CEH v13 Domain 3.1 Practice Test 003

This practice test covers Domain 3 (System Hacking Phases and Attack Techniques) Subdomain 1 (Vulnerability Analysis) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

10 questions • 8 single-answer, 2 multi-select
Question 1
A penetration tester is performing an internal network vulnerability assessment for a healthcare enterprise and requires a commercial-grade scanner that supports credentialed scanning, compliance auditing, and generates detailed reports with CVSS scores mapped to each finding. The tool integrates with patch management platforms, maintains a plugin database exceeding 100,000 checks, and is widely referenced in the CEH methodology as the de facto industry standard for enterprise vulnerability assessments. Which vulnerability scanner is the penetration tester most likely using?

Question 2
Clark is conducting a vulnerability assessment against a Windows enterprise environment and configures his scanner to authenticate to target hosts using domain administrator credentials, enabling it to directly inspect installed patches, registry values, running services, and local user accounts from within each system. His scan of the same 50-host subnet that was previously assessed without credentials now reveals 138 vulnerabilities compared to only 11 found in the unauthenticated run. What is this type of scan called, where the scanner logs into the target host using valid credentials to perform deep host-level inspection?

Question 3
An enterprise security team receives a vulnerability report showing that CVE-2021-44228 (Log4Shell) affecting their public-facing application server carries a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H with a Base Score of 10.0. A junior analyst asks the team lead to explain the meaning of the 'AV:N' component in the vector string before the team begins prioritizing remediation. What does the 'AV:N' metric indicate in a CVSS v3.1 vector string?

Question 4
Select all that apply
Jane is tasked with selecting two open-source vulnerability scanning tools for her organization's security program — one designed to scan network hosts and services for known CVEs from a centralized management console, and one specifically designed to test web server installations for dangerous files, version disclosures, and outdated software. Her CISO mandates open-source solutions deployable on Linux without licensing fees. Which two tools should Jane select? (Choose two)

Question 5
Elijah is reviewing Nessus scan results from an internal assessment and notices the scanner flagged a critical missing patch on a production Windows server; however, upon manually logging into the host and running 'wmic qfe list', he confirms the patch was installed six weeks ago and was simply not detected by the scanner. His security manager is concerned because these occurrences consume analyst time and distort the organization's actual vulnerability exposure metrics. What term describes a scan result where the scanner reports a vulnerability that does not actually exist on the target system?

Question 6
A cloud security team is performing a vulnerability assessment across 300 AWS EC2 instances and deploys a lightweight software component on each instance that continuously monitors installed packages, running processes, system configurations, and file integrity to identify vulnerabilities without requiring external network-level probing of each host. This architecture enables the scanner to detect host-level weaknesses invisible to external network scans, such as locally installed vulnerable libraries and misconfigured system parameters. What type of vulnerability scanning architecture is being used?

Question 7
Kevin is analyzing a vulnerability assessment report for a financial services client and finds that a publicly exposed RDP service on a perimeter server has been assigned CVE-2019-0708 (BlueKeep), a pre-authentication remote code execution vulnerability for which multiple weaponized exploits are publicly available in Metasploit. The report assigns this vulnerability a CVSS v3.1 Base Score of 9.8. Which CVSS v3.1 qualitative severity rating correctly applies to a Base Score of 9.8?

Question 8
Select all that apply
A security analyst is explaining two fundamental vulnerability assessment methodologies to a junior team member: the first involves automated tools and scanners actively sending probes, packets, and queries to target systems to elicit responses and uncover vulnerabilities, while the second involves monitoring and analyzing existing network traffic, system logs, and data flows without directly interacting with or probing target systems. Both methodologies are covered in the CEH vulnerability assessment framework and serve distinct use cases in an enterprise security program. Which two vulnerability assessment types are being described? (Choose two)

Question 9
A network security analyst receives a Nessus vulnerability report for a web application server and notices three different scores assigned to the same CVE: a Base Score of 9.1, a Temporal Score of 8.3, and an Environmental Score of 7.9. The analyst asks the report author to explain which CVSS component reflects real-world, time-dependent factors such as the current availability of public exploit code, the existence of an official patch or workaround, and confidence in the vulnerability report's accuracy. Which CVSS metric group captures these real-world, time-dependent exploit factors?

Question 10
An enterprise security team completes a comprehensive vulnerability assessment for a retail organization and generates a formal report containing an executive summary, scope and methodology, detailed technical findings with CVSS scores, affected asset listings, and a prioritized remediation roadmap. The CISO, who has no technical background, asks which single section of the report provides a high-level overview of the organization's overall risk posture, key risk themes, and number of critical findings without requiring deep technical knowledge to understand. Which section of a vulnerability assessment report is specifically designed for consumption by non-technical senior leadership?
