CEH v13 Domain 4.2 Practice Test 002

This practice test covers Domain 4 (Network and Perimeter Hacking) Subdomain 2 (Social Engineering) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link.

CEH v13 Domain 4.2 Practice Test 002

10 questions • 8 single-answer, 2 multi-select

Question 1

Clark crafts a convincing email appearing to originate from the company's IT helpdesk, instructing employees to click an embedded link and re-enter their VPN credentials on a lookalike corporate portal he controls. Thirty-two employees comply within two hours of the email's distribution, providing Clark with valid enterprise domain credentials. Which social engineering technique did Clark employ?

A. Vishing — Clark used voice calls impersonating IT support to verbally extract VPN credentials from employees who answered the phone, relying on real-time conversation pressure rather than a written message B. Baiting — Clark left infected USB drives labeled 'VPN Update' in common areas, relying on employee curiosity to connect the drives to corporate workstations and trigger credential harvesting malware C. Phishing — Clark sent deceptive emails masquerading as a trusted internal source to trick employees into submitting credentials to a fraudulent lookalike portal under his control D. Quid pro quo — Clark offered employees a free software upgrade in exchange for their credentials, framing the exchange as a mandatory IT compliance procedure requiring immediate participation

Question 2

A penetration tester calls the company's front desk and poses as an external auditor conducting a scheduled security review, using a fabricated scenario complete with a spoofed caller ID matching the audit firm's phone number and background research about current internal projects. The receptionist, believing the call is legitimate, provides the names and direct extensions of three senior IT administrators. Which social engineering technique did the penetration tester use?

A. Tailgating — the tester physically followed an authorized employee through a badge-controlled entry point by closely trailing them immediately after they scanned their access card B. Phishing — the tester sent a fraudulent email to the receptionist with a forged sender address to extract the administrator contact details in written form rather than over a phone call C. Pretexting — the tester constructed a fabricated identity and believable auditor scenario, supported by background reconnaissance and a spoofed caller ID, to establish credibility and elicit sensitive organizational information D. Pharming — the tester poisoned the corporate DNS resolver to redirect the receptionist's web traffic to a fraudulent intranet page that harvested IT administrator contact information automatically

Question 3

Jane calls an employee of a mid-size financial firm posing as a representative from the corporate IT security team, claiming the employee's workstation has generated suspicious alerts requiring immediate credential verification to prevent an imminent account lockout. The employee, pressured by urgency and the apparent authority of the caller, verbally provides their Active Directory username and password. Which attack technique did Jane execute?

A. Smishing — Jane sent an SMS message containing a fraudulent link to a spoofed IT portal that harvested the employee's Active Directory credentials when accessed on a mobile device B. Vishing — Jane used a voice call combined with an authoritative IT security pretext and manufactured urgency to psychologically pressure the employee into verbally disclosing their domain credentials C. Watering hole attack — Jane compromised a website frequently visited by the financial firm's employees and embedded a credential harvesting script that passively captured login tokens from authenticated sessions D. Spear phishing — Jane sent a highly personalized email targeting the specific employee by name, current project, and role to increase believability and compel the employee to submit credentials through a linked form

Question 4

An enterprise security operations center detects that a current employee in the accounting department has been exfiltrating quarterly financial reports by emailing compressed attachments to a personal email account after business hours for the past six weeks. Investigation reveals the employee recently learned they were being passed over for promotion and had legitimate access privileges to all the files that were exfiltrated. Which insider threat category best describes this actor?

A. Unintentional insider — the employee accidentally forwarded sensitive financial files to the wrong email recipient through human error rather than any deliberate attempt to exfiltrate data B. Malicious insider — the employee intentionally leveraged legitimate access privileges to systematically steal confidential financial data, motivated by a personal grievance over the denied promotion C. Third-party insider — the employee is an external contractor whose engagement has concluded, removing their authorization to access the accounting systems from which the reports were exfiltrated D. Negligent insider — the employee violated data handling policy by using a personal email account out of convenience, without understanding the security implications or intending any harm to the organization

Question 5

Elijah targets a corporate campus with badge-controlled entry points and gains physical access to a restricted server room by closely following an authorized employee through the security door immediately after the employee swipes their badge, without presenting any access credential of his own. Once inside, Elijah plants a hardware keylogger on an unattended workstation before exiting the building. Which physical social engineering technique did Elijah employ?

A. Shoulder surfing — Elijah positioned himself near an employee's workstation and visually observed the employee entering their login credentials by looking over their shoulder at close range B. Dumpster diving — Elijah searched the organization's waste disposal area for discarded documents, printed badge templates, and physical media containing sensitive organizational information C. Tailgating — Elijah gained unauthorized physical access to the restricted server room by exploiting an authorized employee's legitimate badge swipe, slipping through the secured door directly behind them without presenting his own credential D. Piggybacking — Elijah presented a convincingly forged visitor badge to the authorized employee, who then deliberately held the security door open for Elijah after reviewing what appeared to be a valid access credential

Question 6

Select all that apply

A newly appointed Chief Security Officer at a healthcare organization reviews a recent social engineering penetration test report revealing that employees disclosed credentials over the phone to testers posing as IT support, propped open badge-controlled doors for unknown individuals, and clicked phishing links at a 40% rate. The CSO must implement organizational controls to address all three identified weaknesses. Which TWO controls most directly reduce susceptibility to the social engineering techniques identified in the test? (Choose two)

A. Deploy DMARC, DKIM, and SPF email authentication records on all corporate mail domains to reject spoofed inbound messages that fail sender verification and prevent forged emails from reaching employee inboxes B. Conduct recurring security awareness training and simulated social engineering exercises that teach employees to recognize pretexting calls, verify caller identity through an out-of-band callback process, challenge unknown individuals at access points, and report suspicious contacts C. Implement network access control solutions that enforce endpoint health checks and 802.1X port-based authentication before permitting any device to join internal network segments D. Establish and enforce a formal identity verification policy requiring that all requests for sensitive information or physical access be validated through an out-of-band callback to a known number or in-person badge verification before compliance E. Deploy a next-generation firewall with deep packet inspection to analyze and block outbound connections to known phishing infrastructure and command-and-control domains identified in threat intelligence feeds

Question 7

Kevin, a threat actor, spends three weeks monitoring a target organization's LinkedIn profiles and public project announcements to identify a finance manager's name, current project responsibilities, and the name of the external accounting firm the company retains. He then crafts a personalized email addressed to the finance manager by name, referencing the specific project, and purportedly sent by the accounting firm, with a malicious Excel attachment that deploys a RAT upon opening. How is Kevin's technique classified relative to standard phishing?

A. Kevin's attack is classified as whaling because it targets a high-value executive and is identical in structure to a standard phishing blast sent to thousands of recipients without personalization B. Kevin's attack is classified as spear phishing because it leverages detailed personal and organizational reconnaissance to craft a targeted, believable message aimed at a specific named individual rather than a broad untargeted email distribution C. Kevin's attack is classified as vishing because the primary social engineering element relies on verbal communication between Kevin and the finance manager rather than a written electronic message D. Kevin's attack is classified as pharming because Kevin manipulated the organization's DNS resolver to redirect the finance manager's browser to a fraudulent accounting firm website that delivered the malicious Excel file

Question 8

An attacker creates a convincing LinkedIn profile using a photograph of a real employee at a target organization, adopting that employee's name, job title, and employer to appear as a trusted colleague. The attacker uses this fraudulent profile to send connection requests to other employees who accept, believing they are adding a known coworker, and then extracts project timelines, upcoming vendor contracts, and organizational headcount through direct messages. Which social engineering technique is the attacker employing?

A. Identity theft — the attacker is using the real employee's stolen financial account credentials and Social Security number to conduct unauthorized financial transactions and open new lines of credit B. Pretexting — the attacker constructed an entirely fictional persona with an invented name and backstory having no basis in any real individual within the organization C. Impersonation on social networking sites — the attacker created a fraudulent profile mimicking a real, named employee to deceive colleagues into forming trusted connections and then disclosing sensitive organizational information D. Watering hole attack — the attacker compromised the LinkedIn platform itself by injecting credential-harvesting JavaScript into profile pages visited by organization employees

Question 9

A security analyst reviews a case in which an attacker obtained a victim's name, Social Security number, and date of birth by purchasing a compiled data breach dataset from a dark web marketplace. The attacker then used those details to open three fraudulent credit card accounts and file a tax return in the victim's name, collecting a substantial refund before the fraud was detected. Which term accurately describes what the attacker committed after acquiring the victim's personal information?

A. Social engineering — the attacker directly contacted financial institution representatives by telephone and used persuasion techniques to authorize account changes without possessing any of the victim's identifying documents B. Identity theft — the attacker misused the victim's stolen personally identifiable information to fraudulently assume their identity for financial gain, opening accounts and filing tax documents under the victim's name and credentials C. Pretexting — the attacker fabricated an entirely invented persona with a false name and supporting backstory, using that fictional identity rather than the victim's real information to deceive financial institutions D. Shoulder surfing — the attacker observed the victim manually entering their Social Security number and date of birth on a government portal in a public location and recorded the information for later fraudulent use

Question 10

Select all that apply

A penetration tester explains to a client's board that advanced social engineering attacks sometimes use a reverse social engineering approach in which the attacker engineers a situation that causes the target to initiate contact and seek the attacker's help, rather than the attacker making first contact and risking detection or refusal. The tester describes the three recognized phases that comprise a complete reverse social engineering campaign. Which TWO of the following are established phases of a reverse social engineering attack? (Choose two)

A. Sabotage — the attacker creates or simulates a technical problem on the target's system or environment to establish a realistic scenario in which the victim feels compelled to seek external technical assistance B. Footprinting — the attacker performs passive open-source reconnaissance on the target organization using WHOIS, job postings, and LinkedIn to enumerate network topology and employee roles before launching the attack C. Advertising — the attacker promotes themselves or their fictional support persona through legitimate or semi-legitimate channels so the target will contact them when the fabricated technical problem materializes D. Enumeration — the attacker sends crafted SNMP queries to network devices in the target environment to extract MIB object values including device names, interface configurations, and routing table entries E. Port scanning — the attacker runs an Nmap scan against the target's external IP range to identify open ports and running services that can be exploited as technical entry points before initiating social contact

ByThe Test Master

Related Post

CEH v13 Domain 4.5 Practice Test 002

CEH v13 Domain 4.4 Practice Test 002

CEH v13 Domain 4.3 Practice Test 002

Leave a Reply Cancel reply

You missed

CEH v13 Domain 4.5 Practice Test 002

CEH v13 Domain 4.4 Practice Test 002

CEH v13 Domain 4.3 Practice Test 002

CEH v13 Domain 4.1 Practice Test 002