CEH v13 Domain 7.2 Practice Test 002

This practice test covers Domain 7 (Mobile Platform, IoT, and OT Hacking) Subdomain 2 (IoT and OT Hacking) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.


10 questions • 8 single-answer, 2 multi-select
Question 1
A security researcher is tasked with enumerating Internet-exposed IoT devices across a smart city infrastructure as part of a threat assessment. She uses a specialized search engine designed to index internet-connected devices by banner responses, open ports, and geolocation data, discovering hundreds of unsecured IP cameras, HVAC controllers, and PLCs with default credentials. Which tool is she using to conduct this IoT reconnaissance?

Question 2
Clark is conducting an authorized penetration test of an oil refinery's industrial control system and gains access to the internal OT network segment after pivoting through a compromised HMI workstation. He identifies a legacy SCADA system communicating over Modbus TCP and sends unauthorized function code 6 write commands directly to a PLC, altering setpoint values for a pressure valve without any challenge or authentication prompt. Which characteristic of Modbus TCP made Clark's attack possible?

Question 3
A penetration tester is assessing a smart home hub device and extracts the firmware image from the device's SPI flash memory chip using a hardware programmer attached directly to the board via test pads. She loads the binary into a tool that automatically identifies the file system type, extracts embedded binaries, and flags hardcoded credentials and known vulnerable library versions with automated signatures. Which tool is she most likely using for this automated IoT firmware analysis?

Question 4
Elijah is analyzing a forensic image of a Windows XP workstation recovered from an Iranian uranium enrichment facility that was used to program Siemens S7-315 PLCs via the Step 7 engineering software. The malware he discovers intercepts Step 7 project uploads, modifies centrifuge rotor speed commands transmitted to PLCs while reporting falsified normal values to the operators' monitoring screens, and contains device fingerprinting logic that targets only systems matching Siemens-specific hardware configurations. Which malware is Elijah analyzing?

Question 5
Select all that apply
A security team at a healthcare organization is conducting a risk assessment of their IoT medical device fleet, which includes 500 connected infusion pumps, patient monitoring systems, and smart thermostats deployed across multiple hospital wings. The CISO asks the team to identify the two most common attack vectors that adversaries exploit to compromise IoT devices in enterprise environments. Which two attack vectors most frequently enable IoT device compromise? (Choose two)

Question 6
Jane is assessing the security of a smart building's IoT infrastructure and discovers an MQTT broker listening on port 1883 without any authentication requirement or transport layer encryption. She uses a freely available MQTT client to connect anonymously and subscribes to the wildcard topic '#', immediately receiving a continuous stream of plaintext messages containing temperature sensor readings, badge reader events, door lock status, and HVAC control commands from across the facility. Which security weakness in the MQTT deployment directly enabled Jane's unauthorized access?

Question 7
An industrial control system penetration tester is authorized to test a water treatment facility's OT environment and captures legitimate DNP3 command frames transmitted from the SCADA master station to remote terminal units controlling chlorination dosing pumps over an unencrypted serial-to-Ethernet gateway. He replays the captured command sequence at an unauthorized time, causing the dosing pumps to activate at maximum output, and the RTU accepts the replayed commands without rejection because the protocol lacks timestamp validation or command sequencing controls. Which DNP3 security weakness did the penetration tester exploit?

Question 8
Kevin discovers that a target organization's network segment contains thousands of IP cameras and DVR systems running embedded Linux with factory-default Telnet credentials unchanged from the manufacturer's shipping configuration, and he writes an automated scanner that iterates through the default credential list to authenticate and confirm successful Telnet login on each device. After compromising over 200,000 devices globally, Kevin instructs the botnet to launch synchronized UDP and ICMP flood attacks against a major DNS provider, generating peak traffic exceeding 600 Gbps and causing widespread internet outages. Which attack did Kevin execute?

Question 9
Select all that apply
A security analyst at a smart manufacturing company is designing a security framework for 300 newly deployed IoT temperature and pressure sensors installed in chemical storage tanks that communicate over a flat operational network shared with engineering workstations and the corporate LAN. The CISO requires immediate countermeasures that align with OWASP IoT Top 10 recommendations and directly reduce the exposure of the sensors to lateral movement from a compromised workstation. Which two countermeasures are most effective at reducing the attack surface of the deployed IoT sensors? (Choose two)

Question 10
A red team is analyzing the forensic artifacts of a cyberattack against a Middle Eastern petrochemical plant where the threat actor deployed a custom attack framework that communicated with Triconex Safety Instrumented System controllers over the proprietary TriStation protocol, enabling remote read and write access to SIS logic programs running on the safety controllers. The attacker's objective was to disable the emergency shutdown systems to allow physical process damage to occur unimpeded, representing the first publicly documented malware specifically engineered to target safety instrumented systems. Which malware framework was used in this attack?
