CEH v13 Domain 3.2 Practice Test 004

This practice test covers Domain 3 (System Hacking Phases and Attack Techniques) Subdomain 2 (System Hacking) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 3.2 Practice Test 004

10 questions • 8 single-answer, 2 multi-select

Question 1

Clark is conducting an authorized penetration test and has obtained a list of NTLM password hashes extracted from a compromised Windows server's SAM database using a memory-scraping tool. He feeds the hashes into a tool that compares them against a massive precomputed table of hash values and their corresponding plaintexts, recovering several passwords within seconds without performing any brute-force computation. Which password cracking technique is Clark using?

A. Dictionary attack B. Rainbow table attack C. Brute-force attack D. Rule-based attack

Question 2

A penetration tester gains initial access as a standard user on a Linux server and identifies a binary with the SUID bit set that calls the system() function with a relative path rather than an absolute path, allowing manipulation of the PATH environment variable to make the binary execute a malicious script as root instead of the intended system command. The tester exploits this misconfiguration and obtains a root shell, confirming the escalation by running the id command. Which privilege escalation technique is being demonstrated?

A. Pass-the-Hash B. Token impersonation C. SUID binary exploitation D. Kernel module injection

Question 3

Jane has gained domain administrator access to a Windows enterprise environment and wants to ensure her foothold survives reboots and routine security sweeps without relying on a persistent malware implant that could be flagged by endpoint detection tools. She creates a scheduled task configured to execute a reverse shell payload every time a domain user authenticates to the compromised host, guaranteeing that her access is automatically re-established after system restarts. Which phase of the CEH system hacking methodology does this activity represent?

A. Gaining access B. Clearing logs C. Maintaining access D. Vulnerability exploitation

Question 4

Elijah has used Mimikatz to extract NTLM hashes from the memory of a compromised Windows domain controller and now wants to run a highly optimized offline cracking campaign using a large wordlist combined with mangling rules that generate password variations such as capitalization changes, number appending, and symbol substitution. He selects a tool that leverages GPU acceleration to process hundreds of millions of hash comparisons per second and supports multiple hash types including NTLM, SHA-1, and bcrypt. Which tool should Elijah use for this campaign?

A. John the Ripper B. Aircrack-ng C. Wireshark D. Hashcat

Question 5

Select all that apply

The red team at a financial institution successfully gains administrative access to an internal file server and now wants to conceal their hacking tools from the system administrator and standard directory listings without encrypting the files or placing them in obviously suspicious locations. The team plans to use two native Windows and Windows-compatible techniques: one that leverages an NTFS file system feature to embed data within a legitimate file's metadata stream, and another that hides payloads inside the visual content of ordinary image files. Which two file-hiding techniques are they planning to use? (Choose two)

A. NTFS Alternate Data Streams B. Steganography C. File system encryption D. Registry-based storage E. Log file tampering

Question 6

Kevin performs a post-exploitation step on a compromised Windows 10 host where he injects a malicious DLL into the search order path of a trusted executable, causing Windows to load his malicious library instead of the legitimate one when the application launches, which allows his code to run in the context of that trusted process without triggering process-based security monitoring. The technique exploits Windows' dynamic linking mechanism, which searches several directories in a specific sequence before loading any shared library. Which post-exploitation technique is Kevin using?

A. Pass-the-Hash B. DLL hijacking C. Kernel patching D. Token impersonation

Question 7

A penetration tester with valid domain credentials on a Windows network extracts an NTLM hash from one compromised workstation using a credential dumping tool and then uses that same hash directly to authenticate to other workstations and servers across the domain without ever learning or cracking the actual plaintext password. The technique exploits Windows' challenge-response authentication protocol's acceptance of the hash value itself as the authentication credential, bypassing the need for decryption. Which lateral movement technique is being demonstrated?

A. Kerberoasting B. Golden ticket attack C. Pass-the-Hash D. Credential stuffing

Question 8

After completing an authorized red team engagement against a healthcare organization's Linux-based infrastructure, the team is instructed to simulate what a sophisticated threat actor would do to evade forensic investigation by erasing all evidence of their activities from the compromised hosts. The team systematically overwrites shell history files, clears authentication logs in /var/log/auth.log, truncates syslog entries, and uses a script to zero out the wtmp and btmp binary log files. Which phase of the CEH system hacking methodology does this activity represent?

A. Maintaining access B. Executing applications C. Clearing logs D. Escalating privileges

Question 9

A security researcher testing a Windows 10 workstation has obtained a low-privileged user shell via a phishing payload and now executes a publicly available local kernel exploit targeting a Windows Print Spooler vulnerability to move from a restricted standard user account to NT AUTHORITYSYSTEM. The researcher runs 'whoami' after the exploit fires, confirms the elevated context, and then installs a persistent backdoor before proceeding to lateral movement activities. Which system hacking phase did the researcher complete by running the local kernel exploit?

A. Gaining access B. Escalating privileges C. Maintaining access D. Clearing logs

Question 10

Select all that apply

Jane is reviewing red team findings from a Windows domain engagement and must identify two native Windows mechanisms that were abused to ensure malicious payloads automatically execute after system restarts without requiring the attacker to re-establish an interactive session. The report notes that one technique leverages an autostart location within the Windows startup configuration database, while another creates a background process descriptor that the Service Control Manager automatically launches during the boot sequence. Which two persistence mechanisms are described? (Choose two)

A. Registry Run Key B. Malicious Windows service C. SQL injection D. ARP poisoning E. Password spraying

Related Posts

Leave a Comment Cancel Reply