Month End Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmaspas7

Easiest Solution 2 Pass Your Certification Exams

CEH-001 GAQM Certified Ethical Hacker (CEH) Free Practice Exam Questions (2025 Updated)

Prepare effectively for your GAQM CEH-001 Certified Ethical Hacker (CEH) certification with our extensive collection of free, high-quality practice questions. Each question is designed to mirror the actual exam format and objectives, complete with comprehensive answers and detailed explanations. Our materials are regularly updated for 2025, ensuring you have the most current resources to build confidence and succeed on your first attempt.

Page: 2 / 7
Total 878 questions

You are the CIO for Avantes Finance International, a global finance company based in Geneva. You are responsible for network functions and logical security throughout the entire corporation. Your company has over 250 servers running Windows Server, 5000 workstations running Windows Vista, and 200 mobile users working from laptops on Windows 7.

Last week, 10 of your company's laptops were stolen from salesmen while at a conference in Amsterdam. These laptops contained proprietary company information. While doing damage assessment on the possible public relations nightmare this may become, a news story leaks about the stolen laptops and also that sensitive information from those computers was posted to a blog online.

What built-in Windows feature could you have implemented to protect the sensitive information on these laptops?

A.

You should have used 3DES which is built into Windows

B.

If you would have implemented Pretty Good Privacy (PGP) which is built into Windows, the sensitive information on the laptops would not have leaked out

C.

You should have utilized the built-in feature of Distributed File System (DFS) to protect the sensitive information on the laptops

D.

You could have implemented Encrypted File System (EFS) to encrypt the sensitive files on the laptops

In this attack, a victim receives an e-mail claiming from PayPal stating that their account has been disabled and confirmation is required before activation. The attackers then scam to collect not one but two credit card numbers, ATM PIN number and other personal details.

Ignorant users usually fall prey to this scam. Which of the following statement is incorrect related to this attack?

A.

Do not reply to email messages or popup ads asking for personal or financial information

B.

Do not trust telephone numbers in e-mails or popup ads

C.

Review credit card and bank account statements regularly

D.

Antivirus, anti-spyware, and firewall software can very easily detect these type of attacks

E.

Do not send credit card numbers, and personal or financial information via e-mail

Michael is a junior security analyst working for the National Security Agency (NSA) working primarily on breaking terrorist encrypted messages. The NSA has a number of methods they use to decipher encrypted messages including Government Access to Keys (GAK) and inside informants. The NSA holds secret backdoor keys to many of the encryption algorithms used on the Internet. The problem for the NSA, and Michael, is that terrorist organizations are starting to use custom-built algorithms or obscure algorithms purchased from corrupt governments. For this reason, Michael and other security analysts like him have been forced to find different methods of deciphering terrorist messages. One method that Michael thought of using was to hide malicious code inside seemingly harmless programs. Michael first monitors sites and bulletin boards used by known terrorists, and then he is able to glean email addresses to some of these suspected terrorists. Michael then inserts a stealth keylogger into a mapping program file readme.txt and then sends that as an attachment to the terrorist. This keylogger takes screenshots every 2 minutes and also logs all keyboard activity into a hidden file on the terrorist's computer. Then, the keylogger emails those files to Michael twice a day with a built in SMTP server. What technique has Michael used to disguise this keylogging software?

A.

Steganography

B.

Wrapping

C.

ADS

D.

Hidden Channels

Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would result in serious financial losses. He planned the attack carefully and carried out the attack at the appropriate moment.

Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transaction server had been attacked. As a result of the attack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company. This process involves human interaction to fix it.

What kind of Denial of Service attack was best illustrated in the scenario above?

A.

Simple DDoS attack

B.

DoS attacks which involves flooding a network or system

C.

DoS attacks which involves crashing a network or system

D.

DoS attacks which is done accidentally or deliberately

John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame?

A.

0xFFFFFFFFFFFF

B.

0xDDDDDDDDDDDD

C.

0xAAAAAAAAAAAA

D.

0xBBBBBBBBBBBB

One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to the broadcast or the network address. The request would be broadcasted to all hosts on the targeted network. The live hosts will send an ICMP ECHO Reply to the attacker's source IP address.

You send a ping request to the broadcast address 192.168.5.255.

There are 40 computers up and running on the target network. Only 13 hosts send a reply while others do not. Why?

A.

Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address.

B.

Linux machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address.

C.

You should send a ping request with this command ping ? 192.168.5.0-255

D.

You cannot ping a broadcast address. The above scenario is wrong.

Study the snort rule given below and interpret the rule.

alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msG. "mountd access";)

A.

An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111

B.

An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet

C.

An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet

D.

An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

Blane is a network security analyst for his company. From an outside IP, Blane performs an XMAS scan using Nmap. Almost every port scanned does not illicit a response. What can he infer from this kind of response?

A.

These ports are open because they do not illicit a response.

B.

He can tell that these ports are in stealth mode.

C.

If a port does not respond to an XMAS scan using NMAP, that port is closed.

D.

The scan was not performed correctly using NMAP since all ports, no matter what their state, will illicit some sort of response from an XMAS scan.

How does a denial-of-service attack work?

A.

A hacker prevents a legitimate user (or group of users) from accessing a service

B.

A hacker uses every character, word, or letter he or she can think of to defeat authentication

C.

A hacker tries to decipher a password by using a system, which subsequently crashes the network

D.

A hacker attempts to imitate a legitimate user by confusing a computer or even another person

What is the command used to create a binary log file using tcpdump?

A.

tcpdump -w ./log

B.

tcpdump -r log

C.

tcpdump -vde logtcpdump -vde ? log

D.

tcpdump -l /var/log/

Finding tools to run dictionary and brute forcing attacks against FTP and Web servers is an easy task for hackers. They use tools such as arhontus or brutus to break into remote servers.

A command such as this, will attack a given 10.0.0.34 FTP and Telnet servers simultaneously with a list of passwords and a single login namE. linksys. Many FTP-specific password-guessing tools are also available from major security sites.

What defensive measures will you take to protect your network from these attacks?

A.

Never leave a default password

B.

Never use a password that can be found in a dictionary

C.

Never use a password related to your hobbies, pets, relatives, or date of birth.

D.

Use a word that has more than 21 characters from a dictionary as the password

E.

Never use a password related to the hostname, domain name, or anything else that can be found with whois

Your company has blocked all the ports via external firewall and only allows port 80/443 to connect to the Internet. You want to use FTP to connect to some remote server on the Internet. How would you accomplish this?

A.

Use HTTP Tunneling

B.

Use Proxy Chaining

C.

Use TOR Network

D.

Use Reverse Chaining

In this type of Man-in-the-Middle attack, packets and authentication tokens are captured using a sniffer. Once the relevant information is extracted, the tokens are placed back on the network to gain access.

A.

Token Injection Replay attacks

B.

Shoulder surfing attack

C.

Rainbow and Hash generation attack

D.

Dumpster diving attack

What is the default Password Hash Algorithm used by NTLMv2?

A.

MD4

B.

DES

C.

SHA-1

D.

MD5

Within the context of Computer Security, which of the following statements describes Social Engineering best?

A.

Social Engineering is the act of publicly disclosing information

B.

Social Engineering is the means put in place by human resource to perform time accounting

C.

Social Engineering is the act of getting needed information from a person rather than breaking into a system

D.

Social Engineering is a training program within sociology studies

This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.

http://foobar.com/index.html?id=%3Cscript%20src=%22http://baddomain.com/badscript.js%22%3E%3C/script%3E ">See foobar

What is this attack?

A.

Cross-site-scripting attack

B.

SQL Injection

C.

URL Traversal attack

D.

Buffer Overflow attack

Lee is using Wireshark to log traffic on his network. He notices a number of packets being directed to an internal IP from an outside IP where the packets are ICMP and their size is around 65, 536 bytes. What is Lee seeing here?

A.

Lee is seeing activity indicative of a Smurf attack.

B.

Most likely, the ICMP packets are being sent in this manner to attempt IP spoofing.

C.

Lee is seeing a Ping of death attack.

D.

This is not unusual traffic, ICMP packets can be of any size.

Fred is the network administrator for his company. Fred is testing an internal switch. From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this?

A.

Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his computer.

B.

He can send an IP packet with the SYN bit and the source address of his computer.

C.

Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.

D.

Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.

Take a look at the following attack on a Web Server using obstructed URL:

How would you protect from these attacks?

A.

Configure the Web Server to deny requests involving "hex encoded" characters

B.

Create rules in IDS to alert on strange Unicode requests

C.

Use SSL authentication on Web Servers

D.

Enable Active Scripts Detection at the firewall and routers

Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch.

In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports. What happens when the CAM table becomes full?

A.

Switch then acts as hub by broadcasting packets to all machines on the network

B.

The CAM overflow table will cause the switch to crash causing Denial of Service

C.

The switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF

D.

Every packet is dropped and the switch sends out SNMP alerts to the IDS port

File extensions provide information regarding the underlying server technology. Attackers can use this information to search vulnerabilities and launch attacks. How would you disable file extensions in Apache servers?

A.

Use disable-eXchange

B.

Use mod_negotiation

C.

Use Stop_Files

D.

Use Lib_exchanges

Which of the following is NOT part of CEH Scanning Methodology?

A.

Check for Live systems

B.

Check for Open Ports

C.

Banner Grabbing

D.

Prepare Proxies

E.

Social Engineering attacks

F.

Scan for Vulnerabilities

G.

Draw Network Diagrams

Which definition below best describes a covert channel?

A.

A server program using a port that is not well known

B.

Making use of a protocol in a way it was not intended to be used

C.

It is the multiplexing taking place on a communication link

D.

It is one of the weak channels used by WEP that makes it insecure

The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:

You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed?

A.

Use the Cisco's TFTP default password to connect and download the configuration file

B.

Run a network sniffer and capture the returned traffic with the configuration file from the router

C.

Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address

D.

Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0

What type of attack is shown here?

A.

Bandwidth exhaust Attack

B.

Denial of Service Attack

C.

Cluster Service Attack

D.

Distributed Denial of Service Attack

What framework architecture is shown in this exhibit?

A.

Core Impact

B.

Metasploit

C.

Immunity Canvas

D.

Nessus

Which results will be returned with the following Google search query?

site:target.com -site:Marketing.target.com accounting

A.

Results matching all words in the query

B.

Results matching “accounting” in domain target.com but not on the site Marketing.target.com

C.

Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting

D.

Results for matches on target.com and Marketing.target.com that include the word “accounting”

A security administrator notices that the log file of the company`s webserver contains suspicious entries:

Based on source code analysis, the analyst concludes that the login.php script is vulnerable to

A.

command injection.

B.

SQL injection.

C.

directory traversal.

D.

LDAP injection.

When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire?

A.

Network tap

B.

Layer 3 switch

C.

Network bridge

D.

Application firewall

Which of the following items is unique to the N-tier architecture method of designing software applications?

A.

Application layers can be separated, allowing each layer to be upgraded independently from other layers.

B.

It is compatible with various databases including Access, Oracle, and SQL.

C.

Data security is tied into each layer and must be updated for all layers when any upgrade is performed.

D.

Application layers can be written in C, ASP.NET, or Delphi without any performance loss.

What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response?

A.

Passive

B.

Reflective

C.

Active

D.

Distributive

Which of the statements concerning proxy firewalls is correct?

A.

Proxy firewalls increase the speed and functionality of a network.

B.

Firewall proxy servers decentralize all activity for an application.

C.

Proxy firewalls block network packets from passing to and from a protected network.

D.

Computers establish a connection with a proxy firewall which initiates a new network connection for the client.

A penetration tester was hired to perform a penetration test for a bank. The tester began searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news articles online about the bank, watching what times the bank employees come into work and leave from work, searching the bank's job postings (paying special attention to IT related jobs), and visiting the local dumpster for the bank's corporate office. What phase of the penetration test is the tester currently in?

A.

Information reporting

B.

Vulnerability assessment

C.

Active information gathering

D.

Passive information gathering

A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application's search form and introduces the following code in the search input fielD.

IMG SRC=vbscript:msgbox("Vulnerable");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable");>"

When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable".

Which web applications vulnerability did the analyst discover?

A.

Cross-site request forgery

B.

Command injection

C.

Cross-site scripting

D.

SQL injection

A security policy will be more accepted by employees if it is consistent and has the support of

A.

coworkers.

B.

executive management.

C.

the security officer.

D.

a supervisor.

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Which of the following is the correct bit size of the Diffie-Hellman (DH) group 5?

A.

768 bit key

B.

1025 bit key

C.

1536 bit key

D.

2048 bit key

Which of the following is a detective control?

A.

Smart card authentication

B.

Security policy

C.

Audit trail

D.

Continuity of operations plan

Windows file servers commonly hold sensitive files, databases, passwords and more. Which of the following choices would be a common vulnerability that usually exposes them?

A.

Cross-site scripting

B.

SQL injection

C.

Missing patches

D.

CRLF injection

Smart cards use which protocol to transfer the certificate in a secure manner?

A.

Extensible Authentication Protocol (EAP)

B.

Point to Point Protocol (PPP)

C.

Point to Point Tunneling Protocol (PPTP)

D.

Layer 2 Tunneling Protocol (L2TP)

In keeping with the best practices of layered security, where are the best places to place intrusion detection/intrusion prevention systems? (Choose two.)

A.

HID/HIP (Host-based Intrusion Detection/Host-based Intrusion Prevention)

B.

NID/NIP (Node-based Intrusion Detection/Node-based Intrusion Prevention)

C.

NID/NIP (Network-based Intrusion Detection/Network-based Intrusion Prevention)

D.

CID/CIP (Computer-based Intrusion Detection/Computer-based Intrusion Prevention)

Page: 2 / 7
Total 878 questions
Copyright © 2014-2025 Solution2Pass. All Rights Reserved