EC-Council CEH
Free Certified Ethical Hacker practice test
10 real EC-Council CEH practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 1,399 questions whenever you’re ready. The EC-Council CEH passing score is 60–85% (cut score varies).
Answer key
All 10 EC-Council CEH questions & answers
Prefer to just read the answers and explanations? Here’s the full key for this free EC-Council CEH test.
Q1. An organization requires workers to swipe a badge and enter a personal identification number before entering a secured area. Which security concept does this combination best illustrate?
Correct answer: B. Multi-factor authentication
Multi-factor authentication combines two or more distinct verification methods — here, the badge represents something the user possesses, while the PIN represents something the user knows. Firewalls, intrusion detection systems, and encryption address different security problems and do not involve layered identity verification at entry points.
Q2. An attacker loads keylogger malware onto 50 USB drives disguised as media files, then drops them near an office building hoping curious employees will plug them in. Which phase of the Cyber Kill Chain does this tactic represent?
Correct answer: C. Delivery
Delivery covers any method used to transport a weaponized payload to the target — including dropped USB drives. Reconnaissance involves selecting and researching victims; Installation creates backdoors for persistent access; Actions on Objectives is where the attacker pursues their end goal such as data theft or destruction.
Q3. An adversary intercepts network traffic between two parties, modifies the packets, and forwards them to the intended recipient. Which element of the CIA triad is most directly violated?
Correct answer: A. Integrity
Integrity ensures that data remains accurate and unmodified; a man-in-the-middle attack that alters packets in transit directly undermines this property. Availability is the target of denial-of-service attacks, confidentiality is violated when unauthorized parties read protected data, and non-repudiation is not one of the three CIA pillars.
Q4. A security professional is authorized to probe a client's systems for weaknesses and reports findings to the client. Which type of activity does this scenario most accurately describe?
Correct answer: A. Penetration testing
Penetration testing is the broader term for authorized attempts to identify and exploit security weaknesses in a target environment. Black-box, white-box, and gray-box testing describe how much prior knowledge the tester has, whereas penetration testing is the overarching activity that encompasses all of them.
Q5. After compromising an initial workstation on a corporate network, a threat actor uses that machine to scan and breach four additional workstations, installing backdoors on each. How is the attacker's movement between machines best characterized?
Correct answer: D. East-west movement
East-west movement (also called lateral movement) describes an attacker pivoting between systems within the same internal network. North-south movement refers to data flowing between the internal network and an external destination. Dynamic movement is not a recognized term in network security parlance.
Q6. A threat actor embedded a phishing link in a PDF attachment, emailed it to employees, and an accountant clicked it, installing backdoor software. The attacker is now using that backdoor to remotely scan internal hosts for vulnerabilities. Which Cyber Kill Chain phase best describes the attacker's current activity?
Correct answer: A. Command & Control
Command & Control is the phase where an external system communicates with compromised hosts, giving the attacker active control inside the target network. Scanning is not an official Cyber Kill Chain phase; Weaponization precedes delivery of the payload; Delivery is when the malicious content reaches the victim — both occurred earlier in this scenario.
Q7. An attacker who has compromised an internal workstation uses it to exfiltrate data to a server they control on the internet. How is this type of network movement best described?
Correct answer: B. North-south movement
North-south movement describes data flowing between an internal (victim) network and an external network such as the internet. East-west or lateral movement describes pivoting between hosts inside the same environment. Dynamic movement is not a standard security term.
Q8. Before launching an attack, a threat actor develops a piece of custom malware specifically engineered to exploit a particular organization's systems. At which Cyber Kill Chain phase does this activity occur?
Correct answer: A. Weaponization
Weaponization is the phase in which an attacker selects or crafts the malicious payload — whether custom or off-the-shelf — that will be used against the target. Delivery is the transport of that payload; Exploitation is when the payload triggers on the target; Installation is when the malware establishes persistent access.
Q9. A flood of junk traffic overwhelms a web server, preventing legitimate customers from reaching the site. Which CIA triad attribute is being attacked?
Correct answer: C. Availability
A denial-of-service attack targets availability by consuming resources until legitimate requests can no longer be served. Confidentiality relates to preventing unauthorized data disclosure; integrity relates to data accuracy; non-repudiation is not part of the CIA triad.
Q10. Having already gained full system access, an attacker begins permanently deleting sensitive corporate documents — the stated goal of the intrusion. Which Cyber Kill Chain phase does this represent?
Correct answer: D. Actions on Objectives
Actions on Objectives is the final Cyber Kill Chain phase where the attacker carries out the intended goal — whether data destruction, exfiltration, or further intrusions. Reconnaissance is target selection; Delivery transports the payload; Installation establishes persistent backdoor access.
Exam facts and objectives sourced from the official EC-Council certification page. Last reviewed June 2026.