CERTIFIED ETHICAL HACKER (CEH) EXAM – PRACTICE QUESTIONS AND CORRECT ANSWERS (VERIFIED
ANSWERS) PLUS RATIONALES 2026 Q&A | INSTANT DOWNLOAD PDF
Core Domains:
Information Security and Ethical Hacking Overview
Reconnaissance and Footprinting
Scanning Networks and Enumeration
Vulnerability Analysis
System Hacking and Malware Threats
Sniffing, Social Engineering, and Denial-of-Service
Session Hijacking and Evading IDS, Firewalls, and Honeypots
Hacking Web Servers, Web Applications, and Wireless Networks
Mobile Platforms, IoT, and OT Hacking
Cloud Computing and Cryptography
Introduction:
The Certified Ethical Hacker (CEH) credential validates an individual's proficiency in identifying vulnerabilities and
securing infrastructure using the tools and methodologies employed by malicious adversaries. This comprehensive
practice assessment mirrors the official exam's multiple-choice and scenario-based structure to measure critical
engineering and analytical capabilities. Candidates are evaluated on technical principles, compliance standards, and
defensive mitigation across modern attack vectors. Emphasizing real-world application, each scenario challenges
professionals to make risk-based decisions that safeguard operational integrity. Achieving mastery requires
synthesizing technical domain knowledge with strategic risk response under strict ethical frameworks.
,SECTION ONE: QUESTIONS 1–100
1. An ethical hacker is performing footprinting on an organization's network. They discover that the organization
uses an external DNS provider. Which DNS record should the analyst look for to identify the authorized mail
servers allowed to send email on behalf of the domain?
A. AAAA
B. TXT
C. PTR
D. CNAME
🟢 Correct answer B
🔴 RATIONALE: TXT records frequently host SPF (Sender Policy Framework) data, which specifies the mail servers
authorized to send email on behalf of a domain to prevent spoofing.
2. During an internal assessment, a security professional executes an Nmap scan against a target subnet using the
-sS flag. What is the explicit technical behavior of this scan type when interacting with an open port?
A. The scanner sends a SYN packet, receives a SYN-ACK, completes the handshake with an ACK, and tears down
the connection via RST.
B. The scanner sends a SYN packet, receives a SYN-ACK, and immediately sends a RST packet without completing
the three-way handshake.
C. The scanner sends an ACK packet and determines if the port is open based on the window size of the returned
RST.
D. The scanner sends a FIN packet and assumes the port is open if no response is received within the timeout
window.
🟢 Correct answer B
,🔴 RATIONALE: The SYN stealth scan (-sS) initiates a connection by sending a SYN packet and drops it with a RST
immediately upon receiving a SYN-ACK, preventing a full TCP handshake from completing.
3. An enterprise network administrator detects unauthorized changes to router configuration files. Investigation
reveals an attacker exploited a protocol that transmits management data in cleartext. Which protocol should be
replaced to mitigate this issue?
A. SNMPv3
B. SSH
C. HTTPS
D. SNMPv2
🟢 Correct answer D
🔴 RATIONALE: SNMPv2 transmits community strings and management data in cleartext, making it highly vulnerable
to sniffing, whereas SNMPv3 introduces cryptographic protection.
4. A security engineer notices an unusual volume of ICMP Echo Request packets originating from multiple external
spoofed IP addresses, all directed to the network's broadcast address. The internal hosts are flooded with replies,
exhausting bandwidth. What attack vector is described?
A. Smurf Attack
B. Fraggle Attack
C. SYN Flood
D. Slowloris
🟢 Correct answer A
🔴 RATIONALE: A Smurf attack utilizes spoofed ICMP Echo Requests sent to broadcast addresses to trick network
hosts into flooding the victim with replies.
, 5. While reviewing web application logs, a security analyst identifies the following input string in a search field query
parameter: ' UNION SELECT null, username, password FROM users--. What structural vulnerability does this
indicate?
A. Cross-Site Scripting
B. Command Injection
C. SQL Injection
D. Directory Traversal
🟢 Correct answer C
🔴 RATIONALE: The presence of the ' UNION SELECT syntax demonstrates an attempt to manipulate the backend
SQL statement to retrieve unauthorized data from the users table.
6. Under the Digital Millennium Copyright Act (DMCA), which provision provides specific legal protections to internet
service providers (ISPs) against copyright infringement liability incurred by their users?
A. Safe Harbor
B. Fair Use
C. Good Samaritan clause
D. Right to Be Forgotten
🟢 Correct answer A
🔴 RATIONALE: The DMCA Safe Harbor provision protects qualifying service providers from liability for passive user
infringements if they comply with takedown rules.
7. An attacker uses a rogue wireless access point configured with the same Service Set Identifier (SSID) as a
legitimate corporate network. Corporate laptops automatically connect to it due to a stronger signal strength.
What type of wireless attack is this?
ANSWERS) PLUS RATIONALES 2026 Q&A | INSTANT DOWNLOAD PDF
Core Domains:
Information Security and Ethical Hacking Overview
Reconnaissance and Footprinting
Scanning Networks and Enumeration
Vulnerability Analysis
System Hacking and Malware Threats
Sniffing, Social Engineering, and Denial-of-Service
Session Hijacking and Evading IDS, Firewalls, and Honeypots
Hacking Web Servers, Web Applications, and Wireless Networks
Mobile Platforms, IoT, and OT Hacking
Cloud Computing and Cryptography
Introduction:
The Certified Ethical Hacker (CEH) credential validates an individual's proficiency in identifying vulnerabilities and
securing infrastructure using the tools and methodologies employed by malicious adversaries. This comprehensive
practice assessment mirrors the official exam's multiple-choice and scenario-based structure to measure critical
engineering and analytical capabilities. Candidates are evaluated on technical principles, compliance standards, and
defensive mitigation across modern attack vectors. Emphasizing real-world application, each scenario challenges
professionals to make risk-based decisions that safeguard operational integrity. Achieving mastery requires
synthesizing technical domain knowledge with strategic risk response under strict ethical frameworks.
,SECTION ONE: QUESTIONS 1–100
1. An ethical hacker is performing footprinting on an organization's network. They discover that the organization
uses an external DNS provider. Which DNS record should the analyst look for to identify the authorized mail
servers allowed to send email on behalf of the domain?
A. AAAA
B. TXT
C. PTR
D. CNAME
🟢 Correct answer B
🔴 RATIONALE: TXT records frequently host SPF (Sender Policy Framework) data, which specifies the mail servers
authorized to send email on behalf of a domain to prevent spoofing.
2. During an internal assessment, a security professional executes an Nmap scan against a target subnet using the
-sS flag. What is the explicit technical behavior of this scan type when interacting with an open port?
A. The scanner sends a SYN packet, receives a SYN-ACK, completes the handshake with an ACK, and tears down
the connection via RST.
B. The scanner sends a SYN packet, receives a SYN-ACK, and immediately sends a RST packet without completing
the three-way handshake.
C. The scanner sends an ACK packet and determines if the port is open based on the window size of the returned
RST.
D. The scanner sends a FIN packet and assumes the port is open if no response is received within the timeout
window.
🟢 Correct answer B
,🔴 RATIONALE: The SYN stealth scan (-sS) initiates a connection by sending a SYN packet and drops it with a RST
immediately upon receiving a SYN-ACK, preventing a full TCP handshake from completing.
3. An enterprise network administrator detects unauthorized changes to router configuration files. Investigation
reveals an attacker exploited a protocol that transmits management data in cleartext. Which protocol should be
replaced to mitigate this issue?
A. SNMPv3
B. SSH
C. HTTPS
D. SNMPv2
🟢 Correct answer D
🔴 RATIONALE: SNMPv2 transmits community strings and management data in cleartext, making it highly vulnerable
to sniffing, whereas SNMPv3 introduces cryptographic protection.
4. A security engineer notices an unusual volume of ICMP Echo Request packets originating from multiple external
spoofed IP addresses, all directed to the network's broadcast address. The internal hosts are flooded with replies,
exhausting bandwidth. What attack vector is described?
A. Smurf Attack
B. Fraggle Attack
C. SYN Flood
D. Slowloris
🟢 Correct answer A
🔴 RATIONALE: A Smurf attack utilizes spoofed ICMP Echo Requests sent to broadcast addresses to trick network
hosts into flooding the victim with replies.
, 5. While reviewing web application logs, a security analyst identifies the following input string in a search field query
parameter: ' UNION SELECT null, username, password FROM users--. What structural vulnerability does this
indicate?
A. Cross-Site Scripting
B. Command Injection
C. SQL Injection
D. Directory Traversal
🟢 Correct answer C
🔴 RATIONALE: The presence of the ' UNION SELECT syntax demonstrates an attempt to manipulate the backend
SQL statement to retrieve unauthorized data from the users table.
6. Under the Digital Millennium Copyright Act (DMCA), which provision provides specific legal protections to internet
service providers (ISPs) against copyright infringement liability incurred by their users?
A. Safe Harbor
B. Fair Use
C. Good Samaritan clause
D. Right to Be Forgotten
🟢 Correct answer A
🔴 RATIONALE: The DMCA Safe Harbor provision protects qualifying service providers from liability for passive user
infringements if they comply with takedown rules.
7. An attacker uses a rogue wireless access point configured with the same Service Set Identifier (SSID) as a
legitimate corporate network. Corporate laptops automatically connect to it due to a stronger signal strength.
What type of wireless attack is this?
