Text preview & study summary

CEH - Vulnerability Assessment and Exploitation

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

Which scanning phase technique sends a **SYN packet** to a port and considers it open if a **SYN-ACK** is received, without completing the three-way handshake?

Answer choices

  • A. TCP Connect Scan

  • B. SYN Stealth Scan (Half-Open Scan) (Correct)

  • C. UDP Scan

  • D. XMAS Scan

Explanation

A SYN scan (Nmap -sS) is called a "stealth scan" or "half-open scan" because:

1. Attacker sends SYN

2. Target responds with SYN-ACK (port open) or RST (port closed)

3. Attacker sends RST — never completing the handshake

This avoids logging by some systems and is faster than a full TCP connect scan. It requires raw socket privileges (root/admin).

Question 2

**True or False:** **Banner grabbing** is an active reconnaissance technique that retrieves service version information from open ports.

Answer choices

  • A. True (Correct)

  • B. False

Explanation

Banner grabbing connects to a service (Telnet, HTTP, FTP, SSH) and reads the initial response banner, which typically contains service name, version number, and sometimes OS information. Tools: `netcat`, `telnet`, Nmap -sV, curl. This is active because it directly connects to the target service, potentially leaving connection logs.

Question 3

**True or False:** A **zero-day vulnerability** is one that has been publicly disclosed and a patch is available but not yet applied.

Answer choices

  • A. True

  • B. False (Correct)

Explanation

A zero-day vulnerability is one for which no patch exists yet — the vendor has had "zero days" to fix it. Once a patch is released, it is no longer technically a zero-day. An unpatched vulnerability (patch available but not applied) is serious but different from a true zero-day.

Question 4

**ASLR (Address Space Layout Randomization)** is a security mitigation designed to protect against:

Answer choices

  • A. SQL injection attacks

  • B. Phishing attacks

  • C. Buffer overflow exploits that rely on known memory addresses (Correct)

  • D. Brute force password attacks

Explanation

ASLR randomizes the memory addresses of the stack, heap, and libraries each time a program runs, making it difficult to predict where shellcode or return addresses should point. It directly counters buffer overflow attacks that rely on hardcoded memory addresses. Combined with DEP/NX (Data Execution Prevention) and stack canaries, ASLR makes exploitation significantly harder.

Question 5

What does a **XMAS scan** (Nmap -sX) send, and what does a closed port respond with per RFC 793?

Answer choices

  • A. SYN flag; closed port sends RST

  • B. FIN, URG, and PSH flags set; closed port sends RST/ACK (Correct)

  • C. No flags set (NULL); closed port sends SYN-ACK

  • D. ACK flag; closed port sends RST

Explanation

An XMAS scan "lights up" a packet with FIN, URG, and PSH flags (like a Christmas tree). Per RFC 793:

- Closed port: responds with RST/ACK

- Open port: no response

This works only on RFC-compliant systems. Windows ignores XMAS scans entirely, responding with RST regardless. XMAS scans can bypass some stateless firewalls.