CEH v13 Domain 7.2 Practice Test 003

This practice test covers Domain 7 (Mobile Platform, IoT, and OT Hacking) Subdomain 2 (IoT and OT Hacking) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 7.2 Practice Test 003

10 questions • 8 single-answer, 2 multi-select

Question 1

A penetration tester hired by a smart city operator begins her engagement by mapping all internet-exposed IoT devices in the target environment, using specialized search engines to identify open ports, device types, and firmware versions without actively sending packets to the target. She records detailed information about network topology, default credential patterns, and communication protocols used by traffic sensors, environmental controllers, and IP cameras. Which phase of the IoT hacking methodology does this activity represent?

A. Vulnerability Scanning B. Information Gathering C. Active Exploitation D. Lateral Movement

Question 2

Jane, a security researcher auditing an industrial IoT deployment, discovers that the MQTT broker running on TCP port 1883 accepts connections without authentication and allows any subscriber to receive messages from all topics. She captures telemetry data from temperature sensors and then injects spoofed readings that cause the automated cooling system to shut down. Which attack best describes Jane's exploitation of the insecure broker configuration?

A. ARP Spoofing B. Insecure MQTT Protocol Exploitation C. Replay Attack D. DNS Poisoning

Question 3

An OT security consultant reviewing the architecture of a petroleum refinery finds that engineering workstations running SCADA software share the same network segment as corporate IT email servers and web proxies. The consultant warns the operations manager that this flat network design would not satisfy auditors or regulators who expect ICS environments to conform to the established hierarchical segmentation standard for industrial operations. Which model defines the recommended network segmentation hierarchy for industrial control systems?

A. OSI Reference Model B. Purdue Reference Model C. Zero Trust Architecture D. TOGAF Framework

Question 4

During an IoT security assessment, an ethical hacker needs to identify all internet-facing devices belonging to a target organization—including IP cameras, industrial controllers, and routers—without sending any packets directly to the target network. He relies on a service that continuously indexes device banners, open service ports, and geolocation data collected from internet-connected devices worldwide. Which tool best suits this passive IoT reconnaissance technique?

A. Nmap B. Shodan C. Wireshark D. Metasploit

Question 5

Kevin, a firmware analyst contracted by an IoT device manufacturer, extracts a firmware image from a smart thermostat using the JTAG interface and obtains the raw binary file. He then runs Binwalk against the image, decompresses the embedded file system, and locates hardcoded root credentials stored in plaintext within the device initialization scripts. Which technique did Kevin use to uncover these hidden credentials?

A. Dynamic Analysis B. Firmware Reverse Engineering C. Side-Channel Attack D. Buffer Overflow Exploitation

Question 6

Select all that apply

A CEH candidate reviewing IoT threat categories must classify two adversary activities observed against a consumer smart home deployment: the first targeted sensitive data embedded within the device's software image, and the second rendered the resource-constrained IoT hub completely unresponsive through sustained traffic overload. The study group must identify which two IoT attack categories from the CEH curriculum best describe these two activities. Which two of the following IoT attack types are demonstrated? (Choose two)

A. Firmware Analysis Attacks B. SQL Injection Attacks C. Side-Channel Attacks D. DoS/Resource Exhaustion Attacks E. Kerberoasting Attacks

Question 7

Elijah, a red team specialist contracted by an energy utility, gains access to the OT control network and identifies a Siemens S7-series PLC managing turbine rotation speed via the engineering workstation. He sends unauthorized S7comm write commands directly to the PLC, modifying the speed setpoint to a level far beyond safe operational limits without triggering any process alarms. Which type of OT attack has Elijah successfully executed?

A. Man-in-the-Middle Replay B. Rogue Engineering Workstation C. PLC Reprogramming Attack D. HMI Credential Theft

Question 8

A hospital security team responsible for connected medical device infrastructure deploys network segmentation, disables unused communication ports on infusion pumps, and configures a dedicated IoT gateway to monitor and block anomalous traffic patterns. They also enforce a policy requiring all firmware updates for patient monitoring devices to undergo cryptographic signature verification before installation. Which IoT attack does the firmware signature verification requirement specifically prevent?

A. Network Scanning Prevention B. Rogue Firmware Installation C. Physical Tampering D. DDoS Amplification

Question 9

Select all that apply

An OT security architect designing defenses for a chemical plant's industrial control systems must select countermeasures that align with ICS security best practices while preserving continuous operations where patch cycles may span many months. She must choose controls that address both IT-originated lateral movement threats and direct attacks against field devices without introducing active scanning agents on the OT network. Which two security controls are most appropriate for this OT environment (choose two)?

A. Network Segmentation Using a DMZ B. Active PLC Vulnerability Scanning C. Data Diode Deployment D. HMI Web Application Firewall E. Cloud-Based PLC Migration

Question 10

During a wireless IoT security assessment at a smart warehouse, a penetration tester identifies several Zigbee-enabled sensors communicating on the 2.4 GHz band and begins passively monitoring traffic during a period when new sensors are being added to the network. Without performing any brute-force or active exploitation, he subsequently decrypts all sensor-to-coordinator communications. Which vulnerability did the attacker exploit to compromise the Zigbee network?

A. WPS PIN Brute Force B. Unencrypted Zigbee Key Transport C. Bluetooth KNOB Attack D. Z-Wave S0 Downgrade

Related Posts

Leave a Comment Cancel Reply