Text preview & study summary
CEH - Vulnerability Assessment and Exploitation
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
Which scanning phase technique sends a **SYN packet** to a port and considers it open if a **SYN-ACK** is received, without completing the three-way handshake?
Explanation
A SYN scan (Nmap -sS) is called a "stealth scan" or "half-open scan" because:
1. Attacker sends SYN
2. Target responds with SYN-ACK (port open) or RST (port closed)
3. Attacker sends RST — never completing the handshake
This avoids logging by some systems and is faster than a full TCP connect scan. It requires raw socket privileges (root/admin).
Question 2
**True or False:** **Banner grabbing** is an active reconnaissance technique that retrieves service version information from open ports.
Explanation
Banner grabbing connects to a service (Telnet, HTTP, FTP, SSH) and reads the initial response banner, which typically contains service name, version number, and sometimes OS information. Tools: `netcat`, `telnet`, Nmap -sV, curl. This is active because it directly connects to the target service, potentially leaving connection logs.
Question 3
**True or False:** A **zero-day vulnerability** is one that has been publicly disclosed and a patch is available but not yet applied.
Explanation
A zero-day vulnerability is one for which no patch exists yet — the vendor has had "zero days" to fix it. Once a patch is released, it is no longer technically a zero-day. An unpatched vulnerability (patch available but not applied) is serious but different from a true zero-day.
Question 4
**ASLR (Address Space Layout Randomization)** is a security mitigation designed to protect against:
Explanation
ASLR randomizes the memory addresses of the stack, heap, and libraries each time a program runs, making it difficult to predict where shellcode or return addresses should point. It directly counters buffer overflow attacks that rely on hardcoded memory addresses. Combined with DEP/NX (Data Execution Prevention) and stack canaries, ASLR makes exploitation significantly harder.
Question 5
What does a **XMAS scan** (Nmap -sX) send, and what does a closed port respond with per RFC 793?
Explanation
An XMAS scan "lights up" a packet with FIN, URG, and PSH flags (like a Christmas tree). Per RFC 793:
- Closed port: responds with RST/ACK
- Open port: no response
This works only on RFC-compliant systems. Windows ignores XMAS scans entirely, responding with RST regardless. XMAS scans can bypass some stateless firewalls.
