CEH EXAMINATION – PRACTICE QUESTIONS AND CORRECT
ANSWERS (VERIFIED ANSWERS) PLUS RATIONALES 2026 Q&A
| INSTANT DOWNLOAD PDF.
*Core Domains*
*Information Security*
*Vulnerability Analysis*
*System Hacking*
*Network and Perimeter Hacking*
*Web Application Hacking*
*Wireless Network Hacking*
*Mobile Platform Security*
*Cloud Computing*
*Cryptography*
*Introduction*
*The purpose of this assessment is to evaluate a candidate's p
methodologies and tools used by ethical hackers to identify an
vulnerabilities. This exam assesses a broad range of skills, i
reconnaissance, scanning, system exploitation, and the impleme
countermeasures. The structure consists of multiple-choice and
scenario-based questions designed to mirror the challenges fac
environments. Emphasis is placed on real-world application, et
and the ability to think critically when defending organizatio
unauthorized access and malicious cyber threats.*
1. Which phase of the hacking process involves gathering as
much information as possible about a target before attempting
an attack?
,A. Scanning
B. Gaining Access
C. Reconnaissance
D. Maintaining Access
🟢 C. Reconnaissance
🔴 RATIONALE: Reconnaissance is the preparatory phase where an
attacker seeks to gather information about a target’s network,
systems, and organizational structure.
2. A security analyst uses the command "nmap -sS -O
192.168.1.1". What type of scan is being performed?
A. TCP Connect Scan
B. SYN Stealth Scan
C. UDP Scan
D. Comprehensive Scan
🟢 B. SYN Stealth Scan
🔴 RATIONALE: The -sS flag in Nmap initiates a SYN scan, often
called a stealth scan because it does not complete the three-way
handshake, making it harder to log.
3. Which of the following is an example of passive footprinting?
A. Performing a traceroute to the target's web server
B. Using Shodan to find exposed devices
,C. Running a vulnerability scan with Nessus
D. Searching the company's website on the Wayback Machine
🟢 D. Searching the company's website on the Wayback Machine
🔴 RATIONALE: Passive footprinting involves gathering information
without directly interacting with the target's systems. Reviewing
cached web pages is non-intrusive.
4. An attacker uses a fraudulent email to trick an executive into
clicking a link that installs a keylogger. What is this specific
type of social engineering called?
A. Vishing
B. Spear Phishing
C. Tailgating
D. Whaling
🟢 D. Whaling
🔴 RATIONALE: Whaling is a specific form of spear phishing that
targets high-profile individuals, such as C-level executives or senior
management.
5. What is the default port used by the HTTPS protocol?
A. 80
B. 443
C. 8080
D. 22
, 🟢 B. 443
🔴 RATIONALE: Port 443 is the standard port for Secure Hypertext
Transfer Protocol (HTTPS), which provides encrypted communication
via SSL/TLS.
6. Which tool is most commonly used for banner grabbing to
identify a remote service's version?
A. Netcat
B. Wireshark
C. Snort
D. Metasploit
🟢 A. Netcat
🔴 RATIONALE: Netcat is a versatile networking tool that can be
used to connect to open ports and read the "banners" sent by
services, revealing software versions.
7. During a penetration test, you find that a server responds to
an ICMP Echo Request. What does this confirm?
A. The server is running a web service
B. The server is protected by a firewall
C. The host is live and reachable
D. The host has an open Telnet port
🟢 C. The host is live and reachable
🔴 RATIONALE: ICMP Echo Requests (pings) are used to verify that
ANSWERS (VERIFIED ANSWERS) PLUS RATIONALES 2026 Q&A
| INSTANT DOWNLOAD PDF.
*Core Domains*
*Information Security*
*Vulnerability Analysis*
*System Hacking*
*Network and Perimeter Hacking*
*Web Application Hacking*
*Wireless Network Hacking*
*Mobile Platform Security*
*Cloud Computing*
*Cryptography*
*Introduction*
*The purpose of this assessment is to evaluate a candidate's p
methodologies and tools used by ethical hackers to identify an
vulnerabilities. This exam assesses a broad range of skills, i
reconnaissance, scanning, system exploitation, and the impleme
countermeasures. The structure consists of multiple-choice and
scenario-based questions designed to mirror the challenges fac
environments. Emphasis is placed on real-world application, et
and the ability to think critically when defending organizatio
unauthorized access and malicious cyber threats.*
1. Which phase of the hacking process involves gathering as
much information as possible about a target before attempting
an attack?
,A. Scanning
B. Gaining Access
C. Reconnaissance
D. Maintaining Access
🟢 C. Reconnaissance
🔴 RATIONALE: Reconnaissance is the preparatory phase where an
attacker seeks to gather information about a target’s network,
systems, and organizational structure.
2. A security analyst uses the command "nmap -sS -O
192.168.1.1". What type of scan is being performed?
A. TCP Connect Scan
B. SYN Stealth Scan
C. UDP Scan
D. Comprehensive Scan
🟢 B. SYN Stealth Scan
🔴 RATIONALE: The -sS flag in Nmap initiates a SYN scan, often
called a stealth scan because it does not complete the three-way
handshake, making it harder to log.
3. Which of the following is an example of passive footprinting?
A. Performing a traceroute to the target's web server
B. Using Shodan to find exposed devices
,C. Running a vulnerability scan with Nessus
D. Searching the company's website on the Wayback Machine
🟢 D. Searching the company's website on the Wayback Machine
🔴 RATIONALE: Passive footprinting involves gathering information
without directly interacting with the target's systems. Reviewing
cached web pages is non-intrusive.
4. An attacker uses a fraudulent email to trick an executive into
clicking a link that installs a keylogger. What is this specific
type of social engineering called?
A. Vishing
B. Spear Phishing
C. Tailgating
D. Whaling
🟢 D. Whaling
🔴 RATIONALE: Whaling is a specific form of spear phishing that
targets high-profile individuals, such as C-level executives or senior
management.
5. What is the default port used by the HTTPS protocol?
A. 80
B. 443
C. 8080
D. 22
, 🟢 B. 443
🔴 RATIONALE: Port 443 is the standard port for Secure Hypertext
Transfer Protocol (HTTPS), which provides encrypted communication
via SSL/TLS.
6. Which tool is most commonly used for banner grabbing to
identify a remote service's version?
A. Netcat
B. Wireshark
C. Snort
D. Metasploit
🟢 A. Netcat
🔴 RATIONALE: Netcat is a versatile networking tool that can be
used to connect to open ports and read the "banners" sent by
services, revealing software versions.
7. During a penetration test, you find that a server responds to
an ICMP Echo Request. What does this confirm?
A. The server is running a web service
B. The server is protected by a firewall
C. The host is live and reachable
D. The host has an open Telnet port
🟢 C. The host is live and reachable
🔴 RATIONALE: ICMP Echo Requests (pings) are used to verify that
