
EC-Council CEH (Certified Ethical Hacker) Practice Exam

Validates ethical hacking knowledge across reconnaissance and scanning, enumeration, vulnerability analysis, system hacking and malware, sniffing, social engineering, DoS, session hijacking, web and wireless attacks, mobile/IoT/OT, cloud, and cryptography.

Practice 750 exam-style EC-Council CEH (Certified Ethical Hacker) questions with full answer explanations, then take timed mock exams that score like the real thing.

• 750 practice questions
• 125 questions on the real exam
• 700 passing score
• 240 min exam length

Question bank reviewed Jul 2026.

What the EC-Council CEH (Certified Ethical Hacker) exam covers

Free EC-Council CEH (Certified Ethical Hacker) sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 750.

  1. Question 1: Information Security and Ethical Hacking Overview

    In the CIA triad, which element is directly compromised when an attacker alters the amount field of a bank transfer message in transit without authorization?

    • A. Confidentiality
    • B. Integrity (Correct)
    • C. Availability
    • D. Non-repudiation
    ✓ Correct answer: B

    Integrity ensures that data is not modified in an unauthorized or undetected manner. Changing the value of a transfer message tampers with the accuracy and trustworthiness of the data, which is precisely what integrity protects.

    Why the other options are wrong
    • A: Confidentiality concerns preventing unauthorized disclosure or reading of data, not its modification.
    • C: Availability concerns ensuring systems and data are accessible when needed, which is not the issue when a value is silently changed.
    • D: Non-repudiation is a supporting property (proof of origin/action) and is not one of the three core CIA triad elements.
  2. Question 2: Reconnaissance Techniques (Select all that apply)

    Which TWO are effective countermeasures to reduce an organization's footprinting exposure? (Choose TWO)

    • A. Provide security-awareness training so employees limit sensitive information shared publicly and on social media (Correct)
    • B. Enable WHOIS privacy and remove unnecessary details from public records (Correct)
    • C. Publish complete internal network diagrams on the public website
    • D. List exact software versions in all external job postings
    ✓ Correct answer: A, B

    Effective footprinting countermeasures focus on reducing the public information available about the organization. Security-awareness training teaches staff not to over-share technical and organizational details on social media and in forums, while enabling WHOIS privacy and pruning public records denies attackers registrant contacts and infrastructure clues. Together they shrink the attack surface exposed to OSINT.

    Why the other options are wrong
    • C: Publishing complete internal network diagrams is incorrect because exposing the topology hands attackers a detailed map, increasing rather than reducing footprinting exposure.
    • D: Listing exact software versions in all external job postings is incorrect because disclosing precise versions reveals the technology stack and its known-vulnerability targets, worsening exposure.
  3. Question 3: Reconnaissance Techniques

    Which NTP query, when responded to by a vulnerable server, can disclose a list of hosts that recently communicated with the server?

    • A. monlist (Correct)
    • B. AXFR
    • C. getbulk
    • D. enumdomusers
    ✓ Correct answer: A

    The legacy NTP monlist control query returns a list of the most recent hosts that contacted the NTP server, which can expose internal client addresses and be abused for amplification attacks. Disabling monlist, upgrading NTP, and restricting queries with proper access controls are the recommended countermeasures.

    Why the other options are wrong
    • B: AXFR is a DNS zone transfer request, not an NTP command.
    • C: getbulk is an SNMP operation, not an NTP query.
    • D: enumdomusers is an rpcclient/MSRPC function, not an NTP query.
  4. Question 4: System Hacking Phases and Attack Techniques

    Which of the following is the strongest reason that reusing passwords across sites makes credential stuffing attacks effective?

    • A. A password breached at one site can be replayed against the user's other accounts (Correct)
    • B. Password reuse makes hashes uncrackable
    • C. Reused passwords are automatically salted everywhere
    • D. Reuse forces attackers to brute-force every account individually
    ✓ Correct answer: A

    Credential stuffing takes username-password pairs leaked from one breach and automatically tries them on other services. Because users reuse credentials, one leak compromises many accounts. Unique passwords and MFA are the primary defenses.

    Why the other options are wrong
    • B: Reuse has no effect on whether a hash is crackable; it increases exposure.
    • C: Salting is a per-site server-side choice and is not guaranteed by reuse.
    • D: Stuffing avoids brute force by replaying known valid credentials, which reuse enables.
  5. Question 5: System Hacking Phases and Attack Techniques

    Which detection strategy best identifies a rootkit that hides a malicious process from Task Manager and the standard process API?

    • A. Comparing the process list obtained via standard APIs with one enumerated by directly walking kernel structures, and investigating discrepancies (Correct)
    • B. Checking the system clock accuracy
    • C. Verifying the desktop wallpaper has not changed
    • D. Counting the number of installed fonts
    ✓ Correct answer: A

    A rootkit that unlinks a process from the visible process list, or hooks the API that enumerates it, still leaves the process running in the kernel's actual scheduling structures. Enumerating processes both through the normal API and by directly walking low-level kernel structures, then comparing the two lists, reveals any process visible to the kernel but hidden from user tools, exposing the rootkit's concealment.

    Why the other options are wrong
    • B: Clock accuracy has no bearing on hidden processes.
    • C: Wallpaper changes are cosmetic and unrelated to process hiding.
    • D: Installed font counts provide no insight into concealed processes.
  6. Question 6: Network and Perimeter Hacking

    Which of the following is a recommended technical mitigation specifically against TCP SYN flood attacks?

    • A. Enabling SYN cookies on the server (Correct)
    • B. Increasing the monitor screen resolution
    • C. Disabling all logging
    • D. Shortening user passwords
    ✓ Correct answer: A

    SYN cookies encode connection state into the initial sequence number sent in the SYN-ACK, so the server does not reserve a backlog entry until it receives a valid ACK. This prevents the half-open connection table from being exhausted by a SYN flood.

    Why the other options are wrong
    • B: Screen resolution has no effect on network-layer DoS resistance.
    • C: Disabling logging harms detection and response and does nothing to stop a SYN flood.
    • D: Password length is irrelevant to defending against a SYN flood.
  7. Question 7: Web Application Hacking

    During footprinting, an ethical hacker enumerates the directories and files available on a web server by requesting common paths and observing responses. What is the most appropriate defensive response to this activity?

    • A. Publish a full sitemap listing every internal file
    • B. Restrict access to sensitive directories, disable listing, and monitor for enumeration patterns (Correct)
    • C. Disable logging to save disk space
    • D. Return HTTP 200 for every request regardless of the resource
    ✓ Correct answer: B

    Directory and file enumeration probes for hidden or sensitive resources. Defenders should enforce access controls on sensitive paths, disable directory browsing, remove unnecessary files, and monitor logs or a WAF for enumeration signatures so scanning can be detected and throttled.

    Why the other options are wrong
    • A: Publishing every internal file hands attackers a map and worsens exposure.
    • C: Disabling logging removes the very evidence needed to detect enumeration.
    • D: Returning 200 for everything is not a real control and can break the application.
  8. Question 8: Web Application Hacking

    What is the primary security benefit of applying the principle of least privilege to the database account used by a web application?

    • A. It limits the damage an attacker can do if a SQL injection is successfully exploited (Correct)
    • B. It prevents any SQL injection from being detected
    • C. It encrypts all data stored in the database
    • D. It makes the application immune to cross-site scripting
    ✓ Correct answer: A

    Least privilege does not stop injection from occurring, but it constrains what an exploited query can accomplish. If the application account can only read specific tables and cannot drop objects, create users, or read system tables, an attacker who injects successfully is far more limited. Combined with parameterized queries as the primary control, least privilege minimizes the potential impact of any residual flaw.

    Why the other options are wrong
    • B: Least privilege restricts capability, but it does not prevent injection from being detected or attempted.
    • C: Encryption at rest is a separate control; least privilege governs account permissions, not encryption.
    • D: Least privilege on the database account has no effect on client-side cross-site scripting vulnerabilities.
  9. Question 9: Mobile, IoT, and OT Hacking

    On modern Android versions, the runtime permission model requires that an app request access to sensitive resources such as location or contacts at the time it needs them, and the user may grant or deny each request. What is the main security benefit of this model compared to granting all permissions at install time?

    • A. It removes the need for any application sandboxing
    • B. It supports least privilege by letting users grant only the specific permissions actually needed, in context (Correct)
    • C. It automatically encrypts all app data with a user password
    • D. It prevents the app from ever being uninstalled
    ✓ Correct answer: B

    With runtime permissions, dangerous permissions are requested when the feature is used, giving users context to decide and the ability to deny or later revoke access. This enforces least privilege far better than the older all-or-nothing install-time model, limiting how much data or capability a malicious or over-reaching app can obtain. Users can also review and change permissions in settings at any time.

    Why the other options are wrong
    • A: The permission model complements the sandbox; it does not remove the need for sandboxing.
    • C: Runtime permissions govern resource access, not automatic password-based encryption of app data.
    • D: Permissions have nothing to do with preventing uninstallation.
  10. Question 10: Cloud Computing

    Which statement BEST describes why misconfigured cloud storage buckets (such as object storage set to public) are a leading cause of cloud data breaches?

    • A. The cloud provider intentionally exposes buckets by default for performance
    • B. A customer misconfiguration can make sensitive objects readable by anyone on the internet without authentication (Correct)
    • C. Object storage cannot support any access controls
    • D. Encryption is impossible for cloud storage
    ✓ Correct answer: B

    Cloud object storage supports fine-grained access policies, but a customer can inadvertently set a bucket or its objects to allow public or anonymous read access. Because storage endpoints are internet-reachable, a single misconfiguration can expose large volumes of sensitive data to anyone who discovers the URL, requiring no authentication. This is why storage misconfiguration consistently ranks among the top causes of cloud data exposure, and it is a customer responsibility under the shared responsibility model.

    Why the other options are wrong
    • A: Providers default new buckets to private; public exposure results from customer configuration changes, not provider intent.
    • C: Object storage supports rich access controls such as IAM policies, bucket policies, and ACLs.
    • D: Encryption at rest and in transit is fully supported and commonly enabled for cloud storage.

EC-Council CEH (Certified Ethical Hacker) practice exam FAQ

How many questions are in the EC-Council CEH (Certified Ethical Hacker) practice exam on CertGrid?

CertGrid has 750 practice questions for EC-Council CEH (Certified Ethical Hacker), covering 9 exam domains. The real EC-Council CEH (Certified Ethical Hacker) exam has about 125 questions.

What is the passing score for EC-Council CEH (Certified Ethical Hacker)?

The EC-Council CEH (Certified Ethical Hacker) exam passing score is 700, and you have about 240 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official EC-Council CEH (Certified Ethical Hacker) exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of EC-Council CEH (Certified Ethical Hacker), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice EC-Council CEH (Certified Ethical Hacker) for free?

Yes. You can start practicing EC-Council CEH (Certified Ethical Hacker) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.