CEH v13 Domain 2.2 Practice Test 003

This practice test covers Domain 2 (Reconnaissance Techniques) Subdomain 2 (Scanning Networks) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.


10 questions • 8 single-answer, 2 multi-select
Question 1
A penetration tester is performing a stealthy port scan against an enterprise target and sends SYN packets to each target port without completing the three-way handshake — when a port is open, the target responds with a SYN-ACK, and the tester immediately sends a RST packet to abort the connection before it is fully established. This technique avoids triggering most session-based logging mechanisms on the target host. Which Nmap scan type was used?

Question 2
Kevin connects to a target web server on port 80 using Telnet, issues a raw HTTP GET request, and captures the response headers that reveal the Apache version, server OS, and loaded modules in the Server header field. He records this information to search for known CVEs targeting the specific software version. Which reconnaissance technique is Kevin using?

Question 3
An analyst performing host discovery on a large cloud-hosted /24 subnet uses Nmap to send ICMP Echo Request packets to every IP in the range, expecting ICMP Echo Reply responses from live hosts. The cloud provider's security groups block all inbound ICMP traffic from external sources, causing every probe to time out with no responses. Which host discovery method did the analyst attempt?

Question 4
Jane is conducting an authorized port scan against a target protected by a stateful IDS and configures Nmap to split TCP header data across multiple small IP fragments, causing the IDS to fail to reassemble the complete packet payload in real time. The IDS misses the scan entirely and Jane successfully maps open ports without triggering any alerts. Which IDS evasion technique did Jane use?

Question 5
During an authorized red team engagement against an enterprise, the team needs to perform a completely blind port scan where no packets originate from their actual IP address — they use a third-party idle host with a predictable IP ID sequence as a proxy, and infer target port states by monitoring changes in the zombie's IP ID counter between probe cycles. Which advanced Nmap scan type achieves this?

Question 6
Clark is scanning a target server to identify services running on connectionless protocols — including DNS on port 53, DHCP on port 67, and SNMP on port 161 — by sending empty datagrams to each port and interpreting ICMP Port Unreachable responses as closed ports, while no response or a service reply indicates the port is open. Which Nmap scan mode is Clark using?

Question 7
Select all that apply
An enterprise security team is preparing for an authorized vulnerability assessment and needs tools that support comprehensive port scanning with OS and service version detection, as well as a graphical interface for visualizing network topology and scan results from the same underlying scan engine. Which two tools are best suited for these combined requirements? (Choose two)

Question 8
Elijah is performing passive OS fingerprinting against a target network without sending any probes directly to hosts — he instead captures packets passing through a monitored network segment and analyzes TCP/IP stack characteristics such as TTL values, IP ID behavior, TCP window sizes, and DF bit settings to identify the operating systems of communicating hosts. Which tool is specifically designed for passive OS fingerprinting?

Question 9
A wireless network penetration tester needs to determine which specific service versions are running on open ports of a target access point controller after completing initial host discovery, and uses Nmap with a flag that sends targeted service probes to each open port and analyzes the returned banners to identify application name, version number, and protocol. Which Nmap capability and flag was used?

Question 10
Select all that apply
An attacker targeting an IoT/OT environment wants to scan target hosts while evading a perimeter IDS that signature-matches against common scanning source ports, and also wants to completely conceal the true origin of the scan by intermixing real probe packets with spoofed packets appearing to come from several decoy IP addresses. Which two techniques would collectively achieve source obfuscation and port-based IDS bypass during the scan? (Choose two)
