EC-Council Exams Sample Practice Tests

Sample Exam
CEH exam practice tests are available from PrepLogic at

1. What does "message repudiation" refer to in the realm of e-mail security?

a.      Message repudiation means an user can validate which mail server or servers a message was passed through

b.      Message repudiation means an user can claim damages for a mail message that damaged their reputation

c.      Message repudiation means a recipient can be sure that a message was sent from a particular person

d.      Message repudiation means a recipient can be sure that a message was sent from a certain  host

e.       Message repudiation means a sender can claim they did not actually send a particular message


2. How does traceroute map the route that a packet travels from point A to point B?

a.      It uses TCP Timestamp packet that will elicit a time exceeded in transit message

b.      It uses a protocol that will be rejected at the gateways on its way to its destination

c.      It manipulates the values of TTL parameter packet to elicit a time exceeded in transit message

d.      It manipulates flags within packets to force gateways into generating error messages


3. Snort has been used to capture packets on the network. On studying the packets, the SysAdmin finds it to be abnormal. If you were the SysAdmin, why would you find this abnormal?

(Note: The candidate is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from sniff dump)

05/20-17:0645.061034 -->
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq:0xA1D95  Ack:0x53  Win: 0x400

What is suspicious about this attack?

a.      This is not a spoofed packet as the IP stack has increasing numbers for the three flags

b.      This is BackOriffice activity as the scan comes from port 31337

c.      The attacker wants to avoid creating a sub-carrier connection that is not normally valid

d.      The packets were created by a tool and not from a standard TCP/IP stack


4. According to CEH methodology, what is the next step to be performed after "Footprinting"?

a.       Enumeration

b.      Scanning

c.      System Hacking

d.      Social Engineering 

e.      Denial of Service

5. While performing a ping weep of a subnet you receive an ICMP Type 3/Code 13 for all the pings sent out. What is the most likely cause behind this response?

a.       The firewall is dropping packets

b.      The Network IDS is dropping the packets

c.      A router is blocking ICMP

d.      The host does not respond to ICMP packets


6. Jessica would like to perform a reliable scan against a remote target. She is not concerned about being stealth at this point. Which of the following scans would be the most accurate and reliable?

a.      A half scan

b.      A UDP scan

c.      A TCP Connect scan

d.      A FIN scan


7. What is Form Scalpel used for?

a.      Dissecting HTML Forms

b.      Dissecting SQL Forms

c.      Analysis of Access Database Forms

d.      Troubleshooting Netscap Forms

e.      Dissecting ASP Forms


8. In an attempt to secure his Wireless network, Jason turns off broadcasting of the SSID. He concludes that since his AP requires the client computer to have the proper SSID, it would prevent others from connecting to the Wireless network. Unfortunately unauthorized users are still connecting to his Wireless network. Why do you think this is possible?

a.       Jason forgot to turn off the DHCP broadcasting

b.      All AP are shipped with a default SSID

c.      The SSID is still sent inside both client AP packets

d.      Jason's solution only works in ad-hoc mode


9. Which of the following is one of the key features found in a worm but not seen in a Virus?

a.      The payload is very small, usually below 800 bytes

b.      It is self-replicating without the need for user intervention

c.      It does not have the ability to propagate on its own

d.     They are difficult to detect by AV signatures


10. If you perform a port scan with a TCP ACK packet, what should an Open port return?

a.       RST

b.      No Reply

c.      SYN/ACK

d.      FIN


11. You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2 tool, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process called?

a.      Footprinting

b.      Firewalking

c.      Enumeration

d.      Idle Scanning


12. The Programmers on your team are analyzing the free open source software being used to run FTP services on a server. They notice that there is an excessive number of fgets() and gets() on the source code. These C/C++ functions do not check bounds. What kind of attack is this program susceptible to?

a.      Buffer Overflows

b.      Denial of Service

c.      Shatter Attack

d.     CrashTin Attack



1. Ans: E

2. Ans: c

3. Ans: b

4. Ans: b

5. Ans: c

6. Ans: c

7. Ans: a

8. Ans: c

9. Ans: b

10. Ans: a

11. Ans: b

12. Ans: a