Free CEH Practice Questions
10 free, exam-style Certified Ethical Hacker (CEH) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CEH practice test to study every exam domain.
Question 1
A penetration tester runs the following Nmap command against a target host: `nmap -sX 192.168.1.50`. The scan reports port 80 as `open|filtered`. Which of the following is the MOST accurate interpretation of this result?
- Port 80 is confirmed open and an HTTP service is responding to the FIN, PSH, and URG flags
- The target host returned an RST packet, indicating the port is closed but unfiltered
- The target sent no response, which on an Xmas scan indicates the port is either open or filtered by a firewall
- The target returned an ICMP Type 3 Code 3 message, confirming the port is closed
Correct answer: C - The target sent no response, which on an Xmas scan indicates the port is either open or filtered by a firewall
Question 2
During an internal assessment, a tester runs `macof` on a switched network and observes that the switch begins forwarding all frames to every port. What has occurred, and why does this attack succeed?
- ARP cache poisoning - the switch's ARP table has been overwritten with attacker-controlled mappings
- CAM table overflow - the switch's MAC address table is exhausted, causing it to fail open and behave like a hub
- DHCP starvation - the DHCP pool has been depleted, forcing the switch into broadcast mode
- STP root bridge takeover - the attacker's device has been elected root and is now forwarding all VLAN traffic
Correct answer: B - CAM table overflow - the switch's MAC address table is exhausted, causing it to fail open and behave like a hub
Question 3
A red team operator has compromised a low-privileged domain user account. They request a Kerberos service ticket for an account with a registered Service Principal Name (SPN), then crack the encrypted portion offline using Hashcat with mode 13100. Which Active Directory attack is being performed?
- AS-REP Roasting
- Golden Ticket attack
- Kerberoasting
- Pass-the-Ticket
Correct answer: C - Kerberoasting
Question 4
A developer's web application contains the following JavaScript: `document.getElementById('welcome').innerHTML = 'Hello, ' + location.hash.substring(1);`. An attacker crafts a URL ending in `#<img src=x onerror=alert(document.cookie)>`. The server logs do not show the payload because the fragment is never sent to the server. Which type of XSS is this?
- Reflected XSS
- Stored XSS
- DOM-based XSS
- Blind XSS
Correct answer: C - DOM-based XSS
Question 5
During a security review of a legacy web application, a tester discovers the server still supports SSLv3 and uses CBC-mode cipher suites. Which specific attack does this configuration enable, and what is the underlying flaw?
- Heartbleed - the OpenSSL heartbeat extension leaks process memory contents
- POODLE - the SSLv3 specification does not validate CBC padding bytes, allowing byte-by-byte plaintext recovery
- FREAK - the server can be downgraded to RSA_EXPORT-grade keys that are factorable in real time
- DROWN - the SSLv2 protocol can be used as a Bleichenbacher oracle against modern TLS sessions
Correct answer: B - POODLE - the SSLv3 specification does not validate CBC padding bytes, allowing byte-by-byte plaintext recovery
Question 6
A penetration tester needs to scan a host behind a stateless packet-filtering firewall that drops all inbound packets that do not appear to belong to an established connection. The tester wants to determine whether the firewall has a rule allowing port 443. Which Nmap scan type is BEST suited to this task, and what response indicates the rule exists?
- TCP Connect scan (-sT); a successful three-way handshake confirms the rule
- TCP ACK scan (-sA); receiving an RST response classifies the port as 'unfiltered', indicating the firewall is permitting ACK packets through
- UDP scan (-sU); silence on port 443 indicates `open|filtered` and confirms the rule
- TCP SYN scan (-sS) with -Pn; any response other than ICMP unreachable confirms the rule
Correct answer: B - TCP ACK scan (-sA); receiving an RST response classifies the port as 'unfiltered', indicating the firewall is permitting ACK packets through
Question 7
An ethical hacker discovers a Windows Server 2003 system on a legacy network segment and successfully executes the command `net use \\10.0.0.50\IPC$ "" /user:""`. Which of the following accurately describes what occurred and the security implication?
- An anonymous SMB null session was established, potentially allowing enumeration of users, shares, and group memberships without credentials
- An RDP session was opened over port 3389 using cached domain credentials
- The attacker authenticated to NetBIOS over TCP using the local Administrator account with a blank password
- A reverse shell was established via the IPC$ administrative share
Correct answer: A - An anonymous SMB null session was established, potentially allowing enumeration of users, shares, and group memberships without credentials
Question 8
A web application returns the same HTML response for both `id=1` and `id=1'`. However, when the tester submits `id=1' AND SLEEP(5)-- -`, the response takes approximately 5 seconds to return; with `id=1' AND SLEEP(0)-- -`, it returns immediately. Which SQL injection technique is confirmed, and why is it required here?
- UNION-based SQLi - the tester is using SLEEP() to enumerate column counts
- Error-based SQLi - the database is leaking timing information through verbose errors
- Time-based blind SQLi - the application does not return errors or visibly different content, so the only side channel for confirming injection is response delay
- Out-of-band SQLi - SLEEP() forces the database to make a DNS callback to the attacker
Correct answer: C - Time-based blind SQLi - the application does not return errors or visibly different content, so the only side channel for confirming injection is response delay
Question 9
A penetration tester identifies a Server-Side Request Forgery (SSRF) vulnerability in a web application hosted on an AWS EC2 instance. Which of the following requests, if successful, would indicate the MOST severe impact and replicate the technique used in the 2019 Capital One breach?
- `http://localhost:8080/admin` - accessing an internal admin panel bound to the loopback interface
- `http://169.254.169.254/latest/meta-data/iam/security-credentials/` - retrieving temporary IAM credentials from the EC2 Instance Metadata Service
- `file:///etc/passwd` - reading the local system password file via the file:// scheme
- `gopher://internal-redis:6379/_FLUSHALL` - sending arbitrary commands to an internal Redis instance
Correct answer: B - `http://169.254.169.254/latest/meta-data/iam/security-credentials/` - retrieving temporary IAM credentials from the EC2 Instance Metadata Service
Question 10
An auditor is performing reconnaissance on an industrial control network and uses Shodan with the filter `port:502`. Which protocol is being targeted, and what is the primary security concern with the discovered systems?
- DNP3 - encrypted by default, but vulnerable to replay attacks if sequence numbers are predictable
- Siemens S7Comm - the protocol used by Stuxnet to inject malicious ladder logic into PLCs
- Modbus TCP - the protocol has no built-in authentication or encryption, so any network-reachable client can read or write coils and registers
- OPC UA - a modern protocol with strong cryptographic protections, used for IoT-to-cloud telemetry
Correct answer: C - Modbus TCP - the protocol has no built-in authentication or encryption, so any network-reachable client can read or write coils and registers