CEH v13 Domain 2.3 Practice Test 003

This practice test covers Domain 2 (Reconnaissance Techniques) Subdomain 3 (Enumeration) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link.

CEH v13 Domain 2.3 Practice Test 003

10 questions • 8 single-answer, 2 multi-select

Question 1

Clark is conducting a black-box penetration test against an enterprise network and discovers that a network device responds to SNMP queries using the default community string 'public.' He uses a tool to walk the entire MIB tree and extract system description, running processes, network interfaces, and installed software from the target device. Which tool did Clark most likely use to perform this SNMP enumeration?

A. snmpwalk B. ldapsearch C. enum4linux D. nbtstat

Question 2

A security analyst is enumerating hosts on an internal Windows enterprise network and wants to identify machine names, domain information, logged-in usernames, and MAC addresses of remote systems using NetBIOS. She sends targeted NetBIOS Name Service requests to a specific remote host without requiring authentication and receives the NetBIOS name table, MAC address, and group membership in the response. Which native Windows command-line tool performs this targeted NetBIOS node status query?

A. nbtstat B. nslookup C. net view D. nltest

Question 3

Jane is performing an authorized internal penetration test against an enterprise Active Directory environment and binds to the LDAP service on port 389 using null credentials to confirm that anonymous access is permitted. She issues a series of search queries with a base distinguished name targeting the root domain to extract user accounts, group memberships, organizational unit structure, and administrator contact attributes stored in the directory. Which command-line tool is specifically used for querying LDAP services during enumeration in the CEH methodology?

A. ldapsearch B. enum4linux C. rpcclient D. snmpwalk

Question 4

The enterprise red team discovers an NTP server exposed on the network perimeter and confirms that the monlist functionality is enabled on the target. The attacker sends a crafted NTP control query exploiting the MON_GETLIST_1 command and receives a response listing all IP addresses, ports, and hostnames of clients that have recently synchronized with the server. Which NTP enumeration technique did the attacker leverage to extract client association data?

A. NTP Monlist Query B. NTP Mode 6 Query C. NTP Version Banner Grab D. NTP Amplification Probe

Question 5

Elijah is performing DNS enumeration against a target organization and begins by querying NS records to identify the authoritative name servers for the target domain. He then uses the dig utility with the AXFR query type directed at the primary authoritative name server and receives the full DNS zone file containing all A, MX, NS, CNAME, PTR, and SOA records due to a misconfigured zone transfer restriction. Which DNS enumeration technique did Elijah successfully exploit?

A. DNS Zone Transfer (AXFR) B. DNS Cache Snooping C. Reverse DNS Lookup D. DNS Brute Forcing

Question 6

A penetration tester is conducting a comprehensive Windows internal network assessment from a Kali Linux system and needs to enumerate open SMB shares, logged-on users, Windows group memberships, and password policies by connecting to the target host using null session authentication over port 445. The tester also requires the tool to automatically query the NetBIOS name service and the RPC endpoint mapper in the same session to gather maximum information in a single operation. Which tool is specifically designed for this combined SMB, NetBIOS, and RPC null-session enumeration from Linux?

A. enum4linux B. smbclient C. smbmap D. rpcclient

Question 7

Kevin is enumerating valid user accounts on a corporate mail server running SMTP on port 25 and sends the VRFY command followed by common usernames to verify whether each account exists in the mail system without authenticating. He also sends the EXPN command against known mailing list aliases to expand them into their full list of member mailbox addresses, recording 250 OK responses for valid accounts and 550 No Such User responses for invalid ones. Which SMTP enumeration technique is Kevin using?

A. SMTP VRFY/EXPN Enumeration B. SMTP Open Relay Testing C. SMTP Banner Grabbing D. SMTP RCPT TO Enumeration

Question 8

During an authorized red team engagement against a cloud-hosted Windows Server infrastructure, the attacker queries TCP port 135 on the target to retrieve all registered RPC services, their associated UUIDs, interface versions, protocol sequences, and binding endpoint addresses from the endpoint mapper service without providing any credentials. The resulting output reveals WMI, Task Scheduler, and DCOM interface registrations that inform subsequent exploitation targeting. Which tool is specifically used to enumerate Windows RPC endpoint mapper registrations?

A. rpcdump B. rpcclient C. rpcinfo D. showmount

Question 9

Select all that apply

Jane is preparing for an authorized internal penetration test and needs two specific tools: one capable of enumerating SMB shares, NetBIOS names, and Windows user accounts from a Linux attack host using null sessions, and another capable of querying SNMP-enabled network devices using default community strings to extract MIB data including system description, interface tables, and installed processes. Both tools must be executable from a Kali Linux command line without Windows dependencies. Which two tools should Jane use to fulfill both requirements? (Choose two)

A. enum4linux B. Wireshark C. snmpwalk D. Aircrack-ng E. Metasploit (msfconsole)

Question 10

Select all that apply

An enterprise security architect is hardening the internal network against enumeration attacks and is specifically concerned about two attack vectors: attackers querying SNMP agents using factory-default community strings to extract full MIB data, and attackers performing unauthenticated LDAP searches against Active Directory using anonymous bind. The security team must implement the most direct countermeasures that eliminate each vector at its source without removing legitimate SNMP monitoring or authenticated LDAP access for administrative tools. Which two configurations directly address these specific enumeration risks? (Choose two)

A. Disabling SNMP default community strings B. Blocking all inbound TCP port 443 C. Disabling LDAP anonymous bind D. Enabling ICMP redirects on all routers E. Enabling NetBIOS over TCP/IP on all hosts

Related Posts

Leave a Comment Cancel Reply