CEH v13 Domain 4.4 Practice Test 004

This practice test covers Domain 4 (Network and Perimeter Hacking) Subdomain 4 (Session Hijacking) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 4.4 Practice Test 004

10 questions • 8 single-answer, 2 multi-select

Question 1

A SOC analyst reviewing a web app finds that a user's authentication token is a short predictable number that increments with each login. By guessing the next value, an attacker rides an active authenticated session without any credentials. Which weakness enabled this takeover?

A. Excessive password length B. Weak TLS cipher suite C. Missing input sanitization D. Predictable session identifiers

Question 2

Select all that apply

Clark injects malicious script into a forum post so that visitors' browsers send their active cookies to his server. He then loads those cookies into his own browser to impersonate the victims. Which technique enabled the theft? (Choose two)

A. Hardware keylogging B. Cross-site scripting C. DNS zone transfer D. Cookie/session token theft E. Port knocking

Question 3

An attacker on the same segment monitors a TCP conversation, predicts the next sequence number, and injects spoofed packets to seize the connection. The legitimate client is knocked out of sync and effectively replaced. Which category of hijacking is this?

A. Network-level session hijacking B. SQL injection C. Application-level session hijacking D. Phishing

Question 4

Kevin captures a valid session token over an unencrypted Wi-Fi connection and later resubmits the identical token to the server. The server accepts it as a returning authenticated user. Which attack technique describes resending the captured token verbatim?

A. Banner grabbing B. Watering hole attack C. Session replay attack D. Privilege escalation

Question 5

Jane forces a victim's browser to use a session identifier she already controls before the victim logs in, then accesses the account once authentication completes. The application reuses the pre-set identifier instead of issuing a fresh one. Which attack is this?

A. Credential stuffing B. Session sniffing C. ARP spoofing D. Session fixation

Question 6

A penetration tester wants a browser-integrated proxy to intercept HTTP requests, view live session cookies, and replay modified requests against a target web app. The tool should support manual tampering of tokens during an authenticated session. Which tool best fits?

A. John the Ripper B. Burp Suite C. Nmap D. Aircrack-ng

Question 7

An attacker positions himself between a client and server, relaying and silently altering messages while both parties believe they communicate directly. He reads and modifies the session traffic in transit. Which positioning attack underpins this hijack?

A. Smurf attack B. Man-in-the-middle attack C. Directory traversal D. Rainbow table attack

Question 8

Select all that apply

A development team wants to make stolen tokens far less useful and prevent client-side script from reading them. They review cookie attributes and lifecycle controls for their enterprise portal. Which two countermeasures best protect session integrity? (Choose two)

A. HttpOnly and Secure cookie flags B. Regenerate token after login C. Reuse one token for all users D. Disable TLS on the portal E. Store tokens in plaintext logs

Question 9

During a cloud assessment, an analyst finds that a stolen long-lived bearer token grants API access for weeks because tokens never expire. An attacker who captures one retains access indefinitely. Which control weakness is the root cause?

A. Excessive logging B. Multi-factor authentication C. Missing session timeout/expiry D. Overly strong encryption

Question 10

Elijah uses a tool that automatically captures and lets him swap active session cookies directly inside the browser to take over authenticated web sessions during a red team test. The tool is purpose-built for this hijacking workflow. Which utility is he most likely using?

A. Hetty / Cookie-editor type tool B. sqlmap C. Hydra D. Nessus

Related Posts

Leave a Comment Cancel Reply