Certified Ethical Hacker (CEH) (312-50) Sample Questions

  1. Home
  2. Certified Ethical Hacker (CEH) (312-50) Sample Questions
Certified Ethical Hacker (CEH) (312-50) Sample Questions

The best ethical hacking training available to help information security professionals grasp ethical hacking’s principles is the Certified Ethical Hacker (CEH) EC-council programme. The results of the hacking course assist the candidates in becoming professionals who consistently work to scan network infrastructures with the owner’s permission in order to uncover security flaws that a malevolent hacker might potentially exploit. A cybersecurity expert can learn penetration testing by taking the CEH, ECSA, and APT courses, which together make up a sequence of three comprehensive courses. The purpose of this course is to equip the candidate with the tools and methods that information security experts and hackers alike use to breach an organisation. The article provides a list of Certified Ethical Hacker (CEH) (312-50) Sample Questions that cover core exam topics including –

  • Introduction to Ethical Hacking
  • Footprinting and Reconnaissance
  • Scanning
  • Networks Enumeration
  • System Hacking 
  • Malware Threats
  • Sniffing
  • Social Engineering
  • Denial of Service
  • Session Hijacking
  • Hacking Web servers
  • Hacking Web Applications
  • SQL Injection 
  • Hacking Wireless Networks
  • Hacking Mobile Platforms
  • Evading IDS, Firewalls, and Honeypot
  • Cloud Computing 
  • Cryptography

Advanced Sample Questions

What is the purpose of footprinting in a hacking attempt?

Footprinting is the initial step in a hacking attempt where the attacker tries to gather as much information as possible about the target system or network. The purpose of footprinting is to gather information about the target to understand its vulnerabilities, identify the network topology, and gather information about the target’s security measures.

This information is used to determine the best approach for the attack. For example, an attacker can use footprinting to determine the type of operating system, web server, and applications that are running on the target system. This information is critical in determining which exploits or tools to use in the attack.

Footprinting can be performed using various methods such as social engineering, search engine reconnaissance, WHOIS lookups, and network scans. The information collected during the footprinting phase is used to develop a comprehensive attack plan that is tailored to the target’s specific vulnerabilities.

In summary, the purpose of footprinting in a hacking attempt is to gather information about the target system or network in order to identify its vulnerabilities and plan an effective attack. Footprinting provides the attacker with the critical information necessary to launch a successful attack.

How does a hacker use a network mapper tool such as Nmap?

Nmap (Network Mapper) is a popular open-source tool used by hackers and security professionals to perform network discovery, mapping, and security auditing. The tool is used to scan a target network and identify the hosts and services running on it, along with their respective details such as IP address, operating system, open ports, and vulnerabilities.

Here is how a hacker might use Nmap:

  1. Host Discovery: Nmap can be used to identify the hosts on a network by sending various types of packets to the target network and analyzing the responses. This information can be used to determine the live hosts on a network, the IP addresses they are using, and the type of devices they are.
  2. Port Scanning: Nmap can be used to scan the target network for open ports. This information can be used by the hacker to identify the services running on the target system and determine if there are any vulnerabilities associated with them.
  3. Service and Version Detection: Nmap can be used to identify the type of services running on a target system and the version of those services. This information can be used by the hacker to determine if there are any known vulnerabilities associated with the services and take advantage of them.
  4. Operating System Detection: Nmap can be used to determine the operating system used by the target system. This information can be used by the hacker to determine the types of exploits that are relevant for the target system and to tailor their attack accordingly.
  5. Vulnerability Scanning: Nmap can be used in combination with various scripts and plugins to perform vulnerability scans. This can help the hacker identify known vulnerabilities in the target system and take advantage of them.

It’s important to note that while Nmap can be used for malicious purposes, it is also a valuable tool for security professionals to assess their network’s security and identify potential vulnerabilities that need to be addressed.

What is the difference between a white hat hacker and a black hat hacker?

White hat hackers and black hat hackers are terms used to describe two types of computer security experts.

White hat hackers are ethical hackers who use their skills for the benefit of organizations and individuals. They work to identify and resolve security vulnerabilities in order to prevent cyber attacks and data breaches. They are often hired by companies to perform penetration testing or security audits.

Black hat hackers, on the other hand, use their skills for malicious purposes. They engage in illegal activities such as stealing sensitive data, breaking into computer systems, and spreading malware. They often use their skills to make money through extortion, identity theft, and other criminal activities.

In summary, white hat hackers use their skills to help protect and secure systems, while black hat hackers use their skills to exploit and damage systems.

What is the most common type of password attack?

A brute force attack is a type of attack where the attacker tries to guess the password by systematically trying all possible combinations of characters until they find the correct one. The attacker uses automated software to try every possible combination of letters, numbers, and symbols until they arrive at the correct password.

This type of attack is effective because many people use weak passwords that are easily guessable, such as “123456,” “password,” or their own name. The attacker can also use lists of commonly used passwords or words found in dictionaries, making the process even easier.

It is important for individuals and organizations to protect themselves from brute force attacks by using strong passwords and regularly changing them. Additionally, multi-factor authentication and other security measures can provide added protection against these types of attacks.

What is a man-in-the-middle attack and how is it executed?

A man-in-the-middle (MITM) attack is a type of cyber attack where a malicious actor intercepts and alters communication between two parties. The attacker can eavesdrop, manipulate, and even block the transmission of sensitive information.

A MITM attack is executed by positioning the attacker between two communicating parties and intercepting their communication. The attacker can then alter, modify or falsify the information being transmitted.

Here’s an example of how a MITM attack is executed:

  1. The attacker sets up a fake wireless access point that appears legitimate to the victims.
  2. The victims then connect to the fake access point and start transmitting sensitive information, such as login credentials, financial information, etc.
  3. The attacker intercepts the data being transmitted and modifies it before forwarding it to the intended recipient.
  4. The recipient receives the manipulated information and acts on it, unaware of the modifications made by the attacker.

MITM attacks are possible because of the lack of encryption in the communication between two parties. To prevent these attacks, it is important to use secure communication protocols that use encryption and authentication mechanisms. Additionally, it is important to be cautious when connecting to public Wi-Fi networks and to use virtual private networks (VPNs) whenever possible.

What is a buffer overflow attack and how does it work?

A buffer overflow attack is a type of cyber attack that occurs when a program tries to store more data in a buffer (a temporary storage area in memory) than the buffer can hold. This causes data to overflow into adjacent memory locations and corrupt or overwrite valid data.

The attacker takes advantage of this vulnerability by sending a large amount of data to the program’s buffer, which causes it to overflow and disrupt the normal functioning of the program. The attacker can then execute malicious code or alter the program’s behavior by manipulating the data stored in the buffer.

The attack works in several stages:

  1. Discovery: The attacker must first identify a vulnerable program with a buffer that is not properly protected. This can be done by examining the program’s code or by using scanning tools to search for vulnerabilities.
  2. Exploitation: Once the vulnerable program has been identified, the attacker sends a large amount of data to the buffer, causing it to overflow.
  3. Injection: The attacker then injects their malicious code into the buffer, which is executed when the program accesses the buffer.
  4. Execution: The attacker’s malicious code is executed, which can lead to unauthorized access, data theft, or other malicious activities.

Buffer overflow attacks can be prevented by implementing proper buffer management techniques, such as checking the size of incoming data and using safe programming languages and libraries that have built-in protection against buffer overflows. Regular software updates and security patches are also important to prevent buffer overflow attacks.

What is social engineering and how can it be used to gain access to a system or network?

Social engineering is a technique that utilizes psychological and sociological tactics to manipulate people into divulging confidential information, making them perform actions, or causing them to divulge their passwords or install malicious software. The goal is to trick individuals into divulging information or doing something they wouldn’t do otherwise, allowing an attacker to gain unauthorized access to a system or network.

Social engineering can be used to gain access to a system or network in several ways. Some of the most common methods include:

  1. Phishing: This is a type of social engineering attack that involves sending an email or message that appears to be from a trustworthy source, such as a bank, a government agency, or a well-known company. The message often asks the recipient to enter their personal or financial information, or to click on a malicious link that installs malware on their computer.
  2. Pretexting: Pretexting is when an attacker creates a false scenario to trick someone into giving them access to sensitive information. For example, an attacker may call a company pretending to be a vendor who needs to access the network to install new software.
  3. Baiting: Baiting is a type of social engineering attack where an attacker leaves a physical object, such as a USB drive, in a public place with a tempting message that encourages people to pick it up and plug it into their computer. When the user plugs in the USB drive, malware is installed on their computer, giving the attacker access to the system or network.
  4. Tailgating: Tailgating is when an attacker gains unauthorized access to a building or a secure area by following an authorized person. This can also be accomplished remotely, where an attacker sends an email or message claiming to be from an authoritative figure and asking for confidential information or access to a system.

Social engineering attacks are highly effective because they rely on human behavior, rather than technical vulnerabilities, to gain access to systems and networks. Therefore, it is important for individuals and organizations to be aware of these tactics and to implement security measures to protect against social engineering attacks.

What is the purpose of a rootkit and how does it differ from a virus or worm?

A rootkit is a type of malicious software that is designed to hide the presence of other malware on a computer system. It operates at the root or administrative level of the operating system, giving it complete control over the system and making it difficult for antivirus and other security software to detect. The purpose of a rootkit is to allow an attacker to maintain undetected access to a compromised system and to use it for various malicious activities, such as data theft, unauthorized remote control, or distribution of spam.

The difference between a rootkit and a virus or worm is that a rootkit is not self-replicating, meaning it does not spread itself from one system to another. Instead, it is typically installed manually by an attacker who has already gained access to the system. A virus, on the other hand, is a type of malware that infects a system by attaching itself to other files and programs and replicating itself across networks and systems. A worm is similar to a virus in that it replicates itself, but it is designed to spread rapidly through networks and the Internet, rather than through individual systems.

In conclusion, a rootkit is a type of malware that is designed to hide the presence of other malicious software on a computer system and give an attacker undetected access to it, while a virus is a type of malware that infects a system by replicating itself and spreading from one system to another, and a worm is a type of malware that replicates itself rapidly through networks and the Internet.

What is the importance of cryptography in information security?

Cryptography is an essential component of information security as it provides the means to secure sensitive information and protect it from unauthorized access. The importance of cryptography in information security can be highlighted in the following ways:

  1. Confidentiality: Cryptography helps to maintain the confidentiality of sensitive information by transforming it into a secure code that is unreadable without the proper decryption key. This helps to prevent unauthorized access to sensitive information such as financial transactions, personal information, and confidential business data.
  2. Data Integrity: Cryptography provides data integrity by detecting any changes made to the original message during transmission. This ensures that the data received is the same as the data that was sent, thus protecting against tampering and data corruption.
  3. Authentication: Cryptography is also used for authentication purposes, as it allows for secure communication between two parties. This helps to ensure that the message is from the intended sender and that it has not been altered during transmission.
  4. Non-Repudiation: Cryptography helps to prevent data from being denied or disputed by the sender. This is achieved through the use of digital signatures and digital certificates, which provide proof of the sender’s identity and can be used in legal proceedings if necessary.
  5. Protection against cyber attacks: Cryptography helps to protect against cyber attacks by providing secure communication channels and ensuring that sensitive data is protected. This helps to prevent cyber criminals from accessing sensitive information and compromising information security.

In conclusion, cryptography plays a critical role in maintaining the security and confidentiality of sensitive information. Its importance cannot be overstated as it helps to protect sensitive information from unauthorized access, tampering, and cyber attacks, ensuring the confidentiality and integrity of data.

What is the difference between active and passive reconnaissance in a hacking attempt?

Active reconnaissance and passive reconnaissance are two different methods used by hackers to gather information about a target system, network, or website. The main difference between the two lies in the level of interactivity with the target.

Active reconnaissance involves actively interacting with the target system or network. This type of reconnaissance is usually more intrusive and can cause damage to the target. Examples of active reconnaissance include port scanning, vulnerability scanning, and penetration testing. Active reconnaissance can cause the target to detect the attacker’s presence, and as a result, trigger security measures such as intrusion detection systems or firewalls.

Passive reconnaissance, on the other hand, does not interact with the target. Instead, it relies on publicly available information about the target, such as its domain name, IP address, and open ports. Passive reconnaissance includes techniques such as social engineering, search engine optimization, and network sniffing. Passive reconnaissance is less intrusive and less likely to trigger security measures, but it also provides less comprehensive information about the target.

In conclusion, active reconnaissance is a more intrusive and direct method of gathering information about a target, while passive reconnaissance is a less intrusive and indirect method that relies on publicly available information. Both methods have their strengths and weaknesses, and the choice of which to use depends on the goals and requirements of the attacker.

Basic Sample Questions

Q1) Which of the following is a necessary piece of hardware for an IDS/IPS system or a proxy server to operate properly?

  • A. Fast processor to help with network traffic analysis
  • B. They must be dual-homed
  • C. Similar RAM requirements
  • D. Fast network interface cards

Correct Answer:  They must be dual-homed

Explanation: An Ethernet device with multiple network interfaces for redundancy is referred to as dual-homed or dual-homing. In the context of firewall technology, dual-homed refers to one of the firewall architectures, such as an IDS/IPS system, for implementing preventive security.

Q2) The replication of which of the following applications requires a host application?

  • A. Micro
  • B. Worm
  • C. Trojan
  • D. Virus

Correct Answer: Virus

Explanation: On their hosts, computer viruses affect a wide range of different subsystems. A computer virus is a type of malicious software that, when run, reproduces itself or infects other programmes by altering them. Data files or the boot sector of the hard drive can also infect computer programmes. The impacted areas are referred to as being “infected” when this replication is successful.

Q3) A security expert is tasked with assessing the potential risks for a large corporation that plans to employ Blackberry for corporate mobile phones. The analyst will illustrate how an attacker could get past perimeter security and penetrate the corporate network using the Blackjacking attack technique. What instrument ought the analyst to employ when conducting a Blackjacking attack?

  • A. Paros Proxy
  • B. BBProxy
  • C. BBCrack
  • D. Blooover

Correct Answer: BBProxy

Exaplantion: Threat from hacking tools cautioned to Blackberry users. Users have been alerted that this week’s release of a new hacking tool puts the security of Blackberry wireless e-mail devices at jeopardy. Businesses that have deployed Blackberry servers behind their gateway security devices may be subject to a hacking attempt from a programme called BBProxy, according to Secure Computing Corporation.

Q4) Which of the following actions can an administrator take to confirm that a tape backup can be fully recovered?

  • A. Restore a random file.
  • B. Perform a full restore.
  • C. Read the first 512 bytes of the tape.
  • D. Read the last 512 bytes of the tape.

Correct Answer: Perform a full restore.

Q5) Which of the following best sums up a boot sector virus’s traits?

  • A. copies itself to the MBR’s original position and moves the MBR to a different location on the RAM.
  • B. Transfers the MBR to a different location on the hard drive and replicates itself there.
  • C. Overwrites the existing MBR and only runs the new viral code 
  • D. Modifies directory table entries so that directory entries link to the virus code rather than the actual software

Correct Answer: Transfers the MBR to a different location on the hard drive and replicates itself there.

Q6)Which claim about network firewalls preventing Web application assaults is TRUE?

  • A. Attacks can be stopped by network firewalls because they can identify malicious HTTP traffic.
  • B. Because ports 80 and 443 need to be opened, network firewalls cannot stop assaults.
  • C. If configured correctly, network firewalls can stop attacks.
  • D. Network firewalls can’t stop assaults because setting them up is too difficult.

Correct Answer: Because ports 80 and 443 need to be opened, network firewalls cannot stop assaults.
Explanation: In a relatively low level of the TCP/IP protocol stack, network layer firewalls, also known as packet filters, prevent packets from passing through the firewall unless they comply with the established rule set. An application layer firewall would be necessary to stop Web application attacks.

Q7) Which of the following applications typically targets Microsoft Office software?

  • A. Polymorphic virus
  • B. Multipart virus
  • C. Macro virus
  • D. Stealth virus

Correct Answer: Macro Virus

Explanation: A macro virus is a virus that is coded in a programming language called macro, which is integrated into a software programme (e.g., word processors and spreadsheet applications). Some software products, like Microsoft Office, allow macro programmes to be inserted in documents so that they run automatically when the document is opened. This creates a unique method for the distribution of malicious computer code.

Q8) Which digital modulation method does Bluetooth employ for information transfer between linked devices?

  • A. PSK (phase-shift keying)
  • B. FSK (frequency-shift keying)
  • C. ASK (amplitude-shift keying)
  • D. QAM (quadrature amplitude modulation)

Correct Answer: PSK (phase-shift keying)

Explanation: Phase shift keying is a type of Bluetooth modulation that enables Bluetooth 2 EDR’s greater data speeds (Enhanced Data Rate). There are two PSK variations used: /4 DQPSK and 8DPSK.

Q9) What must be produced in order to demonstrate security improvement over time?

  • A. Reports
  • B. Testing tools
  • C. Metrics
  • D. Taxonomy of vulnerabilities

Correct Answer: Metrics

Exaplantion: Management now needs analytics to gain a better understanding of security. However, metrics that assess participation, efficacy, and window of exposure provide data the organisation may utilise to improve plans and programmes.

Q10) Which of the following methods is used for passive reconnaissance information gathering?

  • A. Social engineering
  • B. Network traffic sniffing
  • C. Man in the middle attacks
  • D. Publicly accessible sources

Correct Answer: Publicly accessible sources

Q11) How might one defeat rainbow tables?

  • A. Password salting
  • B. Use of non-dictionary words
  • C. All uppercase character passwords
  • D. Lockout accounts under brute force password cracking attempts

Correct Answer: Password salting

Q12) Port 25 is open on a server, according to an NMAP scan. What danger might this bring?

  • A. Open printer sharing
  • B. Web portal data leak
  • C. Clear text authentication
  • D. Active mail relay

Correct Answer: Active mail relay

Q13) What kind of OS fingerprinting approach examines the answer received after sending specially constructed packets to the distant OS?

  • A. Passive
  • B. Reflective
  • C. Active
  • D. Distributive

Correct Answer: Active

Q14) Which of the lists below is an acceptable method for obtaining information for a risk assessment?

  • A. Threat identification, vulnerability identification, control analysis
  • B. Threat identification, response identification, mitigation identification
  • C. Attack profile, defense profile, loss profile
  • D. System profile, vulnerability identification, security determination

Correct Answer: Threat identification, vulnerability identification, control analysis

Q15) To evaluate the risks associated with a company’s DMZ, a penetration tester is employed. The penetration test must be conducted according to the rules of engagement from an external IP address without any prior knowledge of the internal IT systems. What kind of examination is being conducted?

  • A. white box
  • B. grey box
  • C. red box
  • D. black box

Correct Answer: black box

Q16) Which of the following is a control for a detective?

  • A. Smart card authentication
  • B. Security policy
  • C. Audit trail
  • D. Continuity of operations plan

Correct Answer: Audit trail

Q17) Which of the following constitutes a risk assessment component in Certified Ethical Hacker (CEH) (312-50)?

  • A. Physical security
  • B. Administrative safeguards
  • C. DMZ
  • D. Logical interface

Correct Answer: Administrative safeguards

Q18) Which of the following strategies would be most useful for identifying whether end-user security training would be beneficial when using technical assessment methodologies to evaluate the security posture of a network in Certified Ethical Hacker (CEH) (312-50)?

  • A. Vulnerability scanning
  • B. Social engineering
  • C. Application security testing
  • D. Network sniffing

Correct Answer: Social engineering

Q19) A business has a firewall-protected internal intranet and externally hosted web apps. Which method will aid in preventing enumeration in Certified Ethical Hacker (CEH) (312-50)?

  • A. Reject all invalid email received via SMTP.
  • B. Allow full DNS zone transfers.
  • C. Remove A records for internal hosts.
  • D. Enable null session pipes.

Correct Answer: Remove A records for internal hosts.

Q20) Which of the following methods can be used to determine whether computer files have changed in Certified Ethical Hacker (CEH) (312-50)?

  • A. Network sniffing
  • B. Permission sets
  • C. Integrity checking hashes
  • D. Firewall alerts

Correct Answer: Integrity checking hashes

CEH 312-50: Certified Ethical Hacker fre practice test
Menu