Network and Perimeter Hacking for Certified Ethical Hacker (CEH)
This page covers the Network and Perimeter Hacking domain of the Certified Ethical Hacker (CEH) certification. Master Cybersecurity offers 47 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
A penetration tester is assigned to evaluate a bank's network infrastructure. During the test, the tester notices that the Intrusion Detection System (IDS) is aggressively blocking their scanning attempts. Which technique should the tester use to effectively bypass the IDS without triggering alerts?
- A. Use fragmented packet scanning
- B. Increase the scan speed
- C. Disable the IDS temporarily
- D. Switch to a different network protocol
Explanation
The correct answer is: A. Use fragmented packet scanning.
Fragmented packet scanning splits probe packets into small fragments so that the IDS may not reassemble them correctly or may fail to match signatures that expect full packets. Many IDS/IPS devices have had weaknesses in fragment reassembly, so fragmentation can evade detection while still allowing the scanner (e.g., Nmap with `-f`) to get responses. Increasing scan speed (B) can make detection *harder* for some IDS but often increases alerting (more traffic in a short time). Disabling the IDS (C) is not a "technique" the tester uses; it would require client approval and would change the environment, and it is not "bypassing" the IDS. Switching protocol (D) does not address IDS signature-based detection of scanning. Fragmented packet scanning is the appropriate evasion technique here.
Question 2
Which of the following describes a technique used to map out the firewall rules of a target network?
- A. ACK Scan
- B. SYN Flood
- C. Port Mirroring
- D. DNS Spoofing
Explanation
The correct answer is: A. ACK Scan.
An ACK scan sends TCP packets with only the ACK flag set (no SYN). Because there is no full handshake, the target's response (or lack of response) can reveal firewall behavior: filtered ports often drop ACK packets (no response), while open or unfiltered ports may send RST. This helps map which ports are filtered by a firewall versus open/closed. SYN flood (B) is a DoS attack that floods with SYN packets; it does not map firewall rules. Port mirroring (C) is a switch feature to copy traffic to a monitoring port; it is not an attack or scanning technique. DNS spoofing (D) is poisoning DNS responses and does not map firewall rules. ACK scan is the technique used to map firewall filtering behavior.
Question 3
During a scan, you notice that specific ports consistently show as open/filtered. What might this indicate?
- A. The ports are open but unused.
- B. The ports are filtered by a firewall.
- C. The ports are closed but being probed.
- D. The ports are open and actively monitored.
Explanation
The correct answer is: B. The ports are filtered by a firewall.
In Nmap, open/filtered means the scanner could not determine whether the port is open or filtered: no response (or an ambiguous one) was received. This commonly indicates that a firewall (or ACL) is filtering the probes (dropping or not responding to the scan packets), so the port appears neither clearly open nor clearly closed. Open but unused (A) would typically show as "open" with a service; open/filtered is about ambiguity due to filtering. Closed but being probed (C) does not explain "open/filtered." Open and actively monitored (D) might be true in some environments but is not what "open/filtered" is defined to mean. The state "open/filtered" most directly indicates that the ports are likely filtered by a firewall.
Question 4
You are assessing a network's resilience to DoS attacks. Which tool would be most appropriate for testing the network's response to malformed packets?
- A. Wireshark
- B. Hping3
- C. Burp Suite
- D. John the Ripper
Explanation
The correct answer is: B. Hping3.
Hping3 is a packet-crafting tool that can build custom TCP/IP packets (including malformed or unusual packets) and send them to a target. For testing resilience to DoS (e.g., SYN flood, malformed packets), you use Hping3 to generate the test traffic and observe how the target responds. Wireshark (A) captures and analyzes traffic; it does not send malformed packets. Burp Suite (C) is for HTTP/web testing, not low-level malformed packet DoS testing. John the Ripper (D) is for password cracking. For testing a network's response to malformed packets in a DoS context, Hping3 (or similar tools like Scapy) is the most appropriate tool.
Question 5
During a network scan, you wish to increase the speed of your network scanning activities. Which Nmap timing option should you use?
- A. Nmap -T0
- B. Nmap -T5
- C. Nmap -T3
- D. Nmap -T1
Explanation
The correct answer is: B. Nmap -T5.
Nmap's timing template (`-T0` through `-T5`) controls how aggressive the scan is. `-T5` ("insane") is the fastest: minimal delays between probes, parallel host and port scanning, so it increases scan speed the most. `-T0` (A) is the slowest (paranoid), for stealth. `-T1` (D) is slow (sneaky). `-T3` (C) is the default (normal). To increase speed, you use a higher template; `-T5` is the correct choice. Note: faster scans are noisier and more likely to trigger IDS or cause packet loss; use within authorized scope only.