ITExambyte

CEH Exam Questions For Free 2024

Created by itexambyte.com

CEH Sample Questions and Answers

Total Questions – 125
Passing Score is 70%

Domain: Weightage %
Information Security and Ethical Hacking Overview: 6%
Reconnaissance Techniques: 21%
System Hacking Phases and Attack Techniques: 17%
Network and Perimeter Hacking: 14%
Web Application Hacking: 16%
Wireless Network Hacking: 6%
Mobile Platform, IoT, and OT Hacking: 8%
Cloud Computing: 6%
Cryptography: 6%

1. In one of the following attacks, an attacker has complete access to a plaintext message including its encryption, and they can modify the content of the message by making a series of interactive queries, choosing subsequent plaintext blocks based on the information from the previous encryption queries and functions. Which is this attack?

2. In a mode of authenticated encryption, the plaintext is first encrypted using a secret key. Then, a hash value is generated for the obtained cipher text and is attached to the cipher text before transmission. Identify this mode of authenticated encryption.

3. In a cipher mode of operation, the initialization vector (IV) stored in the shift register is sent as input to the encryption algorithm along with the secret key. From the result of encryption, the first S bits are selected to perform XOR with a plaintext block of size S to produce a cipher block. Identify this cipher mode of operation.

4. Which cipher encrypts the plain text digit (bit or byte) one by one?

5. Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method?

6. Which of the following algorithms uses a sponge construction where message blocks are XORed into the initial bits of the state that the algorithm then invertibly permutes?

7. Which of the following symmetric-key block ciphers uses a 128-bit symmetric block cipher with key sizes of 128, 192, and 256 bits and can be easily integrated into software or hardware programs without any restrictions?

8. Which of the following terms refers to on-premises or cloud-hosted solutions for enforcing security, compliance, and governance policies in cloud applications?

9. Which of the following best practices allows security professionals to secure the Docker environment?

10. In which of the following attacks does an attacker exploit the vulnerability residing in a bare-metal cloud server and use it to implant a malicious backdoor in its firmware?

11. In which of the following attacks does an attacker abuse cloud file synchronization services, such as Google Drive and Dropbox, for data compromise, command and control, data exfiltration, and remote access?

12. Highlander, Incorporated, is a medical insurance company with several regional company offices in North America. There are various types of employees working in the company, including technical teams, sales teams, and work-from-home employees. Highlander takes care of the security patches and updates of official computers and laptops; however, the computers or laptops of the work-from-home employees are to be managed by the employees or their ISPs. Highlander employs various group policies to restrict the installation of any third-party applications.

As per Highlander’s policy, all the employees are able to utilize their personal smartphones to access the company email in order to respond to requests for updates. Employees are responsible for keeping their phones up to date with the latest patches. The phones are not used to directly connect to any other resources in the Highlander, Incorporated, network.

The database that hosts the information collected from the insurance application is hosted on a cloud-based file server, and their email server is hosted on Office 365. Other files created by employees get saved to a cloud-based file server, and the company uses work folders to synchronize offline copies back to their devices. Apart from Highlander employees, no one can access the cloud service.

What type of cloud service is Highlander using?

13. Which of the following cloud deployment models is a combination of two or more clouds that remain unique entities but are bound together, where an organization makes available and manages some resources in-house and provides other resources externally?

14. Which of the following cloud services provides features such as single sign-on, multi-factor authentication, identity governance and administration, access management, and intelligence collection?

15. Which of the following online tools allows attackers to discover the default credentials of a device or product simply by entering the device name or manufacturer name?

16. Which of the following levels of the Purdue model uses protocols such as 6LoWPAN, DNP3, DNS/DNSSEC, FTE, HART-IP, IEC 60870-5-101/104, and SOAP?

17. Which of the following components of an industrial control system is a small solid-state control computer where instructions can be customized to perform a specific task?

18. Which of the following IoT technology components bridges the gap between the IoT device and the end user?

19. Which of the following protocols is a type of LAN that consists of a wired connection between computers in a small building, office, or campus?

20. In which of the following IoT attacks does an attacker extract information about encryption keys by observing the emission of signals?

21. Identify the practice that can make mobile devices susceptible to different types of cyber threats.

22. Which of the following mobile Bluetooth attacks enables an attacker to gain remote access to the victim's mobile and use its features without the victim's knowledge or consent?

23. In which of the following attacks does an attacker exploit vulnerabilities in the SSL/TLS implementation on websites and invisibly downgrade connections to HTTP without encryption?

24. Which of the following attacks is performed by attackers to eavesdrop on existing network connections between two systems, intrude, and then read or modify data?

25. Which of the following practices makes the Bluetooth-enabled devices of an organization vulnerable to various attacks?

26. Mark is working as a penetration tester in InfoSEC, Inc. One day, he notices that the traffic on the internal wireless router suddenly increases by more than 50%. He knows that the company is using a wireless 802.11 a/b/g/n/ac network. He decided to capture live packets and browse the traffic to investigate the issue to find out the actual cause. Which of the following tools should Mark use to monitor the wireless network?

27. Kenneth, a professional penetration tester, was hired by the XYZ Company to conduct wireless network penetration testing. Kenneth proceeds with the standard steps of wireless penetration testing. He tries to collect lots of initialization vectors (IVs) using the injection method to crack the WEP key. He uses the aircrack-ng tool to capture the IVs from a specific AP. Which of the following aircrack-ng commands will help Kenneth to do this?

28. John is a pen tester working with an information security consultant based in Paris. As part of a penetration testing assignment, he was asked to perform wireless penetration testing for a large MNC. John knows that the company provides free Wi-Fi access to its employees on the company premises. He sets up a rogue wireless access point with the same SSID as that of the company’s Wi-Fi network just outside the company premises. He sets up this rogue access point using the tools that he has and hopes that the employees might connect to it. What type of wireless confidentiality attack is John trying to do?

29. WPA2 uses AES for wireless data encryption at which of the following encryption levels?

30. Which of the following Wi-Fi security protocols uses GCMP-256 for encryption and HMAC-SHA-384 for authentication?

31. Which of the following is a standard for Wireless Local Area Networks (WLANs) that provides improved encryption for networks that use 802.11a, 802.11b, and 802.11g standards?

32. Which of the following terms describes the amount of information that may be broadcast over a connection?

33. In which of the following evasion techniques does an attacker use a WHERE statement that is always evaluated as "true" so that any mathematical or string comparison can be used, such as "' or '1'='1'"?

34. A tester has been hired to perform source code review of a web application to detect SQL injection vulnerabilities. As part of the testing process, he needs to get all the information about the project from the development team. During the discussion with the development team, he comes to know that the project is in the initial stage of the development cycle. As per the above scenario, which of the following processes does the tester need to follow in order to save the company’s time and money?

35. Which of the following functions can be used by an attacker to link a target SQL server’s database to the attacker’s own machine and retrieve data from the target SQL server database?

36. In which of the following techniques does an attacker use logical requests such as AND/OR to bypass a firewall?

37. Which of the following attacks allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information?

38. Which of the following practices helps security professionals prevent SQL injection attacks and safeguard organizational data?

39. If your web application sets any cookie with a secure attribute, what does this mean?

40. Which of the following attacks occurs when attackers obtain a clone of a cookie from the user’s browser and use it to establish a session with the target web server and further allow attackers to access a user’s web services without providing any identity?

41. While testing web applications, you attempt to insert the following test script into the search area on the company’s website:

<script>alert("Testing Testing Testing")</script>

Afterwards, when you press the search button, a pop up box appears on your screen with the text, “Testing Testing Testing.” What vulnerability is detected in the web application here?

42. Which of the following is an application security threat that occurs when an application includes untrusted data in a new web page without proper validation or escaping or when an application updates an existing web page with user-supplied data?

43. Which of the following provides an interface between end users and webservers?

44. In which layer of the web application vulnerability stack does an attacker exploit business-logic flaws and technical vulnerabilities to perform input validation attacks such as XSS?

45. Andrew, a software developer at the CyberTech organization, has released a security update that acts as a defensive technique against the vulnerabilities in the software product the company released earlier. Identify the technique used by Andrew to resolve the software vulnerabilities.

46. Which of the following is a web crawler optimized for searching and analyzing directories, and it can find interesting results if the server has the “index of” mode enabled?

47. Which of the following commands does an attacker use to enumerate common web applications?

48. Which of the following is a web security testing tool that can be used by an attacker to predict and use the next possible session ID token to take over a valid session?

49. Which of the following countermeasures should be followed to defend against DNS hijacking?

50. Which of the following stores a server’s configuration, error, executable, and log files?

51. The security analyst for Danels Company arrives at his office this morning and checks the company's primary home page. He notes that the page shows a competitor's logo and text that does not correspond to the true page. What kind of attack do the observed signs correspond to?

52. In which of the following attack types does an attacker exploit the trust of an authenticated user to pass malicious code or commands to a web server?

53. One of the following techniques redirects all malicious network traffic to a honeypot after any intrusion attempt is detected. Attackers can identify such honeypots by examining specific TCP/IP parameters such as the round-trip time (RTT), time to live (TTL), and TCP timestamp. Which is this technique?

54. Which of the following techniques manipulates the TCP/IP stack and is effectively employed to slow down the spread of worms and backdoors?

55. An attacker hides the shellcode by encrypting it with an unknown encryption algorithm and by including the decryption code as part of the attack packet. He encodes the payload and then places a decoder before the payload. Identify the type of attack executed by the attacker.

56. One of the following is an IDS evasion technique used by an attacker to send a huge amount of unnecessary traffic to produce noise or fake traffic. If the IDS does not analyze the noise traffic, the true attack traffic goes undetected. Which is this IDS evasion technique?

57. Which of the following is a malware research tool that allows security analysts to detect and classify malware or other malicious codes through a rule-based approach?

58. Which of the following techniques creates a safe and encrypted tunnel over a public network to securely send and receive sensitive information and prevents attackers from decrypting the data flow between the endpoints?

59. Which of the following countermeasures should be followed to defend against session hijacking?

60. In which of the following attacks does an attacker seize control of a valid TCP communication session between two computers and gain access to a machine while a session is in progress?

61. When a client’s computer is infected with malicious software which connects to the remote computer to receive commands, the client’s computer is called a ___________

62. Which of the following scanning methods makes use of the information obtained from an infected machine to find new vulnerable machines in a target network?

63. Which of the following practices can make an organization’s network vulnerable to insider threats?

64. Which of the following signs is an indication of identity theft?

65. In which of the following techniques does an attacker use cache poisoning to redirect the connection between an IP address and its target server?

66. Given below are the different phases involved in a social engineering attack.

1. Develop a relationship
2. Research the target company
3. Select a target
4. Exploit the relationship

Identify the correct sequence of steps involved in a social engineering attack.

67. In which of the following social engineering contexts does an attacker create a feeling of urgency in a decision-making process and control the victim’s state of mind to obtain information?

68. A tester is attempting to capture and analyze the traffic on a given network and realizes that the network has several switches. What could be used to successfully sniff the traffic on this switched network? (Choose three.)

69. Cyrus, a professional hacker, performed an ARP poisoning attack on a target network by using an automated tool. The tool used by Cyrus sends fake ARP messages to divert all communications between two machines so that all traffic is redirected through his machine.

Which of the following tools did Cyrus employ in the above scenario?

70. Which of the following DHCPv6 messages is sent by a client to the server to indicate that the network address is already in use?

71. Which of the following practices makes organizational systems vulnerable to virus and worm attacks?

72. Javier works as a security analyst for a small company. He has heard about a new threat; a new malware that the antivirus does not detect yet. Javier has the hash for the new virus. What can Javier do to proactively protect his company?

73. Which of the following countermeasures helps security professionals in preventing Trojan attacks?

74. Stephany is worried because in the past six weeks she has received two and three times the amount of e-mails that she usually receives, and most of it is not related to her work. What kind of problem is Stephany facing?

75. Ransomware encrypts the files and locks systems, thereby leaving the system in an unusable state. The compromised user has to pay ransom to the attacker to unlock the system and get the files decrypted. Petya delivers malicious code that can even destroy the data with no scope of recovery. What is this malicious code called?

76. In which of the following techniques does an attacker use tactics such as keyword stuffing, inserting doorway pages, page swapping, and adding unrelated keywords to obtain higher rankings for malware pages on a web search?

77. What is the best defense against a privilege escalation vulnerability?

78. Which of the following is a shim that runs in the user mode and is used by attackers to bypass UAC and perform different attacks including the disabling of Windows Defender and backdoor installation?

79. Gary, a professional hacker, is attempting to access an organization’s systems remotely. In this process, he used a tool to recover the passwords of the target system and gain unauthorized access to critical files and other system software.

Which of the following tools did Gary use to crack the passwords of the target system?

80. Lee, a professional hacker, decided to launch a few attacks on an organization to test his hacking skills. In this process, he employed a password cracking technique in which he merged the entries of one dictionary with those of another dictionary to produce full names and compound words, consequently cracking a password on the target system.

Which of the following password attacks did Lee perform in the above scenario?

81. Which of the following countermeasures should be followed to protect systems against password cracking?

82. Which of the following malware masks itself as a benign application or software that initially appears to perform a desirable or benign function but steals information from a system?

83. John, an ethical hacker, is performing a vulnerability assessment on an organization’s network. He used tools such as fuzzers to discover and identify previously unknown vulnerabilities in the system and tested whether a product is resistant to a known vulnerability.

Which of the following types of vulnerability assessment tools did John employ?

84. Which of the following types of vulnerability assessment solutions starts by building an inventory of the protocols, services, and vulnerabilities found on a machine and executes only the relevant tests?

85. Which of the following terms refers to an undesirable incident that occurs when software or a system program depends on the execution of processes in a sequence and on the timing of the programs?

86. Sam, a newly joined security auditor, was tasked with deploying updates for all the devices connected to a network. Before deploying the updates, he analyzed the network and found many unknown devices connected to the organization’s LAN. He failed to understand the topology because the newly added assets were not documented properly.

Identify the type of vulnerability demonstrated in the above scenario.

87. Highlander, Incorporated, is a medical insurance company with several regional company offices in North America. There are various types of employees working in the company, including technical teams, sales teams, and work-from-home employees. Highlander takes care of the security patches and updates of official computers and laptops; however, the computers or laptops of the work-from-home employees are to be managed by the employees or their ISPs. Highlander employs various group policies to restrict the installation of any third-party applications.

As per Highlander’s policy, all the employees are able to utilize their personal smartphones to access the company email in order to respond to requests for updates. Employees are responsible for keeping their phones up to date with the latest patches. The phones are not used to directly connect to any other resources in the Highlander, Incorporated, network. The company is concerned about the potential vulnerabilities that could exist on their devices.

What would be the best type of vulnerability assessment for the employees’ smartphones?

88. Which of the following types of vulnerability assessment sniffs the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities?

89. What is the correct order for the vulnerability management life cycle?

90. A newly discovered flaw in a software application would be considered as which kind of security vulnerability?

91. Which of the following online resources helps an attacker in performing vulnerability research?

92. Which of the following practices helps security experts prevent external LDAP enumeration attempts within a network?

93. Which of the following protocols is responsible for synchronizing clocks of networked computers?

94. Which of the following Windows utilities allows an attacker to perform NetBIOS enumeration?

95. Which of the following tools allows attackers to perform LDAP enumeration on the target network?

96. Alfred, a professional hacker, was performing SNMP enumeration on a target network. In this process, he executed an nmap command that lists all the running SNMP processes along with the associated ports on the target host.

Identify the command executed by Alfred in the above scenario.

97. Which of the following ports provides a name-resolution service for computers running NetBIOS that is also known as the Windows Internet Name Service (WINS)?

98. Which of the following scans detects when a port is open after completing the three-way handshake, establishes a full connection, and closes the connection by sending an RST packet?

99. Which of the following practices helps security professionals defend a network or service against port scanning attempts?

100. Which of the following is the best practice to follow to secure a system or network against port scanning?

101. Which of the following IDS/firewall evasion techniques helps an attacker increase their Internet anonymity?

102. A penetration tester is conducting a port scan on a specific host. The tester found several open ports that were confusing in concluding the operating system (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?

103. In which of the following scanning techniques does an attacker send a spoofed source address to a computer to determine the available services?

104. Which of the following protocols uses the port number 88/TCP and can verify the identity of a user or host connected to a network?

105. Which of the following open-source tools would be the best choice to scan a network for potential targets?

106. Which of the following hping commands is used by an attacker to collect the initial sequence number?

107. Which of the following TCP communication flags confirms the receipt of a transmission and identifies the next expected sequence number?

108. Which of the following practices allows security professionals to defend an organization’s network against footprinting attempts?

109. Which of the following tools consists of a publicly available set of databases that contain personal information of domain owners?

110. Which results will be returned with the following Google search query?

site:target.com -site:Marketing.target.com accounting

111. Sean works as a professional ethical hacker and penetration tester. He is assigned a project for information gathering on a client’s network. He started penetration testing and was trying to find out the company’s internal URLs, looking for any information about the different departments and business units. Sean was unable to find any information.

What should Sean do to get the information he needs?

112. Which of the following types of DNS records points to a host’s IP address?

113. Which of the following activities of a user on social networking sites helps an attacker footprint or collect the identity of the user’s family members, the user’s interests, and related information?

114. Which of the following search engine tools helps an attacker use an image as a search query and track the original source and details of images, such as photographs, profile pictures, and memes?

115. Smith, a professional hacker, has targeted an organization. He employed some footprinting tools to scan through all the domains, subdomains, reachable IP addresses, DNS records, and Whois records to perform further attacks.

What is the type of information Smith has extracted through the footprinting attempt?

116. What type of information is gathered by an attacker through Whois database analysis and tracerouting?

117. Given below are the four key steps of the risk management phase.
1. Risk treatment
2. Risk tracking and review
3. Risk assessment
4. Risk identification
What is the correct sequence of steps involved in the risk management phase?

118. Which of the following phases of incident handling and response helps responders prevent the spread of infection to other organizational assets and avoid additional damage?

119. Bob recently joined an organization and completed his training. His work involved dealing with important documents of the organization. On one Sunday, he connected to the corporate network by providing authentication credentials to access a file online from his residence.

Which of the following elements of information security was demonstrated in the above scenario?

120. Lisa, a security analyst, was tasked with analyzing and documenting the possibility of cyberattacks against an organization. In this task, she followed the diamond model of intrusion analysis. During the initial analysis, Lisa started determining the strategies, methods, procedures, or tools that an attacker might use against the organization’s network.
Which of the following features of the diamond model did Lisa employ in the above scenario?

121. In which of the following phases of the cyber kill chain methodology does an adversary select or create a tailored deliverable malicious payload using an exploit and a backdoor to send it to the victim?

122. James, a professional hacker, is performing an attack on a target organization. He succeeded in gathering information about the target and identified vulnerabilities existing in the target network. He is now in the process of exploiting the vulnerabilities to enter the target’s network and escalate privileges so that he can have complete access to the target system.

Which of the following phases of hacking is James currently in?

123. Which of the following information security elements includes a checksum and access control to verify that a given block of data is not changed in transit and ensures that only authorized personnel can update, add, or delete data?

124. Which of the following close-in attacks is performed by an attacker to gather information by observing the target’s activity at the closest proximity?

125. Which of the following techniques does an attacker use to snoop on the communication between users or devices and record private information to launch passive attacks?
