabilities, and mobile threats, making it crucial to strategize your study plan wisely.
That’s exactly why we’ve compiled this guide, a handpicked selection of the top CEH exam practice questions crafted to reinforce key concepts and enhance your exam readiness. Each question is designed to mimic real exam scenarios, providing detailed explanations and quick memory hacks to reinforce your learning.
So, are you ready to test your skills and see if you can think like a hacker? Let’s dive in!
Top CEH Exam Practice Questions and Answers
1. Mr. Omkar conducted a tool-based vulnerability assessment and detected two vulnerabilities. However, upon further analysis, he realized that these were not actual vulnerabilities. What would these issues be classified as?
A) False positives
B) True negatives
C) True positives
D) False negatives
Answer: A) False positives
Explanation: A false positive occurs when a security tool incorrectly identifies a vulnerability that does not actually exist. In this case, Mr. Omkar’s assessment tool flagged two vulnerabilities, but his further investigation confirmed that they were not real threats. Therefore, these issues are classified as false positives.
Study Tip:
- False Positives: Think of a fire alarm going off, but there’s no actual fire.
- False Negatives: A real fire happens, but the alarm doesn’t ring.
- True Positives: A real fire happens, and the alarm correctly detects it.
- True Negatives: No fire and the alarm remains silent.
2. An attacker scans vulnerable machines to create a list of targets. After infecting the machines, the list is divided, with half assigned to newly compromised machines. The scanning continues simultaneously, allowing the malware to spread quickly. What is this technique called?
A) Subnet scanning technique
B) Hit-list scanning technique
C) Permutation scanning technique
D) Topological scanning technique
Answer: B) Hit-list scanning technique
Explanation: The hit-list scanning technique is a method used in botnet propagation where attackers first compile a list of vulnerable machines. Initially, they infect a few machines, then divide and distribute the list among newly compromised machines. This parallel scanning approach ensures rapid and widespread infection.
Study Tip:
- Subnet Scanning: Scans a specific network range.
- Hit-List Scanning: Divides the target list for faster infection.
- Permutation Scanning: Uses a shared list with a fixed order.
- Topological Scanning: Uses the infected machine’s network knowledge to spread.
3. What type of attack involves injecting ‘Carriage Return’ and ‘Line Feed’ characters to manipulate HTTP headers?
A) Server-Side JS Injection
B) Log Injection
C) CRLF Injection
D) HTML Injection
Answer: C) CRLF Injection
Explanation: CRLF Injection exploits vulnerabilities by inserting special CRLF characters in HTTP headers, leading to security issues like response splitting and header manipulation.
Study Tip: “CRLF = Carriage Return, Line Feed = Code Rewrite Loophole and Flaws”—Headers can be exploited when improperly sanitized!
4. Which wireless standard has a bandwidth of up to 54 Mbps and operates in the regulated 5 GHz spectrum?
A) 802.11i
B) 802.11n
C) 802.11a
D) 802.11g
Answer: C) 802.11a
Explanation: 802.11a operates in the 5 GHz band with a maximum data rate of 54 Mbps. It offers better performance in less congested frequency bands compared to 2.4 GHz networks.
Study Tip: “Wi-Fi ABCs”—A = 5GHz (fast), B = 2.4GHz (slow), G = 2.4GHz (better), N = both bands (best pre-Wi-Fi 6). Next time you configure a router, check which frequencies are in use!
5. Which Nmap flag enables a stealth scan to reduce IDS detection?
A) -sT
B) -sS
C) -sM
D) -sU
Answer: B) -sS
Explanation: The SYN scan (-sS) is considered stealthy because it never completes the TCP handshake, making it harder for IDS systems to detect.
Study Tip: “S for Stealth, S for SYN”—Use -sS for scanning without detection.
6. Taylor, a security professional, uses a tool to monitor her company’s website, analyze website traffic, and track the geographical location of visitors. Which tool is used in this scenario?
A) Webroot
B) Web-Stat
C) WebSite-Watcher
D) WAFW00F
Answer: B) Web-Stat
Explanation: Web-Stat is a website analytics tool that tracks visitor data, including traffic sources, geographical locations, and user behavior. It provides real-time insights to help businesses monitor website performance and security.
Study Tip:
- Webroot: Cybersecurity and antivirus.
- Web-Stat: Website traffic analytics.
- WebSite-Watcher: Web page change detection.
- WAFW00F: Web Application Firewall detection.
7. A DDoS attack targets layer 7 by sending partial HTTP requests to a web server. The server keeps multiple connections open, waiting for the requests to complete, leading to resource exhaustion. Which attack is being described?
A) Session splicing
B) Desynchronization
C) Phlashing
D) Slowloris attack
Answer: D) Slowloris attack
Explanation: The Slowloris attack is a type of layer 7 DDoS attack that sends incomplete HTTP requests to a web server. The server keeps multiple connections open, waiting for the rest of the requests, which eventually exhausts its resources and causes a denial of service.
Study Tip:
- Session Splicing: Splits payload across multiple packets to evade detection.
- Desynchronization: Exploits TCP stream misalignment.
- Phlashing: Permanent DoS by damaging hardware.
- Slowloris: Sends partial HTTP requests to exhaust connections.
8. Gilbert, a Web Developer, uses a centralized web API to simplify data management and ensure integrity. The API utilizes HTTP methods like PUT, POST, GET, and DELETE, improving performance, scalability, reliability, and portability. What type of web-service API is being used?
A) SOAP API
B) JSON-RPC
C) RESTful API
D) REST API
Answer: C) RESTful API
Explanation: A RESTful API follows the principles of Representational State Transfer (REST) and uses standard HTTP methods for communication. It enhances application performance, scalability, and portability by allowing efficient client-server interactions.
Study Tip:
- SOAP API: Uses XML, follows strict structure.
- JSON-RPC: Lightweight, remote procedure calls.
- REST API: General term for REST-based APIs.
- RESTful API: Fully follows REST principles, uses HTTP methods.
9. Which firewall evasion scanning technique uses a zombie system with low network activity and fragment identification numbers?
A) Decoy scanning
B) Idle scanning
C) Packet fragmentation scanning
D) Spoof source address scanning
Answer: B) Idle scanning
Explanation: Idle scanning is a stealthy scanning technique that uses a “zombie” host with low network activity. By analyzing the fragment identification numbers (the IP ID field) in the zombie’s packets, an attacker can map open ports on the target without revealing their own IP address.
Study Tip:
- Decoy Scanning: Uses multiple fake IPs to hide the attacker’s real IP.
- Idle Scanning: Uses a silent zombie system for stealth scanning.
- Packet Fragmentation Scanning: Splits packets to bypass firewalls.
- Spoof Source Address Scanning: Fakes the source IP to avoid detection.
10. Ethical Hacker Jane Smith is performing an SQL injection attack. She wants to test response times to determine true or false conditions and use a second command to verify if the database returns true or false results for user IDs. Which two SQL injection types would help her achieve this?
A) Out-of-band and boolean-based
B) Time-based and union-based
C) Time-based and boolean-based
D) Union-based and error-based
Answer: C) Time-based and boolean-based
Explanation:
- Time-based SQL injection relies on delaying responses to determine if a query is true or false based on the response time.
- Boolean-based SQL injection extracts data by analyzing how the application reacts differently to true or false queries.
Study Tip:
- Out-of-band: Uses external communication (DNS, HTTP).
- Time-based: Delays response to infer results.
- Boolean-based: True/false response determines database behavior.
- Union-based: Uses UNION to fetch data from other tables.
- Error-based: Extracts data using error messages.
11. Which protocol can be used to secure an LDAP service against anonymous queries?
A) NTLM
B) RADIUS
C) SSO
D) WPA
Answer: A) NTLM
Explanation: NTLM (NT LAN Manager) is an authentication protocol that secures LDAP services by requiring user authentication, preventing unauthorized anonymous queries. It provides challenge-response authentication to verify user identity before granting access to LDAP resources.
Study Tip:
- NTLM: Secures LDAP authentication.
- RADIUS: Centralized authentication for network access.
- SSO: Allows single login for multiple services.
- WPA: Secures wireless networks, not LDAP.
12. Alice, a professional hacker, targeted an organization’s cloud services by infiltrating its MSP provider through spear-phishing. She distributed malware, gained remote access, and used the MSP account to access customer profiles. She then extracted and stored customer data to launch further attacks on the target organization. What type of cloud attack did she perform?
A) Cloudborne attack
B) Cloud cryptojacking
C) Man-in-the-cloud (MITC) attack
D) Cloud hopper attack
Answer: D) Cloud hopper attack
Explanation: A Cloud Hopper attack targets managed service providers (MSPs) to gain access to their clients’ cloud services. Attackers use phishing and malware to compromise the MSP, then pivot to infiltrate customer networks, stealing sensitive data and launching further attacks.
Study Tip:
- Cloudborne attack: Targets cloud hardware vulnerabilities.
- Cloud cryptojacking: Uses cloud resources for cryptocurrency mining.
- Man-in-the-cloud (MITC) attack: Hijacks cloud synchronization tokens.
- Cloud hopper attack: Infiltrates MSPs to access customer networks.
13. Which file is a valuable target for discovering a website’s structure during web-server footprinting?
A) domain.txt
B) Document root
C) index.html
D) Robots.txt
Answer: D) Robots.txt
Explanation: The Robots.txt file provides search engine crawlers with instructions on which parts of a website should not be indexed. However, attackers can analyze this file to identify restricted directories, hidden pages, and website structure, making it a key target during web server footprinting.
Study Tip:
- domain.txt: Not a standard web structure file.
- Document root: Stores website files, but not directly accessible.
- index.html: Default homepage, reveals minimal site structure.
- Robots.txt: Lists restricted areas, useful for footprinting.
14. Henry, a Cybersecurity Specialist at BlackEye – Cyber Security Solutions, was tasked with identifying the operating system of a host. Using the Unicornscan tool, he obtained a TTL value that indicates the system is running Windows OS. What TTL value did he obtain?
A) 138
B) 128
C) 255
D) 64
Answer: B) 128
Explanation: Windows operating systems typically use a default TTL value of 128. When a packet is sent, this value decreases with each hop. By analyzing the TTL value in responses, cybersecurity specialists can determine the target OS.
Study Tip:
- Windows: TTL 128
- Linux/macOS: TTL 64
- Network devices (Cisco, etc.): TTL 255
- TTL decreases by 1 per hop in network routing.
15. Kevin, a professional hacker, is attempting to penetrate CyberTech Inc.’s network. He encoded packets with Unicode characters so that the company’s IDS could not recognize them, but the target web server could decode them. What technique did he use to evade the IDS system?
A) Desynchronization
B) Urgency flag
C) Obfuscating
D) Session splicing
Answer: C) Obfuscating
Explanation: Obfuscating is a technique where attackers encode or manipulate data (e.g., using Unicode characters) to bypass security detection systems like IDS. The IDS fails to recognize the encoded packets, but the target web server deciphers them, allowing the attack to proceed unnoticed.
Study Tip:
- Desynchronization: Alters TCP sequence numbers to confuse IDS.
- Urgency flag: Manipulates TCP Urgent Pointer for evasion.
- Obfuscating: Encodes data to bypass detection.
- Session splicing: Splits attack payload across multiple packets.
- Polymorphic encoding: Modifies malware code to evade signature-based detection.
16. John wants to send Marie an email containing sensitive information but does not trust the network. Marie suggests using PGP encryption. What should John do to communicate using this encryption method securely?
A) Use his own private key to encrypt the message.
B) Use Marie’s public key to encrypt the message.
C) Use Marie’s private key to encrypt the message.
D) Use his own public key to encrypt the message.
Answer: B) Use Marie’s public key to encrypt the message.
Explanation: In PGP (Pretty Good Privacy) encryption, the sender encrypts the message using the recipient’s public key. The recipient then decrypts it using their private key, ensuring that only they can read the message. This provides confidentiality and security over untrusted networks.
Study Tip:
- Encrypt with recipient’s public key: Only they can decrypt it.
- Decrypt with private key: Only the key owner can read the message.
- Private key is never shared: Kept secure for decryption.
- Public key is shared: Used for encryption by senders.
17. Which phase of ethical hacking involves gathering information about a target without directly engaging with it?
A) Scanning
B) Gaining Access
C) Reconnaissance
D) Maintaining Access
Answer: C) Reconnaissance
Explanation: Reconnaissance (also known as footprinting) is the first phase of hacking, where attackers gather information about a target without directly engaging with it, often using public sources.
Study Tip: “Recon = Research”—Before hacking, attackers research their target. Always assume information is publicly available and minimize digital footprints!
18. Joe turns on his home computer to access his online banking account. When he enters www.bank.com, the website appears but prompts him to re-enter his credentials as if he had never visited before. Upon closer inspection, he notices that the site is not secure, and the URL looks different. What type of attack is Joe experiencing?
A) ARP cache poisoning
B) DHCP spoofing
C) DoS attack
D) DNS hijacking
Answer: D) DNS hijacking
Explanation: DNS hijacking occurs when an attacker manipulates DNS settings to redirect users to a fraudulent website. In this case, Joe’s request to access www.bank.com was redirected to a malicious site that mimics the legitimate banking website, attempting to steal his credentials.
Study Tip:
- ARP cache poisoning: Alters MAC-to-IP mapping for network interception.
- DHCP spoofing: Attacker provides fake IP configurations to users.
- DoS attack: Overloads a system to disrupt services.
- DNS hijacking: Redirects users to fake websites by altering DNS records.
19. Attacker Rony installed a rogue access point within an organization’s perimeter to infiltrate its internal network. Johnson, a security auditor, detected unusual traffic targeting the authentication mechanism. He immediately turned off the network and tested for weak and outdated security mechanisms vulnerable to attack. What type of vulnerability assessment did Johnson perform?
A) Application assessment
B) Host-based assessment
C) Distributed assessment
D) Wireless network assessment
Answer: D) Wireless network assessment
Explanation: A wireless network assessment evaluates the security of Wi-Fi networks, access points, and authentication mechanisms. Since the attacker used a rogue access point to infiltrate the network, Johnson focused on identifying weaknesses in wireless security protocols, making this a wireless network assessment.
Study Tip:
- Application assessment: Tests software for vulnerabilities.
- Host-based assessment: Evaluates the security of individual devices.
- Distributed assessment: Uses multiple tools across networks.
- Wireless network assessment: Identifies security flaws in Wi-Fi and access points.
20. Annie, a Cloud Security Engineer, is using the Docker architecture to implement a client/server model in her application. She works with a component that processes API requests and manages various Docker objects, such as containers, volumes, images, and networks. Which Docker component is she using?
A) Docker client
B) Docker registries
C) Docker daemon
D) Docker objects
Answer: C) Docker daemon
Explanation: The Docker daemon (dockerd) is responsible for processing API requests and managing Docker objects like containers, volumes, images, and networks. It runs in the background and interacts with the Docker client to execute commands and manage containerized applications.
Study Tip:
- Docker client: Sends commands to the Docker daemon.
- Docker registries: Store and distribute Docker images.
- Docker daemon: Processes API requests and manages Docker objects.
- Docker objects: Include containers, images, networks, and volumes.
21. SQL injection (SQLi) attacks attempt to inject SQL syntax into web requests, potentially bypassing authentication and allowing attackers to access or modify data in the database. Which type of SQLi attack exploits a database server’s ability to make DNS requests to exfiltrate data to an attacker?
A) Out-of-band SQLi
B) In-band SQLi
C) Union-based SQLi
D) Time-based blind SQLi
Answer: A) Out-of-band SQLi
Explanation: Out-of-band SQLi leverages a database server’s ability to make external requests, such as DNS or HTTP queries, to send stolen data to an attacker. It is used when traditional in-band techniques like Union-based or error-based SQLi are not effective due to security restrictions or limited response visibility.
Study Tip:
- Out-of-band SQLi: Uses DNS/HTTP requests for data exfiltration.
- In-band SQLi: Retrieves data in the same communication channel.
- Union-based SQLi: Uses UNION statements to extract data.
- Time-based blind SQLi: Uses SQL delays to infer data existence.
22. Emily, an extrovert active on social media, frequently posts private information, photos, and location tags of places she visits. Noticing this, James, a professional hacker, targets Emily and her acquaintances. He uses an automated tool to conduct a location search, detect their geolocation, and gather information for more sophisticated attacks. Which tool did James use?
A) HULK
B) Hootsuite
C) VisualRoute
D) ophcrack
Answer: C) VisualRoute
Explanation: VisualRoute is a geolocation and network diagnostic tool that helps track IP addresses, domains, and server locations. Attackers can use it to analyze the geolocation of social media users based on their shared data, aiding in reconnaissance for further attacks.
Study Tip:
- HULK: DDoS attack tool to flood web servers.
- Hootsuite: Social media management, not for hacking.
- VisualRoute: Tracks geolocation and IP addresses.
- ophcrack: Cracks Windows passwords using rainbow tables.
23. An attacker gains access to a network and installs a backdoor to maintain persistent access. What is the next step they would likely take?
A) Clearing logs to erase traces of intrusion
B) Escalating privileges to gain more control
C) Scanning the network for additional vulnerabilities
D) Exfiltrating sensitive data
Answer: B) Escalating privileges to gain more control
Explanation: After gaining a foothold in a system, attackers often attempt privilege escalation to gain administrator-level access, allowing them to execute more powerful commands and avoid detection.
Study Tip: “Foothold to Full Control”—Gaining access isn’t enough. Think like an attacker: Get in, go deeper, and secure dominance. Protect yourself by limiting user permissions and using role-based access control (RBAC).
24. A Penetration Tester is hired to test a company’s network security. The tester is given no prior knowledge of the network’s internal architecture. What type of test is this?
A) White-box test
B) Gray-box test
C) Black-box test
D) Vulnerability assessment
Answer: C) Black-box test
Explanation: A black-box test simulates an external attacker with no prior knowledge of the system. The tester must discover vulnerabilities from scratch using reconnaissance, scanning, and exploitation techniques.
Study Tip: “Black = Blind”—A black-box test means no inside knowledge. For better results, companies often combine black-box and white-box testing.
25. You are conducting an Advanced Persistent Threat (APT) simulation. Your goal is to maintain long-term access without detection. Which technique is most suitable?
A) Rootkit installation
B) Exploit execution
C) DDoS attack
D) SQL Injection
Answer: A) Rootkit installation
Explanation: Rootkits allow attackers to remain hidden inside a compromised system for long periods by modifying system processes and bypassing security defenses.
Study Tip: “Rootkits = Invisible Intruders”—Regular security scans and endpoint detection tools like EDR and SIEM can help detect hidden threats!
Master CEH with InfosecTrain
Mastering ethical hacking requires more than theoretical knowledge—it demands hands-on experience, real-world scenarios, and continuous learning. This guide covered top essential CEH questions, helping you understand key security concepts such as penetration testing, malware analysis, and cryptographic attacks.
While self-study is valuable, a structured learning approach accelerates success. InfosecTrain’s CEH Training Course provides:
- Expert-Led Training: Learn from certified CEH professionals with industry experience.
- Hands-On Labs: Gain practical skills through real-world hacking scenarios.
- Exam-Focused Content: Covers the latest CEH v13 curriculum, including updated cyber threats and ethical hacking techniques.
- Flexible Learning Options: Choose from self-paced, instructor-led, or corporate training tailored to your schedule.
Ready to take the next step? Elevate your CEH preparation with InfosecTrain’s CEH Training Course and become a Certified Ethical Hacker with confidence!
Enroll now! Visit InfosecTrain to learn more.