Certified Ethical Hacker (CEH)

Scanning & Enumeration

34 free practice questions with explanations

PassNova has 34 free Certified Ethical Hacker (CEH) practice questions on Scanning & Enumeration, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Scanning & Enumeration: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 34 free in the browser.

  1. Which Nmap scan type completes the full TCP three-way handshake and is therefore more likely to be logged by the target?

    • A. TCP connect scan (-sT)
    • B. FIN scan (-sF)
    • C. Null scan (-sN)
    • D. SYN scan (-sS)

    Answer: The TCP connect scan (-sT) uses the OS connect() call to complete the full three-way handshake, which is reliably logged, whereas a SYN scan never finishes the handshake.

  2. Which Nmap option is used to attempt remote operating-system detection by analysing TCP/IP stack responses?

    • A. -O
    • B. -p-
    • C. -Pn
    • D. -sV

    Answer: The -O flag enables Nmap OS detection, which fingerprints the target by comparing TCP/IP stack behaviour against a database of known signatures.

  3. During a SYN (half-open) scan, how does Nmap conclude that a port is OPEN?

    • A. It receives no response at all
    • B. It receives an ICMP port-unreachable message
    • C. It receives a SYN/ACK in response to its SYN probe
    • D. It receives an RST/ACK in response to its SYN probe

    Answer: A SYN/ACK reply to the initial SYN indicates the port is open; Nmap then sends an RST to tear down the connection before the handshake completes.

  4. An attacker enumerates user accounts and shares over TCP port 445. Which protocol is being targeted?

    • A. SMB
    • B. SMTP
    • C. LDAP
    • D. SNMP

    Answer: Server Message Block (SMB) operates over TCP port 445 and is commonly enumerated to reveal shares, users, and groups on Windows systems.

  5. Which default community string is frequently abused to enumerate device information via SNMP version 1/2c?

    • A. root
    • B. anonymous
    • C. admin
    • D. public

    Answer: Many devices ship with the default read-only SNMP community string 'public', allowing attackers to query system information if it is left unchanged.

  6. What is the purpose of an Nmap idle (zombie) scan using the -sI option?

    • A. To flood the target with SYN packets
    • B. To crack the target's SSH keys
    • C. To perform a DNS zone transfer
    • D. To scan a target while spoofing the source as a third-party idle host, hiding the attacker's IP

    Answer: The idle scan uses a predictable IP-ID sequence on a third-party 'zombie' host to probe a target, so the scan appears to originate from the zombie rather than the attacker.
