CEH v13 Domain 4.1 Practice Test 002

This practice test covers Domain 4 (Network and Perimeter Hacking) Subdomain 1 (Sniffing) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link.

CEH v13 Domain 4.1 Practice Test 002

10 questions • 8 single-answer, 2 multi-select

Question 1

A penetration tester conducting an internal network assessment on a switched enterprise network intercepts traffic between two hosts by sending gratuitous ARP replies that associate her own MAC address with the IP addresses of both the gateway and a target workstation. Captured credentials flow through her Wireshark session as traffic is transparently forwarded between the two endpoints. Which attack technique did the penetration tester execute?

A. MAC flooding — the tester overwhelmed the CAM table of the switch with fake MAC addresses, forcing it into hub mode and broadcasting all frames to every port on the segment B. ARP poisoning — the tester sent forged ARP replies to both the gateway and target host, mapping her MAC address to their IP addresses and inserting herself as a man-in-the-middle C. DHCP starvation — the tester exhausted the DHCP server's address pool with spoofed DISCOVER messages, then issued rogue lease information pointing to her host as the default gateway D. DNS cache poisoning — the tester injected forged DNS resource records into the internal resolver's cache to redirect the target's domain queries to a malicious IP address

Question 2

Kevin, targeting a corporate LAN, uses macof to flood a core switch with thousands of frames containing random source MAC addresses until the switch's Content Addressable Memory table is completely exhausted. Once the CAM table overflows, the switch begins broadcasting all incoming frames out every port rather than forwarding them only to the intended destination. What is the primary objective of Kevin's attack?

A. To permanently damage the switch hardware by triggering a memory overflow that corrupts the switch firmware and requires a full factory reset to restore service B. To force the switch to behave like a hub so that Kevin's network interface receives unicast frames intended for other hosts, enabling him to sniff their traffic C. To trigger a Spanning Tree Protocol topology change that designates Kevin's host as the root bridge, rerouting all inter-VLAN traffic through his segment D. To exhaust the switch's ARP cache so that subsequent ARP requests from legitimate hosts are silently dropped and inter-subnet communication is disrupted

Question 3

A network analyst explains to a junior colleague that sniffing on a hub-based network requires no packet injection because all traffic is broadcast to every connected port by default. On a switched network, however, the analyst notes that techniques such as ARP poisoning or MAC flooding must be used to redirect traffic to the attacker's interface before it can be captured. Which statement correctly distinguishes passive sniffing from active sniffing?

A. Passive sniffing injects forged ARP replies to redirect switched traffic through the attacker's interface, while active sniffing captures broadcast traffic without any packet injection on hub networks B. Passive sniffing captures traffic without injecting packets and is most effective on shared or hub-based networks, while active sniffing uses injection techniques such as ARP poisoning or MAC flooding to redirect traffic on switched networks C. Passive sniffing requires placing the network card in promiscuous mode on a switched network to intercept unicast frames, while active sniffing requires physical access to the switch's SPAN or mirror port D. Passive sniffing and active sniffing are equally effective on switched networks, but passive sniffing is limited to capturing only broadcast and multicast traffic regardless of network topology

Question 4

Jane executes a DHCP starvation attack against an enterprise network by flooding the DHCP server with DISCOVER messages using thousands of spoofed MAC addresses, exhausting the entire available address pool. She then stands up her own rogue DHCP server and begins responding to new client DISCOVER requests with IP configuration that designates her host as the default gateway. What is the ultimate goal of Jane's two-phase attack?

A. To cause a sustained denial of service by preventing all existing and new hosts from obtaining valid IP addresses, making the network permanently unavailable until the DHCP lease pool is manually cleared B. To position herself as a man-in-the-middle by starving the legitimate DHCP server and then issuing fraudulent lease information that routes all victim outbound traffic through her host C. To bypass 802.1X port-based authentication by registering spoofed MAC addresses in the DHCP server that match entries in the network access control policy for authorized devices D. To exhaust the switch's CAM table with the same spoofed MAC addresses used in the DHCP starvation phase, forcing the switch into hub mode to enable passive sniffing

Question 5

A security analyst opens a packet capture file and immediately applies the display filter 'http.request.method == POST' to isolate web form submissions containing potential cleartext credentials. The tool's protocol dissection engine decodes each captured session layer by layer, displaying structured field values for HTTP headers, cookies, and POST body parameters. Which network analysis tool is the analyst using?

A. Nmap — a network discovery and port scanning tool that probes remote hosts with crafted packets to enumerate open ports, running services, and OS versions across a target subnet B. Wireshark — a graphical packet capture and protocol analyzer that reads live traffic or pcap files, applies display filters, and provides deep dissection of hundreds of network protocols C. Metasploit Framework — a penetration testing platform that provides exploit modules, payloads, and post-exploitation capabilities for attacking and maintaining access to compromised systems D. Burp Suite — a web application security testing proxy that intercepts HTTP and HTTPS traffic between a browser and server to facilitate manual inspection and manipulation of web requests

Question 6

An enterprise security team investigating a wave of user redirections to fraudulent banking sites discovers that an internal DNS resolver began returning attacker-controlled IP addresses for legitimate financial domains after an on-path attacker on the same LAN segment sent forged UDP responses that arrived before the legitimate authoritative server's replies. The resolver accepted the forged records because it lacked source port randomization and DNSSEC validation, and the fraudulent entries persisted in cache until their TTL expired. Which attack did the enterprise network suffer?

A. ARP poisoning — an attacker sent gratuitous ARP replies that corrupted the gateway's ARP cache, redirecting all DNS query traffic through the attacker's host before it reached the authoritative server B. DNS cache poisoning — an attacker injected forged DNS resource records into the resolver's cache, causing it to serve attacker-controlled IP addresses for legitimate domain queries until the records expired C. BGP hijacking — an attacker announced more specific IP prefixes for the financial institution's address space, rerouting Internet-bound DNS query traffic at the routing-protocol level through attacker-controlled infrastructure D. HTTP response splitting — an attacker injected malicious headers into HTTP responses to manipulate the browser's cache and transparently redirect users to a fraudulent web server

Question 7

Select all that apply

Elijah, a security engineer, discovers that an attacker inside the corporate LAN executed a successful ARP poisoning campaign that redirected executive traffic through a rogue host for three days without detection. Elijah is tasked with implementing controls that will prevent this class of attack from recurring on the organization's Cisco switched infrastructure. Which TWO controls should Elijah implement to mitigate ARP poisoning on the switched network? (Choose two)

A. Enable Dynamic ARP Inspection (DAI) on all access-layer switches to validate ARP packets against the DHCP snooping binding table and drop ARP replies with unverified MAC-to-IP mappings B. Deploy a network intrusion detection system in inline blocking mode with signatures tuned to detect high volumes of ICMP echo requests originating from a single host on the LAN segment C. Enable DHCP snooping on all untrusted access ports to build a binding table of legitimate MAC-to-IP-to-port mappings that Dynamic ARP Inspection can reference when validating ARP traffic D. Increase the Spanning Tree Protocol hello timer interval on all switches to slow topology change notifications and reduce the frequency of CAM table flushes triggered by network events E. Implement 802.11w Management Frame Protection on all wireless access points to encrypt deauthentication and disassociation management frames against wireless client spoofing attacks

Question 8

Clark is conducting a red team exercise and crafts raw Ethernet frames with a spoofed source MAC address belonging to the organization's default gateway router, sending these frames to hosts on the target VLAN to corrupt their ARP caches and impersonate the gateway. Hosts update their ARP tables and begin forwarding all outbound traffic to Clark's interface, which he transparently proxies after capturing credentials with Wireshark. What category of active sniffing technique did Clark employ?

A. Passive sniffing — Clark configured his network interface card in promiscuous mode on the switched segment to capture all broadcast and multicast frames without injecting any packets B. ARP poisoning — Clark sent forged Ethernet frames that spoofed the gateway's MAC address to corrupt the ARP caches of target hosts, positioning his interface as the man-in-the-middle for all their outbound traffic C. DHCP starvation — Clark flooded the DHCP server with DISCOVER messages using spoofed MAC addresses to exhaust the address pool and prevent legitimate hosts from obtaining network configuration D. DNS cache poisoning — Clark sent forged DNS responses to the internal resolver to redirect target hosts' domain-based traffic to his server without modifying any ARP or MAC address mappings

Question 9

A security analyst suspects that an insider threat has deployed a packet sniffer on the internal network by placing a host's NIC in promiscuous mode to capture all traffic crossing the segment. The analyst crafts a specially formed ICMP echo request with a valid destination IP address but an incorrect unicast destination MAC address that does not match the target host, reasoning that a host with a normal NIC driver would discard the frame while a host in promiscuous mode would pass it to the IP stack and respond. Which detection technique is the analyst applying?

A. ARP watch monitoring — the analyst is tracking the rate of ARP replies broadcast on the network segment to identify hosts sending gratuitous ARP packets at frequencies consistent with an ARP poisoning attack B. Promiscuous mode detection — the analyst is sending a frame that a NIC with filtering enabled would drop at the hardware level but a promiscuous NIC would accept and process, using the resulting ICMP reply to identify the sniffer C. Active port scanning — the analyst is running an Nmap SYN scan against all hosts on the subnet to enumerate unauthorized open ports that indicate a packet capture or sniffing service is running D. Bandwidth baseline anomaly analysis — the analyst is comparing current segment utilization against historical traffic baselines to identify statistically significant spikes consistent with bulk packet capture activity

Question 10

Select all that apply

A newly appointed network security architect at a financial institution audits the organization's defenses against sniffing attacks and discovers that administrative sessions use Telnet and FTP, and internal web applications transmit login credentials over HTTP without TLS. The architect must recommend controls that directly reduce the risk of credential capture by an attacker who has already achieved a man-in-the-middle position on the network. Which TWO controls most directly mitigate credential interception via sniffing? (Choose two)

A. Replace all cleartext administrative protocols by migrating Telnet sessions to SSH and FTP transfers to SFTP, ensuring that intercepted traffic yields only unreadable ciphertext to an attacker with a man-in-the-middle position B. Deploy a web application firewall in reverse proxy mode in front of all internal web applications to inspect HTTP request payloads for injection attempts and block malicious traffic before it reaches application servers C. Enforce TLS on all internal web application sessions, configure HSTS headers to prevent protocol downgrade attacks, and require HTTPS so that credentials are never transmitted in cleartext over HTTP D. Implement VLAN segmentation across the data center to isolate server workloads into separate broadcast domains and reduce the number of hosts that share the same Layer 2 network segment E. Deploy a SIEM platform to aggregate authentication logs from all network devices and servers, enabling real-time correlation rules that alert on anomalous login patterns indicative of credential compromise

ByThe Test Master

Related Post

CEH v13 Domain 4.5 Practice Test 002

CEH v13 Domain 4.4 Practice Test 002

CEH v13 Domain 4.3 Practice Test 002

Leave a Reply Cancel reply

You missed

CEH v13 Domain 4.5 Practice Test 002

CEH v13 Domain 4.4 Practice Test 002

CEH v13 Domain 4.3 Practice Test 002

CEH v13 Domain 4.1 Practice Test 002