System Hacking Phases for Certified Ethical Hacker (CEH)

This page covers the System Hacking Phases domain of the Certified Ethical Hacker (CEH) certification. Master Cybersecurity offers 14 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    You have obtained a hash dump from a compromised Windows machine. Which tool can you use to crack these hashes?
    A. Ncat
    B. John the Ripper
    C. Nmap
    D. Sqlmap
    Explanation

    The correct answer is: B. John the Ripper.

    John the Ripper is a password-cracking and hash-cracking tool that supports many hash types, including Windows NTLM and LM hashes commonly found in SAM dumps. You feed it the hash dump (or a file of hashes), choose the format (e.g., NTLM, LM), and run dictionary, rule-based, or brute-force attacks to recover plaintext passwords. Ncat (A) is a network utility (read/write connections); it does not crack hashes. Nmap (C) is for network scanning and discovery. Sqlmap (D) is for finding and exploiting SQL injection, not for cracking Windows password hashes. For cracking hashes from a Windows hash dump, John the Ripper (or Hashcat) is the standard tool.
  2. Question 2

    During a penetration test, you gain access to a Windows system and find that the LM hashes in the SAM file are enabled. What tool can you use to crack these hashes quickly?
    A. John the Ripper
    B. Hydra
    C. Wireshark
    D. Burp Suite
    Explanation

    The correct answer is: A. John the Ripper.

    LM (LAN Manager) hashes are legacy Windows password hashes that are weak by design: they use a broken scheme, are limited to 14 characters (split into two 7-character halves), and can be cracked very quickly with modern tools. John the Ripper supports LM hashes and can crack them rapidly using dictionary or brute-force attacks. Hydra (B) is used for live login brute-forcing (e.g., SSH, HTTP, RDP), not for offline hash cracking. Wireshark (C) is a packet analyzer. Burp Suite (D) is for web application testing. For cracking LM hashes extracted from the SAM file, John the Ripper (or Hashcat) is the appropriate tool.
  3. Question 3

    During a penetration test, you need to gain access to a Windows server using a known vulnerability in the SMB protocol. Which tool would be most appropriate for exploiting this vulnerability?
    A. Nmap
    B. Metasploit
    C. Wireshark
    D. John the Ripper
    Explanation

    The correct answer is: B. Metasploit.

    Metasploit is an exploitation framework that includes modules for SMB vulnerabilities (e.g., EternalBlue/MS17-010 and other SMB-related exploits). You select the exploit module, set its options (RHOST, payload, etc.), and run it to gain access. It is the standard tool for exploiting known SMB (and other) vulnerabilities in a controlled way. Nmap (A) can *detect* SMB and run scripts (e.g., vulnerability checks), but it is not primarily an exploitation tool for gaining access via SMB exploits. Wireshark (C) is for traffic analysis. John the Ripper (D) is for password/hash cracking. For exploiting a known SMB vulnerability to gain access, Metasploit is the most appropriate tool.
  4. Question 4

    While performing a security assessment, you suspect that a system has been compromised by a rootkit. What is the most effective method to confirm your suspicion?
    A. Check the running processes for any unusual activity.
    B. Use a rootkit detection tool from a known trusted source.
    C. Reboot the system and perform a normal virus scan.
    D. Disconnect the system from the network and watch for changes.
    Explanation

    The correct answer is: B. Use a rootkit detection tool from a known trusted source.

    Rootkits are malware that hide themselves and other artifacts by hooking into the OS (e.g., the kernel, system calls, or the process list). Because the rootkit can manipulate normal process and file listings, checking running processes (A) alone is unreliable: the rootkit may simply hide its own processes. The most effective way to confirm a rootkit is to use a rootkit detection tool from a known trusted source (B), such as RootkitRevealer, GMER, or a similar tool, that runs with sufficient privileges and uses techniques like cross-view comparison (comparing raw disk or kernel structures against what the API reports) to find the inconsistencies that indicate rootkit behavior. Rebooting and running a normal virus scan (C) may miss kernel-level or persistent rootkits. Disconnecting the system and watching for changes (D) does not confirm a rootkit. Specialized rootkit detection from a trusted source is the correct approach.
  5. Question 5

    During a penetration test, you want to maintain access to a compromised machine after a reboot. Which approach should you take?
    A. Change the user's password
    B. Install a rootkit
    C. Initiate a SYN flood
    D. Perform a DNS spoofing attack
    Explanation

    The correct answer is: B. Install a rootkit.

    Maintaining access after a reboot requires a persistence mechanism: something that survives a restart and restores access. Installing a rootkit (B) (or a backdoor, which the question treats under the same idea) provides persistence, because rootkits typically include components that run at boot (e.g., via the registry, scheduled tasks, or kernel drivers) so that access is restored after a restart. Changing the user's password (A) gives you the account's credentials, but it is not by itself a mechanism that survives a reboot; without a persistent backdoor you still hold the account, yet the question asks about *maintaining* access as a post-exploitation step, which is done through persistence (a rootkit or backdoor). A SYN flood (C) and DNS spoofing (D) are network attacks and create no persistence on the machine. In the CEH system hacking context, maintaining access after a reboot is achieved through persistence mechanisms such as rootkits (or backdoors, scheduled tasks, etc.); B is the answer that describes such a mechanism.
