CEH v13 Domain 4.5 Practice Test 004

This practice test covers Domain 4 (Network and Perimeter Hacking) Subdomain 5 (Evading IDS, Firewalls, and Honeypots) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 4.5 Practice Test 004

10 questions • 8 single-answer, 2 multi-select

Question 1

An enterprise penetration tester splits his attack payload across many tiny TCP segments so no single packet contains a recognizable signature. The sensor passes each fragment, and the target reassembles them into the malicious request. Which evasion technique is being used?

A. Credential stuffing B. DNS poisoning C. Banner grabbing D. Session splicing

Question 2

An analyst studies a security appliance that learns normal traffic patterns and flags deviations from that baseline as suspicious. It can catch novel attacks but generates more false positives than rule-based matching. Which detection method does this describe?

A. Anomaly-based detection B. Stateless packet filtering C. Signature-based detection D. NAT translation

Question 3

Kevin crafts probe packets with the TTL set so they expire one hop past the firewall, mapping which ports are filtered versus open behind it. He infers the rule set from the ICMP errors returned. Which technique is Kevin performing?

A. Smurf attack B. Firewalking C. ARP poisoning D. Rainbow table cracking

Question 4

A red teamer wraps command-and-control traffic inside outbound DNS queries to slip data past an egress firewall that permits only port 53. The exfiltration hides in seemingly normal name lookups. Which evasion technique does this represent?

A. Session hijacking B. MAC flooding C. OS fingerprinting D. DNS tunneling

Question 5

A penetration tester wants to disguise port scans by sending probes from numerous forged source addresses alongside the real one, so defenders cannot tell which scan is genuine. The sensor logs many origins at once. Which Nmap technique achieves this concealment?

A. TCP full connect scan B. Aggressive timing template C. Decoy scanning D. Service version detection

Question 6

A defender deploys a decoy system with fake services and data to lure attackers, study their methods, and divert them from production. The system has no legitimate business use, so any interaction is suspicious. Which technology is this?

A. Honeypot B. Reverse proxy C. VPN concentrator D. Load balancer

Question 7

Jane wants to identify whether a target is a deceptive decoy before engaging, so she checks for unusually consistent latency, suspiciously open services, and tells in tool fingerprints. She probes for artifacts that real systems would not exhibit. What is Jane attempting to do?

A. Conducting password spraying B. Running a buffer overflow C. Detecting honeypots D. Performing privilege escalation

Question 8

Select all that apply

A tester evaluates ways to slip malicious payloads past a signature-based sensor without changing what the target ultimately executes. He wants methods that alter the payload's appearance on the wire. Which two evasion techniques fit this goal? (Choose two)

A. Enabling verbose logging B. Disabling the attacker NIC C. Patching the target host D. Unicode/obfuscated encoding E. Polymorphic shellcode

Question 9

Select all that apply

Clark sends overlapping IP fragments with conflicting offsets, betting the sensor and the target reassemble them differently. The sensor sees benign data while the host assembles an exploit. Which evasion strategy exploits this reassembly mismatch? (Choose two)

A. Cross-site request forgery B. Insertion/evasion attack C. Golden ticket attack D. IP fragmentation overlap E. DHCP starvation

Question 10

A cloud security team finds attackers reaching an internal service by relaying traffic through a permitted proxy that the firewall trusts, bypassing direct block rules. The proxy forwards requests the firewall would otherwise deny. Which evasion approach does this illustrate?

A. Teardrop attack B. Vishing C. Pass-the-hash attack D. Proxy/HTTP tunneling bypass

Related Posts

Leave a Comment Cancel Reply