Reconnaissance & Footprinting
Modules 1-4 — Information Gathering & Scanning
Question 01
An ethical hacker is gathering information about a target organization without directly interacting with their systems. Which type of reconnaissance is being performed?
APassive reconnaissance ✅
BActive reconnaissance
CVulnerability scanning
DPenetration testing
💡 Explanation: Passive reconnaissance collects information without directly interacting with the target. Examples include WHOIS lookups, searching social media, reviewing DNS records, using Shodan, Google dorking, and analyzing job postings. Active reconnaissance directly interacts with the target (port scanning, ping sweeps). The distinction between passive and active recon is heavily tested on CEH.
Question 02
Which Nmap scan type sends SYN packets and waits for SYN-ACK responses without completing the three-way handshake, making it stealthier than a full connect scan?
ATCP Connect scan (-sT)
BSYN/Stealth scan (-sS) ✅
CXMAS scan (-sX)
DUDP scan (-sU)
💡 Explanation: The SYN scan (also called half-open or stealth scan) sends SYN packets and analyzes responses without completing the TCP handshake — making it harder to detect in logs. If SYN-ACK is received, the port is open; RST means closed. TCP Connect completes the full handshake (more detectable), XMAS sets FIN/PSH/URG flags, and UDP scans target UDP ports. SYN scan is the default and most common Nmap scan.
Question 03
During the enumeration phase, an ethical hacker extracts user accounts, network shares, and group memberships from a Windows system using port 445. Which protocol is being enumerated?
ASNMP
BSMB (Server Message Block) ✅
CLDAP
DNTP
💡 Explanation: SMB (Server Message Block) runs on port 445 (and historically 139) and is used for file sharing on Windows networks. Enumerating SMB can reveal user accounts, shared folders, group policies, and OS versions. Tools like enum4linux, smbclient, and Nmap SMB scripts are commonly used. SNMP uses port 161, LDAP uses port 389, and NTP uses port 123.
2
System Hacking
Modules 5-6 — Gaining & Maintaining Access
Question 04
An attacker uses a precomputed table of password hashes to quickly reverse hashed passwords. What is this technique called?
ABrute force attack
BDictionary attack
CRainbow table attack ✅
DPass-the-hash attack
💡 Explanation: Rainbow tables are precomputed lookup tables that map hash values back to plaintext passwords, enabling fast password cracking. The defense against rainbow tables is salting — adding a random value to each password before hashing, which makes precomputed tables useless. Brute force tries all combinations, dictionary uses wordlists, and pass-the-hash uses captured hashes directly without cracking them.
Question 05
After gaining initial access to a system, an attacker installs a backdoor to maintain persistent access even after reboots. Which phase of the hacking methodology does this represent?
AGaining access
BMaintaining access ✅
CClearing tracks
DReconnaissance
💡 Explanation: The five phases of ethical hacking are: Reconnaissance → Scanning → Gaining Access → Maintaining Access → Clearing Tracks. Installing backdoors, rootkits, or creating new user accounts falls under maintaining access. This ensures the attacker can return even if the original vulnerability is patched. Clearing tracks involves deleting logs and hiding evidence of compromise.
Question 06
Which technique allows an attacker to escalate privileges on a Linux system by exploiting a misconfigured binary that runs with elevated permissions?
AARP poisoning
BSUID bit exploitation ✅
CDNS spoofing
DSQL injection
💡 Explanation: The SUID (Set User ID) bit allows a file to execute with the permissions of the file owner (often root) regardless of who runs it. If a misconfigured binary has the SUID bit set, an attacker can exploit it to escalate from a regular user to root. The command find / -perm -4000 finds SUID binaries. GTFOBins is a common reference for exploitable SUID programs.
3
Web & Network Attacks
Modules 7-14 — Web Apps, Sessions, Networks
Question 07
An attacker injects the payload ' OR '1'='1' -- into a login form’s username field to bypass authentication. What type of attack is this?
ASQL Injection ✅
BCross-Site Scripting (XSS)
CCSRF (Cross-Site Request Forgery)
DCommand injection
💡 Explanation: SQL Injection occurs when an attacker inserts malicious SQL code into input fields to manipulate the backend database. The payload ' OR '1'='1' -- makes the WHERE clause always true, bypassing authentication. Prevention includes parameterized queries (prepared statements), input validation, and WAFs. SQLi remains one of the OWASP Top 10 and is heavily tested on CEH.
Question 08
An attacker positions themselves between two communicating parties, secretly intercepting and potentially altering their traffic. What is this attack called?
ADenial of Service (DoS)
BMan-in-the-Middle (MitM) ✅
CSession hijacking
DReplay attack
💡 Explanation: A Man-in-the-Middle (MitM) attack intercepts communication between two parties. The attacker can eavesdrop, modify data, or inject malicious content. Common MitM techniques include ARP spoofing, DNS spoofing, and SSL stripping. Prevention includes using HTTPS/TLS, certificate pinning, and HSTS. Tools like Ettercap and Bettercap are commonly used for MitM attacks in ethical hacking labs.
Question 09
Which type of XSS attack stores the malicious script permanently on the target server (e.g., in a database) and executes it every time a user visits the affected page?
AReflected XSS
BStored (Persistent) XSS ✅
CDOM-based XSS
DBlind XSS
💡 Explanation: Stored XSS (persistent XSS) injects malicious scripts that are permanently stored on the target server — such as in comments, forum posts, or user profiles. Every user who views the affected page executes the script. This is the most dangerous XSS type. Reflected XSS requires the victim to click a crafted link, and DOM-based XSS manipulates the page’s DOM without server involvement.
4
Malware & Social Engineering
Modules 7-9 — Threats, Trojans & Human Hacking
Question 10
Which type of malware encrypts a victim’s files and demands payment (usually in cryptocurrency) for the decryption key?
ATrojan horse
BWorm
CRansomware ✅
DSpyware
💡 Explanation: Ransomware encrypts files and demands a ransom (typically in Bitcoin or Monero) for the decryption key. Notable examples include WannaCry, NotPetya, REvil, and LockBit. Prevention includes regular offline backups, patching systems, email filtering, and user awareness training. A Trojan disguises itself as legitimate software, worms self-replicate across networks, and spyware secretly monitors user activity.
Question 11
An attacker sends a carefully crafted email pretending to be from the CEO, asking the CFO to urgently wire funds to a specific account. Which social engineering attack is this?
APhishing
BVishing
CSpear phishing / Whaling ✅
DPretexting
💡 Explanation: Whaling is a targeted spear phishing attack aimed at high-profile executives (CEO, CFO). Also called Business Email Compromise (BEC), it exploits authority and urgency to trick victims into transferring money or sharing sensitive data. Regular phishing targets anyone, spear phishing targets specific individuals, vishing uses voice calls, and pretexting creates a fabricated scenario to gain trust.
5
Cloud, IoT & Emerging Technologies
Modules 15-20 — Cloud, IoT, AI, Cryptography
Question 12
In a cloud environment, an attacker exploits a vulnerability in one virtual machine to break out of the VM and access the underlying hypervisor or other VMs on the same host. What is this attack called?
ASide-channel attack
BVM escape ✅
CContainer breakout
DPrivilege escalation
💡 Explanation: VM escape is a critical cloud security threat where an attacker breaks out of a guest virtual machine to interact with the host hypervisor or other VMs. This compromises the isolation that makes cloud computing secure. Examples include Venom (CVE-2015-3456) and exploits targeting Xen/KVM. Prevention includes keeping hypervisors patched, using hardware-assisted virtualization, and proper segmentation.
Question 13
Which encryption algorithm is an asymmetric (public-key) algorithm commonly used for secure key exchange and digital signatures?
AAES
BRSA ✅
CDES
DBlowfish
💡 Explanation: RSA (Rivest-Shamir-Adleman) is the most widely used asymmetric encryption algorithm. It uses a public key for encryption and a private key for decryption. RSA is commonly used for digital signatures, SSL/TLS certificates, and secure key exchange. AES, DES, and Blowfish are all symmetric algorithms (same key for encryption and decryption). Know the difference between symmetric and asymmetric for CEH.
Question 14
An IoT smart thermostat is using default factory credentials and is accessible from the internet. Which OWASP IoT Top 10 vulnerability does this represent?
AWeak, guessable, or hardcoded passwords ✅
BInsecure data transfer
CLack of device management
DInsecure ecosystem interfaces
💡 Explanation: Default credentials on IoT devices are the #1 IoT vulnerability according to OWASP IoT Top 10. Many devices ship with admin/admin or similar defaults that users never change. The Mirai botnet famously exploited default credentials on IoT devices to launch massive DDoS attacks. Always change default passwords, disable unnecessary services, and keep firmware updated on all IoT devices.
How hard is the CEH exam? The CEH (312-50) exam is considered moderately difficult. It contains 125 multiple-choice questions with a 4-hour time limit. The passing score is approximately 70% (varies by exam form). Most candidates with cybersecurity experience need 2-3 months of preparation. The exam tests broad knowledge across 20 modules covering ethical hacking tools, techniques, and methodologies.
How much does CEH cost? The CEH exam voucher costs $1,199 USD. However, if you attend EC-Council’s official training (around $2,000-$3,500), the exam voucher is included. Self-study candidates can apply for eligibility through EC-Council by proving 2 years of information security experience. The CEH Practical exam (hands-on lab) costs an additional $550.
Is CEH worth it in 2026? Yes — CEH remains one of the most recognized cybersecurity certifications worldwide. It is approved by the US Department of Defense (DoD 8140), valued by employers globally, and demonstrates practical ethical hacking skills. CEH-certified professionals earn an average salary of $95,000-$130,000 in the US. CEH v13 includes updated content on AI-driven attacks and cloud security.
CEH vs CompTIA Security+ — which is better? They serve different purposes. Security+ is a foundational certification covering broad security concepts — ideal for beginners and required for many government jobs. CEH is more specialized, focusing specifically on offensive security and penetration testing techniques. Ideally, get Security+ first as a foundation, then CEH to specialize in ethical hacking. Both are DoD-approved.
Leave a Comment