CEH v12 Study Guide 2026-2027 | 130+ Actual Exam
Practice Questions & Detailed Rationales | Certified Ethical
Hacker (312-50) Comprehensive Prep | Recon, Scanning,
Web Apps, IoT & Cloud Security
1. An ethical hacker is using Nmap to conduct a stealth scan. Which flag should be
used to perform a TCP SYN scan?
A) -sT
B) -sU
C) -sS
D) -sA
Answer: C) -sS
Explanation: The -sS flag performs a TCP SYN scan, also known as a half-open scan,
because it does not complete the three-way handshake, making it harder for simple logs to
detect.
2. Which phase of the Cyber Kill Chain involves the delivery of a malicious payload to
the target system via email or a USB drive?
A) Reconnaissance
B) Weaponization
C) Delivery
D) Exploitation
Answer: C) Delivery
Explanation: Delivery is the phase where the attacker transmits the malicious code to the
victim’s environment.
3. During a penetration test, you find an open port 53. What type of service is
typically associated with this port and what vulnerability might you test for?
A) HTTP / SQL Injection
B) DNS / Zone Transfer
C) SMTP / Open Relay
D) FTP / Anonymous Access
Answer: B) DNS / Zone Transfer
Explanation: Port 53 is used for DNS. A misconfigured DNS server may allow an AXFR
(Zone Transfer), revealing all internal host records to an attacker.
4. An attacker uses a tool to capture packets on a switched network by flooding the
switch's CAM table with fake MAC addresses. This is known as:
A) ARP Spoofing
B) MAC Flooding
C) DHCP Starvation
D) DNS Poisoning
Answer: B) MAC Flooding
Explanation: MAC Flooding fills the Content Addressable Memory (CAM) table, forcing the
switch into "fail-open" mode where it acts like a hub and broadcasts all traffic.
5. Which Nmap scanning technique is used to bypass firewalls by sending packets
with no flags set?
A) Xmas Scan
B) FIN Scan
C) NULL Scan
D) ACK Scan
Answer: C) NULL Scan
Explanation: A NULL scan (-sN) sends a packet with no flags (0). According to RFC 793, if
a port is closed, the system should return a RST; if open, it ignores the packet.
6. Which of the following best describes "Social Engineering" in the context of ethical
hacking?
A) Exploiting a buffer overflow in a web server
B) Manipulating individuals into divulging confidential information
C) Brute-forcing a password using a dictionary file
D) Using a sniffer to capture cleartext credentials
Answer: B) Manipulating individuals into divulging confidential information
Explanation: Social engineering targets the "human element" rather than technical
vulnerabilities.
7. A security professional is tasked with identifying the physical location of a
wireless access point by driving around a neighborhood. This is called:
A) Bluesnarfing
B) Wardriving
C) Warwalking
D) Sidejacking
Answer: B) Wardriving
Explanation: Wardriving involves using a vehicle, a laptop, and a high-gain antenna to map
out wireless networks in a specific area.
8. Which type of cryptography uses a public key to encrypt data and a private key to
decrypt it?
A) Symmetric Encryption
B) Asymmetric Encryption
C) Hashing
D) Steganography
Answer: B) Asymmetric Encryption
Explanation: Asymmetric (Public Key) encryption uses a key pair; anything encrypted with
the public key can only be decrypted by the corresponding private key.
9. In a SQL Injection attack, which of the following strings is commonly used to test if
a database field is vulnerable?
A) alert('XSS')
B) ' OR 1=1 --
C) ../../etc/passwd
D) %20
Answer: B) ' OR 1=1 --
Explanation: This string uses a tautology (1=1 is always true) and a comment symbol (--)
to bypass authentication or extract data.
10. You receive an ICMP Echo Reply from a target host after sending an Echo
Request. Which Nmap flag was likely used to perform this simple "ping sweep"?
A) -sn
B) -sO
C) -p80
D) -Pn
Answer: A) -sn
Explanation: The -sn flag (formerly -sP) tells Nmap to perform a ping sweep only, without
scanning ports.
11. An attacker gains access to a web server and modifies the local 'hosts' file on a
victim's machine to redirect them to a fake banking site. This is:
A) Phishing
B) Pharming
C) Vishing
D) Whaling
Answer: B) Pharming
Explanation: Pharming redirects victims to malicious websites by poisoning DNS or
modifying local host files, often without any direct interaction from the user.
12. Which tool is commonly used for network sniffing and can perform "active"
sniffing by conducting ARP poisoning?
A) Wireshark
B) Cain & Abel
C) Nmap
D) Nessus
Answer: B) Cain & Abel
Explanation: While Wireshark is a passive sniffer, Cain & Abel is a multipurpose tool
capable of active attacks like ARP poisoning.
13. A hacker is trying to crack a WPA2 wireless password. Which of the following is
required to begin an offline dictionary attack?
A) The SSID of the network
B) The 4-way handshake
C) The IP address of the router
D) A WPS PIN
Answer: B) The 4-way handshake
Explanation: To crack WPA2-PSK, an attacker must capture the 4-way handshake (often
by de-authenticating a user) and then use a dictionary to find a matching hash.
14. Which document defines the boundaries, goals, and legal permissions for a
penetration test?
A) NDA
B) SLA
C) Rules of Engagement (ROE)
D) Liability Insurance
Answer: C) Rules of Engagement (ROE)
Explanation: The ROE specifies exactly what can be tested, when it can be tested, and
what techniques are prohibited.
15. An attacker uses a proxy server to hide their IP address while performing a
vulnerability scan. What is the primary purpose of this?
A) To speed up the scan
B) To bypass an Intrusion Detection System (IDS)
C) To maintain anonymity and bypass IP-based blocks
D) To encrypt the scanning traffic
Answer: C) To maintain anonymity and bypass IP-based blocks
Explanation: Proxies act as intermediaries, masking the attacker's true source IP from the
target.