CEH v13 Domain 3.1 Practice Test 004

This practice test covers Domain 3 (System Hacking Phases and Attack Techniques) Subdomain 1 (Vulnerability Analysis) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 3.1 Practice Test 004

10 questions • 8 single-answer, 2 multi-select

Question 1

A security analyst is tasked with performing a comprehensive vulnerability scan of a Windows-based enterprise network and needs a tool that combines network scanning with vulnerability checking, produces CVSS-scored findings, and outputs detailed remediation guidance through a web-based management interface. The organization's compliance team requires the tool to support both credentialed and uncredentialed scan profiles across thousands of hosts. Which tool is best suited for this assessment?

A. Nessus B. Metasploit C. Wireshark D. Burp Suite

Question 2

During a quarterly security audit, the compliance team asks the assessment staff to differentiate between two fundamental vulnerability assessment methodologies before selecting the right approach for their production environment. One methodology involves directly probing target systems by sending crafted packets to enumerate open ports and running services, while the other relies on observing existing network traffic and analyzing logs without generating any additional load on target hosts. Which methodology directly interacts with target systems to enumerate their attack surface?

A. Passive vulnerability assessment B. Active vulnerability assessment C. Threat modeling D. Architectural risk analysis

Question 3

Elijah is performing a black-box vulnerability scan against a DMZ server and notices his tool automatically identifies CVEs, classifies findings by severity, and maps each finding to a CVSS v3.1 score with detailed plugin output describing remediation steps. The tool's agent-based mode was also deployed on internal hosts to detect missing patches and locally exploitable privilege escalation opportunities that would not be visible from an external unauthenticated scan. Which tool is Elijah most likely using?

A. OpenVAS B. Aircrack-ng C. Nmap D. John the Ripper

Question 4

Select all that apply

The security team at a healthcare organization is preparing for a HIPAA compliance audit and must select two types of vulnerability assessments appropriate for their environment of clinical web applications and internal network infrastructure. They need methodologies that will surface both network-layer misconfigurations and application-layer weaknesses across their full attack surface before the auditors arrive. Which two types of vulnerability assessments should they conduct? (Choose two)

A. Network-based vulnerability assessment B. Social engineering assessment C. Application-based vulnerability assessment D. Physical security review E. Log aggregation audit

Question 5

Jane is reviewing a vulnerability assessment report and encounters a finding with a CVSS base score of 9.8 that is remotely exploitable without authentication, has active exploitation documented in the wild, and has no vendor-supplied patch currently available despite being publicly disclosed 48 hours ago. The affected server hosts customer payment card data, making immediate action mandatory. How should this vulnerability be classified in terms of remediation urgency and type?

A. Low-risk informational finding B. Critical zero-day vulnerability C. False positive finding D. Medium-severity design flaw

Question 6

Clark is conducting a vulnerability assessment for a manufacturing company and is provided with valid domain administrator credentials prior to launching his scans against the internal Windows environment. The scanner uses these credentials to authenticate to each endpoint, enumerate installed software versions, check patch levels against vendor databases, and identify locally exploitable conditions that would be completely invisible to an unauthenticated remote probe. Which scanning approach is Clark performing?

A. Unauthenticated external scan B. Credentialed vulnerability scan C. Manual exploitation D. Fuzzing assessment

Question 7

A penetration testing firm is engaged to validate whether vulnerabilities identified in an initial scanner report are actually exploitable before submitting findings to the client. The team uses an open-source platform with a modular exploit architecture that allows them to launch real attacks against confirmed vulnerable targets, obtain shells on compromised systems, and document proof-of-exploitation with screenshots and session output. Which tool is the team using?

A. Wireshark B. Nessus C. Metasploit Framework D. Burp Suite

Question 8

During a vulnerability assessment training session, the instructor asks participants to classify a scanner finding where an Apache HTTP server version matches a known CVE pattern, but the actual exploit for that CVE requires a specific non-default module that is confirmed absent on the target system. The finding appears in the report with a High severity rating, yet the system is not actually exposed to the described risk under its current configuration. What type of assessment finding is this?

A. True positive B. False positive C. True negative D. Confirmed critical finding

Question 9

Select all that apply

The CISO of a financial services company asks the vulnerability management team to identify which two industry-standard systems to include in their reporting workflow so that all discovered vulnerabilities are uniquely referenced with consistent identifiers and scored with severity metrics recognized across all security tools and vendor advisories. The team must select both the system that assigns unique identifiers to individual vulnerabilities and the system that provides a standardized framework for scoring their severity and exploitability characteristics. Which two systems should they include? (Choose two)

A. CVE B. PGP C. CVSS D. TLS E. LDAP

Question 10

Kevin is reviewing a vulnerability assessment report from an external vendor covering 500 enterprise hosts and must establish a remediation priority order before the Monday leadership briefing. The report categorizes all findings into Critical, High, Medium, Low, and Informational severity tiers based on CVSS scores, and his manager instructs him to begin with the findings that present the greatest immediate threat to organizational assets and data. Which findings should Kevin address first?

A. Informational findings B. Medium severity findings C. Critical severity findings D. Low severity findings

Related Posts

Leave a Comment Cancel Reply