CEH v13 Domain 4.1 Practice Test 001

Welcome to this CEH v13 practice test!

This practice test covers Domain 4 (Network and Perimeter Hacking) Subdomain 1 (Sniffing) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link.

CEH v13 Domain 4.1 Practice Test 001

10 questions • 8 single-answer, 2 multi-select

CEH v13 (312-50v13) • Domain 4: Network and Perimeter Hacking — Sub-Domain 4.1: Sniffing

Question 1

A penetration tester connects to a switch-based network and wants to capture traffic destined for other hosts on the same subnet. The tester runs a tool that sends a flood of Ethernet frames with randomly generated, spoofed source MAC addresses to the switch. After a short period, the switch begins forwarding all frames out every port instead of only the intended destination port. What technique is the tester using, and what condition on the switch is being exploited?

A. ARP poisoning, exploiting the switch's gratuitous ARP acceptance behavior B. MAC flooding, exploiting the switch's CAM table overflow behavior C. DHCP starvation, exploiting the switch's address assignment exhaustion D. DNS poisoning, exploiting the switch's cache replacement behavior

Question 2

During a network security audit, an analyst reviews switch logs and notices that the CAM table is being repopulated extremely rapidly, entries are expiring and being replaced within seconds, and CPU utilization on the switch has spiked. No new legitimate devices have been added to the network. Which of the following countermeasures would MOST directly mitigate the attack that is likely occurring?

A. Enabling Dynamic ARP Inspection (DAI) on all VLANs B. Enabling port security with a maximum MAC address limit per port C. Deploying a DHCP snooping binding table D. Configuring static ARP entries on all hosts

Question 3

Kevin, a professional hacker, has gained access to a network segment and wants to intercept traffic between a victim workstation (192.168.1.50) and the default gateway (192.168.1.1). Kevin sends unsolicited ARP reply packets to the victim stating that the gateway's IP address (192.168.1.1) maps to Kevin's MAC address. He simultaneously sends ARP replies to the gateway claiming that the victim's IP (192.168.1.50) maps to Kevin's MAC address. What attack is Kevin performing, and what is the intended outcome?

A. MAC flooding; Kevin intends to force the switch into failopen mode to passively capture all broadcast traffic B. ARP poisoning; Kevin intends to position himself as a man-in-the-middle to intercept and relay traffic between the victim and the gateway C. DHCP spoofing; Kevin intends to assign himself as the default gateway by responding to DHCP discover packets before the legitimate server D. DNS poisoning; Kevin intends to redirect the victim's DNS queries to a rogue resolver under his control

Question 4

A penetration tester uses Ettercap in a switched network environment to intercept credentials transmitted over the network. After the attack succeeds, the tester reviews the Ettercap logs and observes plaintext usernames and passwords from an internal web application. Which sniffing technique did Ettercap most likely use to redirect traffic through the tester's machine on this switched network?

A. MAC flooding using randomly generated source addresses B. DHCP starvation followed by rogue DHCP server deployment C. ARP poisoning using gratuitous ARP replies targeting the victim and gateway D. Port mirroring configured via SNMP on the managed switch

Question 5

During an engagement, a pen tester observes the following Wireshark capture snippet: Frame 1: 192.168.1.100 → 255.255.255.255 DHCP Discover | Frame 2: 192.168.1.5 → 192.168.1.100 DHCP Offer (Gateway: 192.168.1.5, DNS: 192.168.1.5) | Frame 3: 192.168.1.200 → 192.168.1.100 DHCP Offer (Gateway: 192.168.1.1, DNS: 8.8.8.8) | Frame 4: 192.168.1.100 → 255.255.255.255 DHCP Request (selecting 192.168.1.5). The victim host accepted the offer from 192.168.1.5. The legitimate DHCP server is at 192.168.1.200. What attack is most likely occurring, and what is the attacker's goal?

A. ARP poisoning; the attacker wants to overwrite the victim's ARP cache to redirect layer-2 traffic B. DHCP starvation; the attacker is exhausting the legitimate DHCP server's address pool to cause a denial of service C. Rogue DHCP server attack; the attacker aims to become the victim's default gateway and DNS server to intercept and manipulate traffic D. MAC spoofing; the attacker is impersonating the legitimate DHCP server's MAC address to win the DHCP race condition

Question 6

Select all that apply

Clark, a professional hacker targeting a financial services firm, wants to perform DNS poisoning on the local network segment to redirect victim hosts to a fraudulent banking website. Clark has already achieved a man-in-the-middle position on the subnet using ARP poisoning. Which TWO techniques could Clark use to carry out DNS poisoning from his MitM position? (Choose two)

A. Intercept DNS query packets in transit and forge DNS response packets with the attacker-controlled IP before the legitimate DNS server responds B. Flood the local DNS server with recursive queries to exhaust its processing resources and cause it to cache invalid records C. Inject crafted DNS response packets into the victim's traffic stream, exploiting the lack of source port randomization or transaction ID validation D. Use MAC flooding to force the DNS server into broadcast mode so DNS responses are visible to all hosts E. Modify the victim's hosts file directly by exploiting a remote code execution vulnerability on the victim workstation

Question 7

An ethical hacker is tasked with testing network resilience against sniffing attacks on a flat Layer 2 corporate network. The tester wants to capture traffic using a passive approach — without sending any packets onto the network — by receiving a copy of all traffic passing through the switch. Which of the following methods would achieve this goal?

A. Configuring a SPAN (Switch Port Analyzer) port on the managed switch and connecting the capture host to that port B. Performing ARP poisoning between the target hosts and the default gateway using arpspoof C. Conducting MAC flooding using macof to force the switch into failopen mode D. Deploying a rogue DHCP server to redirect victim traffic through the capture host

Question 8

Jane is conducting a black-box penetration test and has captured network traffic using Wireshark on a compromised internal host. She filters the capture for SNMP traffic and observes numerous SNMPv1 GetRequest and GetResponse packets between a network management station and several routers. Jane extracts a critical piece of information from these packets that grants her read access to the SNMP-managed devices. What did Jane most likely extract from the captured SNMP traffic, and why is SNMPv1 vulnerable to this?

A. An MD5 authentication hash, because SNMPv1 uses weak hashing that is trivially reversible B. The SNMP community string, because SNMPv1 transmits community strings in plaintext with no encryption C. A session token, because SNMPv1 uses cookie-based authentication that can be replayed D. The SNMP engine ID, because SNMPv1 engine IDs are used directly as authentication credentials

Question 9

A security team detects unusual ARP traffic on their enterprise network. Upon investigation, they find that multiple hosts have identical MAC address entries for the default gateway in their ARP caches, and that MAC address belongs to a rogue machine. The team wants to implement a control that validates ARP packets against a trusted source before allowing them to update host ARP caches at the switch level. Which control should the security team implement?

A. 802.1X port-based Network Access Control to authenticate devices before they can send ARP traffic B. Dynamic ARP Inspection (DAI) using the DHCP snooping binding table as the trusted reference C. Private VLANs (PVLANs) to prevent hosts in the same VLAN from communicating directly at Layer 2 D. Static routing tables on all hosts to prevent gateway IP address reassignment via ARP

Question 10

Select all that apply

During a penetration test, a tester wants to detect whether the network contains any hosts operating in promiscuous mode — a condition that may indicate an active sniffing attack. Which TWO methods can be used to identify hosts running network interfaces in promiscuous mode? (Choose two)

A. Send ARP requests with a broadcast MAC destination and observe which hosts respond; hosts in promiscuous mode will respond to all ARP requests regardless of the target MAC B. Use Nmap with the `--script=sniffer-detect` NSE script to probe hosts on the subnet for promiscuous mode indicators C. Send ICMP echo requests with a deliberately incorrect destination MAC address (unicast to a fake MAC); hosts in promiscuous mode will still process and respond to these packets D. Run a DNS forward lookup for all hosts on the subnet; DNS reverse lookups generated by a sniffing host will reveal its IP address in server logs E. Flood the network with MAC flooding frames and observe which hosts experience a sudden increase in received traffic volume

ByThe Test Master

Related Post

CEH v13 Domain 2.2 Practice Test 002

CEH v13 Domain 2.1 Practice Test 002

CEH v13 Domain 1.1 Practice Test 002

Leave a Reply Cancel reply

You missed

CEH v13 Domain 2.2 Practice Test 002

CEH v13 Domain 2.1 Practice Test 002

CEH v13 Domain 1.1 Practice Test 002

CEH v13 Domain 9.1 Practice Test 001