CEH-001 GAQM Certified Ethical Hacker (CEH) Free Practice Exam Questions (2025 Updated)

Page: 4 / 7
Total 878 questions

Which of the following can the administrator do to verify that a tape backup can be recovered in its entirety?

A. Restore a random file.
B. Perform a full restore.
C. Read the first 512 bytes of the tape.
D. Read the last 512 bytes of the tape.

While performing data validation of web content, a security technician is required to restrict malicious input. Which of the following processes is an efficient way of restricting malicious input?

A. Validate web content input for query strings.
B. Validate web content input with scanning tools.
C. Validate web content input for type, length, and range.
D. Validate web content input for extraneous queries.

When analyzing the IDS logs, the system administrator notices connections from outside of the LAN have been sending packets where the Source IP address and Destination IP address are the same. There have been no alerts sent via email or logged in the IDS. Which type of an alert is this?

A. False positive
B. False negative
C. True positive
D. True negative

Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?

A. Teardrop
B. SYN flood
C. Smurf attack
D. Ping of death

A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband's email account in order to find proof so she can take him to court. What is the ethical response?

A. Say no; the friend is not the owner of the account.
B. Say yes; the friend needs help to gather evidence.
C. Say yes; do the job for free.
D. Say no; make sure that the friend knows the risk she’s asking the CEH to take.

Which of the following open source tools would be the best choice to scan a network for potential targets?

A. NMAP
B. NIKTO
C. CAIN
D. John the Ripper

Which of the following examples best represents a logical or technical control?

A. Security tokens
B. Heating and air conditioning
C. Smoke and fire alarms
D. Corporate security policy

An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for lack of management or control packets?

A. The wireless card was not turned on.
B. The wrong network card drivers were in use by Wireshark.
C. On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode.
D. Certain operating systems and adapters do not collect the management or control packets.

Which statement is TRUE regarding network firewalls preventing Web Application attacks?

A. Network firewalls can prevent attacks because they can detect malicious HTTP traffic.
B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.
C. Network firewalls can prevent attacks if they are properly configured.
D. Network firewalls cannot prevent attacks because they are too complex to configure.

Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?

A. They are written in Java.
B. They send alerts to security monitors.
C. They use the same packet analysis engine.
D. They use the same packet capture utility.

Which cipher encrypts the plain text digit (bit or byte) one by one?

A. Classical cipher
B. Block cipher
C. Modern cipher
D. Stream cipher

A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit?

A. Issue the pivot exploit and set the meterpreter.
B. Reconfigure the network settings in the meterpreter.
C. Set the payload to propagate through the meterpreter.
D. Create a route statement in the meterpreter.

A person approaches a network administrator and wants advice on how to send encrypted email from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following is the most secure encryption protocol that the network administrator should recommend?

A. IP Security (IPSEC)
B. Multipurpose Internet Mail Extensions (MIME)
C. Pretty Good Privacy (PGP)
D. Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)

Which of the following tools can be used to perform a zone transfer?

A. NSLookup
B. Finger
C. Dig
D. Sam Spade
E. Host
F. Netcat
G. Neotrace

SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather a great amount of information about remote hosts.

Which of the following features makes this possible? (Choose two)

A. It uses TCP as the underlying protocol.
B. It uses a community string that is transmitted in clear text.
C. It is susceptible to sniffing.
D. It is used by all network devices on the market.

While footprinting a network, what port/service should you look for to attempt a zone transfer?

A. 53 UDP
B. 53 TCP
C. 25 UDP
D. 25 TCP
E. 161 UDP
F. 22 TCP
G. 60 TCP

When Nmap performs a ping sweep, which of the following sets of requests does it send to the target device?

A. ICMP ECHO_REQUEST & TCP SYN
B. ICMP ECHO_REQUEST & TCP ACK
C. ICMP ECHO_REPLY & TCP RST
D. ICMP ECHO_REPLY & TCP FIN

Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds them to be abnormal. If you were the penetration tester, why would you find this abnormal?

05/20-17:0645.061034 192.160.13.4:31337 --> 172.16.1.101:1

TCP TTL:44 TOS:0x10 ID:242

***FRP** Seq:0xA1D95  Ack:0x53  Win: 0x400

What is odd about this attack? (Choose the most appropriate statement)

A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is back orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid.
D. These packets were created by a tool; they were not created by a standard IP stack.

You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of which protocols are being used. You need to discover as many different protocols as possible.

Which kind of scan would you use to achieve this? (Choose the best answer)

A. Nessus scan with TCP based pings.
B. Nmap scan with the -sP (Ping scan) switch.
C. Netcat scan with the -u -e switches.
D. Nmap with the -sO (Raw IP packets) switch.

While performing a ping sweep of a subnet you receive an ICMP reply of Code 3/Type 13 for all the pings sent out.

What is the most likely cause behind this response?

A. The firewall is dropping the packets.
B. An in-line IDS is dropping the packets.
C. A router is blocking ICMP.
D. The host does not respond to ICMP packets.

One of your team members has asked you to analyze the following SOA record. What is the version?

Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.

A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800

Which of the following is an automated vulnerability assessment tool?

A. Whack a Mole
B. Nmap
C. Nessus
D. Kismet
E. Jill32

Which of the following commands runs snort in packet logger mode?

A. ./snort -dev -h ./log
B. ./snort -dev -l ./log
C. ./snort -dev -o ./log
D. ./snort -dev -p ./log

Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by an IDS?

A. SYN scan
B. ACK scan
C. RST scan
D. Connect scan
E. FIN scan

An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts.

A. 2
B. 256
C. 512
D. Over 10,000

Which of the following Nmap commands would be used to perform a stack fingerprinting?

A. Nmap -O -p80
B. Nmap -hU -Q
C. Nmap -sT -p
D. Nmap -u -o -w2
E. Nmap -sS -0p target

Which of the following command line switches would you use for OS detection in Nmap?

A. -D
B. -O
C. -P
D. -X

Your lab partner is trying to find out more information about a competitor's web site. The site has a .com extension. She has decided to use some online whois tools and look in one of the regional Internet registries. Which one would you suggest she looks in first?

A. LACNIC
B. ARIN
C. APNIC
D. RIPE
E. AfriNIC

What is the disadvantage of an automated vulnerability assessment tool?

A. Ineffective
B. Slow
C. Prone to false positives
D. Prone to false negatives
E. Noisy

What flags are set in an X-MAS scan? (Choose all that apply.)

A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. URG

Which of the following systems would not respond correctly to an nmap XMAS scan?

A. Windows 2000 Server running IIS 5
B. Any Solaris version running SAMBA Server
C. Any version of IRIX
D. RedHat Linux 8.0 running Apache Web Server

Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

A. It is a network fault and the originating machine is in a network loop
B. It is a worm that is malfunctioning or hardcoded to scan on port 500
C. The attacker is trying to detect machines on the network which have SSL enabled
D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

Paul has just finished setting up his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryption, and enabling MAC filtering on his wireless router. Paul notices that when he uses his wireless connection, the speed is sometimes 54 Mbps and sometimes it is only 24 Mbps or less. Paul connects to his wireless router's management utility and notices that a machine with an unfamiliar name is connected through his wireless connection. Paul checks the router's logs and notices that the unfamiliar machine has the same MAC address as his laptop. What is Paul seeing here?

A. MAC spoofing
B. Macof
C. ARP spoofing
D. DNS spoofing

Which of the following tools are used for footprinting? (Choose four)

A. Sam Spade
B. NSLookup
C. Traceroute
D. Neotrace
E. Cheops

What are the default passwords used by SNMP? (Choose two.)

A. Password
B. SA
C. Private
D. Administrator
E. Public
F. Blank

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs:

From the above list identify the user account with System Administrator privileges.

A. John
B. Rebecca
C. Sheela
D. Shawn
E. Somia
F. Chang
G. Micah

What type of port scan is shown below?

A. Idle Scan
B. Windows Scan
C. XMAS Scan
D. SYN Stealth Scan

Because UDP is a connectionless protocol: (Select 2)

A. UDP recvfrom() and write() scanning will yield reliable results
B. It can only be used for Connect scans
C. It can only be used for SYN scans
D. There is no guarantee that the UDP packets will arrive at their destination
E. ICMP port unreachable messages may not be returned successfully

You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost every query increments the IPID regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Why do you think this occurs?

A. The zombie you are using is not truly idle.
B. A stateful inspection firewall is resetting your queries.
C. Hping2 cannot be used for idle scanning.
D. These ports are actually open on the target system.

Which of the following is considered an acceptable option when managing a risk?

A. Reject the risk.
B. Deny the risk.
C. Mitigate the risk.
D. Initiate the risk.

Copyright © 2014-2025 Solution2Pass. All Rights Reserved