CEH v13 Domain 4.1 Practice Test 003

This practice test covers Domain 4 (Network and Perimeter Hacking) Subdomain 1 (Sniffing) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 4.1 Practice Test 003

10 questions • 8 single-answer, 2 multi-select

Question 1

A penetration tester on a segmented enterprise network captures traffic by sending gratuitous ARP replies that associate the tester's MAC address with a legitimate host's IP address. The switch's ARP cache becomes poisoned, causing all traffic destined for the legitimate host to be forwarded instead to the tester's machine. Which attack technique is the penetration tester demonstrating?

A. ARP Poisoning B. MAC Flooding C. DHCP Starvation D. DNS Spoofing

Question 2

Clark is attacking a corporate network by flooding the DHCP server with thousands of DHCP DISCOVER requests, each containing a different spoofed source MAC address. The DHCP address pool is exhausted within minutes, and legitimate workstations can no longer obtain IP configuration. What type of sniffing-enabling attack is Clark executing?

A. MAC Flooding B. DHCP Starvation C. ARP Cache Poisoning D. Rogue DHCP Server

Question 3

Jane connects to a target switched network and begins transmitting Ethernet frames with thousands of randomized, spoofed source MAC addresses at high speed. The switch's CAM table fills to capacity and transitions into fail-open mode, broadcasting all received frames out of every port. What technique is Jane using to enable passive traffic interception on a switched network?

A. ARP Poisoning B. MAC Flooding C. IP Spoofing D. DNS Cache Poisoning

Question 4

A security analyst notices that multiple workstations on a corporate LAN are resolving legitimate domain names to incorrect IP addresses pointing to attacker-controlled servers. Network traffic analysis reveals forged DNS response packets with valid transaction IDs arriving before authentic responses from upstream resolvers. Which sniffing-facilitated attack technique does this scenario describe?

A. ARP Cache Poisoning B. MAC Flooding C. DNS Cache Poisoning D. DHCP Starvation

Question 5

Kevin intercepts local network traffic by crafting packets with a forged source IP address that matches a trusted internal server, establishing himself in the communication path between a client and that server. He uses this position to capture authentication tokens exchanged during the session. Which sniffing-related technique is Kevin exploiting?

A. DHCP Starvation B. IP Spoofing C. DNS Zone Transfer D. SYN Flooding

Question 6

Select all that apply

An enterprise security team discovers unauthorized traffic capture on their LAN and wants to implement controls that prevent both MAC flooding and ARP poisoning-based man-in-the-middle attacks simultaneously. The environment is a Cisco switched network with 802.1X already deployed. Which two countermeasures should the team prioritize to mitigate these specific sniffing vectors? (Choose two)

A. Dynamic ARP Inspection (DAI) B. Enabling Promiscuous Mode C. Port Security D. Disabling HTTPS on internal servers E. Replacing switches with hubs

Question 7

During a red team engagement, a security engineer deploys an unauthorized DHCP server on a target network segment immediately after exhausting the legitimate DHCP server's address pool through DHCP Starvation. Newly connected clients receive false default gateway and DNS server settings from the rogue server, routing all their outbound traffic through the attacker's machine. Which combined attack scenario is the red team executing?

A. MAC Flooding followed by DNS Poisoning B. DHCP Starvation followed by Rogue DHCP Server C. ARP Poisoning followed by Session Hijacking D. IP Spoofing followed by SSL Stripping

Question 8

A network security student is studying the fundamental difference between passive and active sniffing in terms of packet injection and network topology requirements. In a hub-based network, all connected devices receive every frame transmitted on the segment, requiring no additional manipulation to capture traffic. Which type of sniffing applies to this hub-based environment?

A. Active Sniffing B. Passive Sniffing C. MAC Flooding D. ARP Poisoning

Question 9

Select all that apply

A network forensics team investigating an incident suspects that one or more hosts on the corporate LAN are operating in promiscuous mode and actively sniffing traffic. The team also wants to detect whether any ARP poisoning is currently active on the segment. Which two detection techniques should the team apply to identify these sniffing activities? (Choose two)

A. Sending non-broadcast ICMP pings and monitoring for unexpected replies B. Enabling MAC flooding on core distribution switches C. Monitoring ARP traffic for duplicate IP-to-MAC mappings D. Increasing DHCP lease expiration timers E. Deploying a second rogue DHCP server

Question 10

Clark, a security analyst conducting a wireless assessment, uses Wireshark on an 802.11 network interface set to monitor mode to capture all 802.11 frames including management, control, and data frames from nearby access points without associating to any of them. The captured data reveals WPA2-PSK handshakes from multiple SSIDs in range. Which type of sniffing technique is Clark performing?

A. Active Sniffing B. ARP Poisoning C. Passive Sniffing D. MAC Flooding

Related Posts

Leave a Comment Cancel Reply