CEH v13 Domain 4.1 Practice Test 004

This practice test covers Domain 4 (Network and Perimeter Hacking) Subdomain 1 (Sniffing) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 4.1 Practice Test 004

10 questions • 8 single-answer, 2 multi-select

Question 1

Kevin connects to a target enterprise switch and floods it with 150,000 random MAC address frames per second using macof, exhausting the forwarding table and forcing the device into hub mode. Traffic intended for specific hosts is now broadcast to all ports, enabling passive packet capture. Which attack technique did Kevin execute?

A. ARP Cache Poisoning B. CAM Table Overflow C. DHCP Starvation D. IP Spoofing

Question 2

Jane is conducting a penetration test on a /24 subnet and sends crafted ARP reply frames to both the victim host and default gateway without any prior ARP request, associating her MAC address with the gateway's IP. The victim now forwards all outbound traffic through Jane's machine before it reaches the router. Which sniffing technique is Jane using?

A. DNS Cache Poisoning B. MAC Flooding C. ARP Poisoning D. ICMP Redirect

Question 3

Clark assesses a target network by flooding it with thousands of DHCP DISCOVER messages using spoofed MAC addresses, exhausting the legitimate server's IP address pool so no clients can obtain leases. He then launches a rogue server that distributes addresses pointing to his machine as the default gateway. What is the first phase of Clark's attack called?

A. ARP Poisoning B. DHCP Starvation C. CAM Table Overflow D. IP Address Spoofing

Question 4

A penetration tester on a flat corporate network gains a man-in-the-middle position and injects forged responses that map a target domain to a malicious IP address before the legitimate resolver can reply. Subsequent lookups from affected clients resolve to the attacker-controlled server. Which technique is being used?

A. ARP Flooding B. BGP Hijacking C. DNS Cache Poisoning D. SSL Stripping

Question 5

Select all that apply

A security analyst building a network sniffing lab needs tools capable of capturing live packet data on both wired and wireless interfaces for traffic analysis demonstrations. The lab must support deep packet inspection and protocol dissection without requiring custom code. Which two tools are purpose-built for network packet capture? (Choose two)

A. Wireshark B. John the Ripper C. tcpdump D. Metasploit E. Nessus

Question 6

Elijah discovers that all hosts on the target assessment network connect through managed switches, making passive hub-style capture impossible from his assigned port. He poisons the Layer 2 address resolution cache on both the victim workstation and the default gateway to redirect traffic through his machine. Which approach enables Elijah to sniff switched network traffic?

A. MAC Flooding B. ARP Poisoning C. Port Mirroring D. VLAN Hopping

Question 7

A network administrator wants to prevent attackers from injecting forged Layer 2 address resolution replies that could redirect host traffic on the corporate switch fabric. She enables a switch feature that cross-references incoming ARP packets against the DHCP snooping binding table and silently drops entries with invalid IP-to-MAC pairings. Which countermeasure has she implemented?

A. Port Security B. 802.1X NAC C. Dynamic ARP Inspection D. BPDU Guard

Question 8

Select all that apply

During a CEH training session, an instructor explains that sniffing techniques split into two categories based on whether the attacker must inject packets onto the wire to intercept traffic. The class is asked to identify which specific techniques require active packet injection to succeed. Which two techniques are classified as active sniffing? (Choose two)

A. ARP Poisoning B. Promiscuous Mode Capture C. MAC Flooding D. Wiretapping E. Port Spanning

Question 9

A security team suspects a host is intercepting internal traffic by manipulating how devices on the LAN resolve IP addresses to hardware addresses. They deploy a monitoring utility that watches for unsolicited Layer 2 address replies and raises an alert when the same IP appears bound to multiple MAC addresses within a short observation window. Which sniffing detection technique is the team using?

A. IDS Signature Matching B. ARP Spoofing Detection C. VLAN Audit D. NetFlow Analysis

Question 10

A penetration tester operating inside a cloud-based enterprise segment deploys a rogue DHCP server after depleting the legitimate server's lease pool, then issues new configurations to clients with her machine listed as both the default gateway and DNS resolver. All client traffic now transits her host transparently before reaching the internet. Which attack does this scenario describe?

A. DHCP Starvation B. ARP Flooding C. DHCP Spoofing D. IP Hijacking

Related Posts

Leave a Comment Cancel Reply