CEH v13 Domain 4.5 Practice Test 003

This practice test covers Domain 4 (Network and Perimeter Hacking) Subdomain 5 (Evading IDS, Firewalls, and Honeypots) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

10 questions • 8 single-answer, 2 multi-select
Question 1

Clark, a skilled attacker targeting a financial institution's internal network, needs to exfiltrate sensitive data without triggering the network-based IDS deployed at the perimeter. He intentionally splits his TCP payload into abnormally small, overlapping segments that the IDS fails to properly reassemble, allowing malicious traffic to pass undetected. Which IDS evasion technique is Clark employing?

Question 2
Select all that apply

A security researcher is evaluating a commercial IDS product's resistance to packet-level evasion techniques in a controlled lab environment. After testing multiple approaches, she identifies two specific methods that exploit differences in how the IDS and the end host reassemble fragmented or out-of-order packet streams. Which two techniques does she identify as exploiting this reassembly discrepancy? (Choose two)

Question 3

Jane has compromised an internal workstation inside a corporate network protected by a restrictive outbound firewall that only permits HTTP and HTTPS traffic on ports 80 and 443. She needs to maintain a persistent, bidirectional channel to her external command-and-control server despite these port restrictions. Jane wraps all malicious C2 communications inside standard HTTP GET and POST requests to traverse the firewall undetected. Which technique is she using?

Question 4

A threat actor who has gained an initial foothold on an enterprise network discovers a system responding to MSSQL connection requests on port 1433 but finds no historical login records, no prior network connections in ARP caches, and no active database transactions despite the port being fully responsive. The system has also been running continuously for 11 months without a single patch event or scheduled reboot. Which characteristic most strongly suggests this system is a honeypot rather than a legitimate production server?

Question 5

Elijah is conducting an authorized penetration test against a hardened corporate network that logs all port scan source IPs and shares them with the security operations team in real time. He needs to perform a comprehensive Nmap scan while making attribution difficult by having scan traffic appear to originate from multiple IP addresses simultaneously alongside his real IP. Which Nmap option is Elijah using to implement this evasion technique?

Question 6

A red team operator conducting a sanctioned engagement discovers that the target's network-based IDS processes all inbound packets regardless of whether they can actually reach the destination host. She deliberately sends crafted TCP packets with TTL values set to expire exactly one hop before reaching the target host, causing the IDS to include these phantom packets in its stream reconstruction while the target host never receives them. Which IDS evasion technique is the red team operator exploiting?

Question 7

Kevin gains physical access to an enterprise office building and connects his laptop to an active Ethernet port in a conference room that is protected by 802.1X port-based network access control. Using a passive packet capture tool, he identifies the MAC address of an already-authenticated workstation on the same network segment and reconfigures his network adapter to use that exact MAC address. Which technique is Kevin using to bypass the NAC enforcement?

Question 8

A threat actor has deployed malware on a cloud-hosted virtual machine and needs to exfiltrate data to an external command-and-control server without triggering the cloud provider's network-based IDS. All malicious communications are wrapped in TLS and transmitted over port 443, blending seamlessly with the massive volume of legitimate HTTPS business traffic crossing the network boundary. Which IDS evasion approach does this technique represent?

Question 9
Select all that apply

A seasoned penetration tester is mapping a target enterprise network and suspects that two specific hosts may be honeypots placed by the security team to detect and monitor attacker activity. She performs careful behavioral analysis on both hosts and compares the observed characteristics against known honeypot indicators before proceeding with her attack chain. Which two characteristics are most indicative that a system is a honeypot rather than a genuine production host? (Choose two)

Question 10

An attacker targeting an operational technology network observes that the perimeter firewall permits all inbound traffic originating from source port 53, because plant automation processes depend on external DNS responses for real-time firmware update checks. He crafts his exploit traffic to appear as if it originates from source port 53, successfully satisfying the permissive firewall rule and gaining unauthorized access to the OT network segment. Which firewall evasion technique is the attacker using?
