CEH v13 Domain 2.2 Practice Test 001

Question 1

A penetration tester needs to perform a stealthy port scan against a target host without completing the TCP three-way handshake. The tester wants to reduce the chance of the scan being logged by the target system's connection tracking. Which Nmap scan type should the tester use?

A. nmap -sT 192.168.1.1 B. nmap -sS 192.168.1.1 C. nmap -sV 192.168.1.1 D. nmap -sU 192.168.1.1

Question 2

During a network security audit, an analyst observes the following Nmap command being executed against a target subnet: `nmap -sn 10.10.0.0/24`. The analyst needs to understand what this command accomplishes and what its limitations are. What is the PRIMARY purpose of this scan, and what does it NOT do?

A. It performs a full port scan on all 254 hosts and does not detect UDP services B. It discovers live hosts on the subnet without performing port scanning C. It performs OS fingerprinting on all live hosts without banner grabbing D. It sends ICMP echo requests only and does not detect hosts that block ICMP

Question 3

Select all that apply

Clark, a professional hacker, is targeting a financial organization and wants to identify open ports and running services while also determining the operating system of each live host. He runs the following command: `nmap -A -T4 -p 1-1024 192.168.10.0/24`. Which of the following capabilities does the -A flag enable in this scan? (Choose two)

A. Stealth SYN scanning to avoid firewall detection B. OS detection using TCP/IP stack fingerprinting C. Script scanning using the Nmap Scripting Engine (NSE) D. Packet fragmentation to evade IDS signatures E. Service and version detection on open ports

Question 4

A security team is reviewing firewall rules and wants to determine which ports are filtered versus closed on a remote host. An ethical hacker on the team suggests using an Nmap scan that sends packets with no TCP flags set. Which scan type is being described, and what is the expected response from a closed port?

A. FIN scan; the closed port responds with a RST/ACK packet B. NULL scan; the closed port responds with a RST/ACK packet C. XMAS scan; the closed port responds with no reply D. NULL scan; the closed port responds with no reply

Question 5

Jane is conducting a black-box penetration test and needs to determine the operating system of a target host at IP address 172.16.5.10. She cannot rely on open ports returning banner information. Which Nmap technique should Jane use to passively fingerprint the OS based on TCP/IP stack behavior?

A. nmap -sV --version-intensity 9 172.16.5.10 B. nmap -O --osscan-guess 172.16.5.10 C. nmap -sC 172.16.5.10 D. nmap -sU -p 161 172.16.5.10

Question 6

During an engagement, a pen tester uses hping3 to craft and send custom packets to a target. The tester executes the following command: `hping3 -S -p 80 --scan 1-1000 192.168.5.5`. Which of the following best describes what this command accomplishes, and how does it differ from an equivalent Nmap SYN scan?

A. It sends UDP packets to ports 1–1000 and is slower than Nmap due to lack of parallelism B. It sends SYN packets to ports 1–1000 and offers more granular packet crafting control than Nmap C. It performs a full connect scan on ports 1–1000 and automatically evades IDS systems D. It performs OS fingerprinting on the target by analyzing ICMP responses to crafted SYN packets

Question 7

A penetration tester wants to scan a target network but needs to avoid triggering rate-based IDS alerts. The tester decides to slow the scan speed significantly. Which Nmap timing template should the tester use to send packets at a rate slow enough to blend with normal background traffic?

A. -T0 (Paranoid) B. -T1 (Sneaky) C. -T3 (Normal) D. -T5 (Insane)

Question 8

Elijah, a network security analyst, is reviewing packet captures and notices the following pattern: a single external IP address sent SYN packets to 500 different destination ports on a server within a 2-second window, received RST/ACK responses on most ports, and received SYN/ACK on three ports. No connections were completed. What type of scan has Elijah most likely detected, and which tool is most commonly associated with this technique?

A. A full TCP connect scan performed using Netcat B. A SYN (half-open) scan performed using Nmap C. An XMAS scan performed using hping3 D. A UDP scan performed using Nmap with the -sU flag

Question 9

An ethical hacker is performing banner grabbing against a web server to identify the software version running on port 80. The tester uses the following command: `telnet 10.0.0.5 80`. After connecting, the tester types `HEAD / HTTP/1.0` and presses Enter twice. The server responds with HTTP headers including the `Server:` field. What type of banner grabbing is this, and what is a key limitation of this technique?

A. Passive banner grabbing; it can only be performed on encrypted services B. Active banner grabbing; the server may return a falsified or suppressed Server: header C. Passive banner grabbing; it requires Wireshark to capture the response D. Active banner grabbing; it only works on UDP-based services running on port 80

Question 10

Select all that apply

A penetration tester needs to scan a target host that is behind a stateful firewall configured to block inbound SYN packets. The tester wants to use a scanning technique that exploits how stateful firewalls track TCP sessions to potentially identify open ports. Which scan type should the tester use? (Choose two)

A. TCP ACK scan (-sA) B. TCP SYN scan (-sS) C. TCP Window scan (-sW) D. TCP Connect scan (-sT) E. TCP NULL scan (-sN)

ByThe Test Master

Related Post

CEH v13 Domain 2.2 Practice Test 002

CEH v13 Domain 2.1 Practice Test 002

CEH v13 Domain 1.1 Practice Test 002

Leave a Reply Cancel reply

You missed

CEH v13 Domain 2.2 Practice Test 002

CEH v13 Domain 2.1 Practice Test 002

CEH v13 Domain 1.1 Practice Test 002

CEH v13 Domain 9.1 Practice Test 001