CEH v13 Domain 2.2 Practice Test 004

This practice test covers Domain 2 (Reconnaissance Techniques) Subdomain 2 (Scanning Networks) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 2.2 Practice Test 004

10 questions • 8 single-answer, 2 multi-select

Question 1

Clark is conducting a penetration test on a corporate network and wants to identify all live hosts without triggering IDS alerts. He sends ICMP Echo Requests to a range of IP addresses to determine which hosts are active on the subnet. Which host discovery technique is Clark using?

A. Ping Sweep B. Inverse Mapping C. SYN Stealth Scan D. TCP ACK Probe

Question 2

A penetration tester is scanning a target environment and observes that certain probed ports return absolutely no response — neither a RST nor a SYN-ACK packet — suggesting a device is silently dropping packets before they reach the host. Nmap classifies these ports differently from closed ports that send back a RST. What port state does Nmap assign to these silently dropped probes?

A. Closed B. Open|Filtered C. Filtered D. Unresponsive

Question 3

Select all that apply

A security team at a large enterprise wants to perform OS fingerprinting on remote hosts to support an upcoming vulnerability assessment. The team lead instructs junior analysts to distinguish between techniques that require sending probes to the target versus those that rely solely on observing existing traffic. Which two methods would be classified as active OS fingerprinting techniques? (Choose two)

A. Nmap -O Scan B. Wireshark Traffic Analysis C. Banner Grabbing D. p0f Passive Analysis E. TTL-Based Traffic Inference

Question 4

Jane is conducting an authorized penetration test and needs to map the network path that packets take to reach a remote host across the internet. She runs a command that sends packets with incrementally increasing TTL values, recording the ICMP Time Exceeded messages returned by each intermediate router. What network reconnaissance technique is Jane using?

A. Idle/Zombie Scan B. Traceroute C. Ping Sweep D. TCP Timestamp Probe

Question 5

An enterprise security analyst discovers during an internal audit that unauthorized systems are appearing on the corporate subnet, and she needs to rapidly enumerate all active IP addresses across multiple network ranges. She wants a single tool that supports ARP-based discovery, ICMP probing, and TCP/UDP host detection across different environments. Which tool is best suited for this comprehensive, multi-protocol host discovery task?

A. Wireshark B. Metasploit C. Nmap D. Netcat

Question 6

Kevin is performing a stealth scan on a hardened enterprise network and wants to avoid triggering threshold-based detection rules on the deployed intrusion detection system. He configures his scanning tool to randomize probe order across target hosts and inserts deliberate time delays between each packet sent. Which scanning strategy is Kevin employing to evade detection?

A. FIN Scan B. XMAS Scan C. Slow/Low-and-Slow Scan D. NULL Scan

Question 7

Elijah is reviewing a packet capture collected with Wireshark from an unknown host on the network and notices that the host's packets consistently have a TTL value of 128 and a TCP window size of 65535. Without sending any additional packets to the target system, he uses these observable characteristics to draw a conclusion about the host's operating system. What category of OS discovery is Elijah performing?

A. Active Banner Grabbing B. Nmap OS Detection C. TCP ISN Sampling D. Passive OS Fingerprinting

Question 8

Select all that apply

A red team is tasked with identifying open ports on internal hosts behind a network perimeter that includes a stateful firewall and a signature-based IDS, without generating alerts that would expose the engagement. The team lead reviews several scan types and selects two that either break packets into smaller units or leverage non-standard TCP flag combinations that bypass stateful inspection. Which two techniques would best help the red team evade the perimeter defenses? (Choose two)

A. IP Fragmentation B. Full Connect SYN-ACK Scan C. FIN Scan D. ICMP Timestamp Probe E. Verbose Nmap Scan

Question 9

A cloud security team is auditing an AWS environment and wants to determine which EC2 instances are listening on specific ports without the target instances ever seeing the true source IP address of the scanning host. They identify a third-party cloud instance with a predictable and monotonically incrementing IP ID sequence and use it as an intermediary in their scanning operation. What type of scan does this describe?

A. Decoy Scan B. SYN Stealth Scan C. Inverse Mapping D. Idle/Zombie Scan

Question 10

A network administrator at a healthcare organization notices that external sources are repeatedly targeting dozens of ports in rapid succession across multiple internal servers, with each connection attempt separated by only milliseconds. She wants to deploy a countermeasure that automatically identifies this pattern and throttles or blocks the offending sources before they can complete their reconnaissance. Which control would most effectively address this threat?

A. VLAN Segmentation B. Port Scan Detection and Rate-Limiting C. MAC Filtering D. Disabling ICMP Responses

Related Posts

Leave a Comment Cancel Reply