Career upgrade: Learn practical AI skills for better jobs and higher pay.
Level up
PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free CEH Practical Practice Questions

Pass your EC-Council Certified Ethical Hacker Practical (312-50 Practical) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
EC-Council does not publicly report pass rates Pass Rate
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

Which AWS service stores temporary credentials available to EC2 instances via the metadata endpoint at 169.254.169.254 and is frequently abused via SSRF?

A
B
C
D
to track
Same family resources

Explore More EC-Council Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

CEH

Practice Questions
1 blog

CND

Practice Questions

EC-Council Certified Application Security Engineer (CASE .NET 312-95 / Java 312-96)

Practice Questions

EC-Council Certified Blockchain Professional (CBP)

Practice Questions

EC-Council Certified Chief Information Security Officer (CCISO 712-50)

Practice Questions

EC-Council Certified Cloud Security Engineer (CCSE 312-40)

Practice Questions

More From This Family

Videos and articles for deeper review.

ArticleCEH v13 in 2026: A 12-Week Study System That Balances Theory, Labs, and Exam Speed15 min read
2026 Statistics

Key Facts: CEH Practical Exam

20

Lab Challenges

Hands-on Cyber Range

70%

Passing Score

14 of 20 challenges

6 hrs

Time Limit

Live proctored exam

$550

Exam Fee

Per attempt

3 yrs

Validity

Recertify with ECE credits

Aspen

Cyber Range

EC-Council platform

The EC-Council CEH Practical (312-50 Practical) is a 6-hour, 20-challenge hands-on certification exam delivered live through the Aspen Cyber Range, with a 70% pass mark and a $550 fee. It validates real-world ethical hacking skills across reconnaissance, system hacking, network and perimeter attacks, web application hacking, and wireless/cloud/cryptography. This is a live practical assessment, not a multiple-choice test, so our 100 free MCQs are conceptual prep that reinforces the tooling, commands, and methodology you will need on the range. Pair these questions with hands-on lab time on Kali Linux, Metasploit, Burp Suite, and the aircrack-ng suite for the strongest result.

Sample CEH Practical Practice Questions

Try these sample questions to test your CEH Practical exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1A penetration tester wants to perform a stealthy TCP port scan that does not complete the three-way handshake. Which Nmap scan type should be used?
A.-sT
B.-sS
C.-sU
D.-sn
Explanation: The -sS flag performs a TCP SYN (half-open) scan. Nmap sends a SYN, and if it gets SYN/ACK it knows the port is open but responds with RST instead of completing the handshake. This is faster and stealthier than a full TCP connect scan and is the default scan when run as root.
2Which Nmap option enables OS fingerprinting based on TCP/IP stack behavior?
A.-sV
B.-O
C.-A
D.-Pn
Explanation: The -O flag enables Nmap operating system detection. Nmap sends a series of TCP and UDP probes and compares responses (TTL, window size, options, sequence generation) against its OS fingerprint database to identify the target operating system.
3You need to enumerate SMB shares on a Windows host without authentication. Which command is most appropriate?
A.smbclient -L //10.10.10.5 -N
B.nmap -sU -p 445 10.10.10.5
C.ssh anonymous@10.10.10.5
D.ftp 10.10.10.5
Explanation: smbclient -L //target -N lists shares on a remote host using a null session (-N = no password). If the server permits guest/null SMB browsing, this enumerates available shares without credentials.
4Which tool is specifically designed to enumerate Windows hosts via SMB null sessions, returning users, groups, shares, and password policy?
A.enum4linux
B.dirb
C.hydra
D.nikto
Explanation: enum4linux is a Perl wrapper around the Samba tools (smbclient, rpcclient, net) that automates SMB enumeration: users (RID cycling), groups, shares, OS info, password policy, and printer info. It is a staple CEH Practical reconnaissance tool.
5You want to perform a DNS zone transfer against ns1.example.com for the domain example.com. Which command is correct?
A.dig @ns1.example.com example.com AXFR
B.dig example.com MX
C.nslookup -type=A example.com
D.host example.com
Explanation: The AXFR query type performs a DNS zone transfer. The syntax `dig @<nameserver> <domain> AXFR` requests a full copy of the zone from the specified authoritative server. Misconfigured servers that allow AXFR to anyone will leak every record in the zone.
6Which tool is best known for brute-forcing DNS subdomains using a wordlist and detecting wildcard records?
A.dnsenum
B.tcpdump
C.ettercap
D.john
Explanation: dnsenum (and its cousin fierce/dnsrecon) automates DNS reconnaissance: NS/MX/A enumeration, AXFR attempts, reverse lookups, and dictionary-based subdomain brute forcing. It also detects wildcard DNS configurations to avoid false positives.
7Which Nmap NSE script category runs scripts that may crash a vulnerable service or be considered intrusive?
A.default
B.safe
C.intrusive
D.discovery
Explanation: NSE categories include safe, default, discovery, version, vuln, exploit, brute, dos, and intrusive. The intrusive category groups scripts that are likely to be flagged or to crash the target. Use --script intrusive only with explicit authorization.
8You suspect SNMP is running on UDP/161 with the default community string. Which command enumerates the entire MIB tree using snmpwalk v2c with community 'public'?
A.snmpwalk -v 2c -c public 10.10.10.5
B.snmpwalk -v 1 -c admin 10.10.10.5
C.snmpget -v 3 10.10.10.5
D.snmptrap -c public 10.10.10.5
Explanation: snmpwalk -v 2c -c public <target> walks the MIB tree starting from the default OID using SNMP version 2c with the community string 'public'. Because SNMP v1/v2c send the community string in cleartext, default community strings are a classic information-disclosure vector.
9Which command grabs the HTTP banner of a web server using netcat?
A.nc -lvp 80
B.echo -e 'HEAD / HTTP/1.0\r\n\r\n' | nc target 80
C.nc -e /bin/sh target 80
D.nc -u target 53
Explanation: Sending a HEAD request through netcat to TCP/80 returns the response headers, including the Server banner. This is a classic banner-grabbing technique for fingerprinting web server software and version.
10Which Nmap flag combines OS detection, version detection, default scripts, and traceroute in one option?
A.-A
B.-T4
C.-Pn
D.-F
Explanation: The -A (aggressive) flag is shorthand for -O (OS detection), -sV (version detection), -sC (default scripts), and --traceroute. It is the fastest way to gather a thorough fingerprint but is also noisy.

About the CEH Practical Exam

The EC-Council Certified Ethical Hacker Practical (CEH Practical, exam code 312-50 Practical) validates real-world ethical hacking skills through 20 live lab challenges in the EC-Council Aspen Cyber Range. Candidates have 6 hours to footprint targets, scan and enumerate networks, exploit systems, escalate privileges, capture and crack credentials, attack web applications, evade IDS/firewalls, and test wireless, cloud, and IoT environments. The 70% passing score requires demonstrating both methodology and tooling fluency. Our 100 free practice questions are conceptual reinforcement covering the same 5 domains.

Assessment

20 hands-on lab challenges delivered through the EC-Council Aspen Cyber Range; candidates demonstrate practical skills in reconnaissance, system hacking, network attacks, web application hacking, and wireless/cloud/crypto

Time Limit

6 hours

Passing Score

70%

Exam Fee

$550 (EC-Council Aspen Cyber Range)

CEH Practical Exam Content Outline

20%

Reconnaissance and Scanning

Footprinting, OSINT (Shodan, Censys), DNS enumeration (dig, dnsenum, dnsrecon, fierce), Nmap scan types (-sS, -sT, -sU, -sn, -O, -sV, -A, -f, -D), NSE scripts, banner grabbing, SMB enumeration (smbclient, enum4linux, smbmap, rpcclient), SNMP (snmpwalk), vulnerability analysis

20%

System Hacking and Malware

Hacking methodology, password cracking (hashcat modes, John, hash-identifier), Mimikatz (sekurlsa::logonpasswords, lsadump, kerberos), Pass-the-Hash, privesc (winPEAS, linPEAS, GTFOBins, capabilities, SUID), Metasploit and Meterpreter, persistence, trojans, viruses, worms, rootkits, steganography (steghide, exiftool, binwalk), BloodHound

20%

Network and Perimeter Hacking

Sniffing (Wireshark, tcpdump), ARP spoofing (ettercap, bettercap), CAM flooding (macof), LLMNR/NBT-NS poisoning (Responder), session hijacking, IDS/IPS evasion (fragmentation, encoding, decoys), firewall/honeypot evasion, DoS (hping3 SYN flood, Slowloris, DHCP starvation), Snort

20%

Web Application Hacking

OWASP Top 10 2021, SQL injection (UNION, boolean blind, error, sqlmap), XSS, CSRF, SSRF and IMDS, XXE, file upload bypass, web shells, command injection, path traversal, insecure deserialization, Burp Suite, gobuster/ffuf, Nikto

20%

Wireless, Cloud and Cryptography

aircrack-ng suite (airmon-ng, airodump-ng, aireplay-ng), WPS attacks (Reaver, Bully, Pixie Dust), Evil Twin, WEP/WPA2/WPA3 and KRACK, AWS attacks (S3, IMDS SSRF, Pacu, ScoutSuite), cryptography (AES-GCM, RSA, MD5, padding oracles), IoT and OT (binwalk, Modbus, Shodan, BLE)

How to Pass the CEH Practical Exam

What You Need to Know

  • Passing score: 70%
  • Assessment: 20 hands-on lab challenges delivered through the EC-Council Aspen Cyber Range; candidates demonstrate practical skills in reconnaissance, system hacking, network attacks, web application hacking, and wireless/cloud/crypto
  • Time limit: 6 hours
  • Exam fee: $550

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CEH Practical Study Tips from Top Performers

1Build cheat sheets for the tools that show up repeatedly: Nmap (scan types, NSE), Metasploit (search/use/set/run/sessions), Meterpreter, hashcat (-m modes), and Mimikatz commands
2Practice on a real Cyber Range — EC-Council iLabs, Hack The Box, TryHackMe, or VulnHub VMs — for at least 40-60 hours before the exam
3Memorize hashcat modes you will likely see: -m 0 (MD5), -m 100 (SHA-1), -m 1000 (NTLM), -m 1800 (sha512crypt), -m 5500 (NetNTLMv1), -m 5600 (NetNTLMv2), -m 22000 (WPA-PMKID/EAPOL)
4Drill the OWASP Top 10 (2021): A01 Broken Access Control through A10 SSRF, including which Burp tool you use to test each
5Master the aircrack-ng suite end-to-end: airmon-ng monitor mode, airodump-ng capture, aireplay-ng deauth, aircrack-ng/hashcat handshake cracking
6Take screenshots and notes during practice — CEH Practical lets you submit findings, and the same documentation muscle memory pays off in real engagements

Frequently Asked Questions

What is the EC-Council CEH Practical exam?

The CEH Practical (312-50 Practical) is EC-Council's hands-on ethical hacking certification. Candidates complete 20 real-world lab challenges in the Aspen Cyber Range over 6 hours and must score at least 70% to pass. Unlike the multiple-choice CEH (ANSI) exam, the Practical requires actually performing reconnaissance, exploitation, privilege escalation, web attacks, and wireless/cloud techniques against live targets.

How is the CEH Practical different from CEH (ANSI)?

CEH (ANSI) is a 4-hour, 125-question multiple-choice knowledge test. CEH Practical is a 6-hour, 20-challenge live lab assessment in the Aspen Cyber Range. Many candidates earn both credentials together to attain CEH Master status. CEH Practical heavily favours candidates with prior hands-on experience using Kali Linux, Metasploit, Burp Suite, the aircrack-ng suite, and Mimikatz.

How much does the CEH Practical exam cost?

The CEH Practical exam fee is $550 USD per attempt, paid to EC-Council. Bundles that combine CEH (ANSI) with CEH Practical, or include training and exam vouchers, are also available at varying prices. Retakes require a new exam fee.

What topics are covered on the CEH Practical?

CEH Practical covers five weighted domains, each roughly 20% of the exam: reconnaissance and scanning; system hacking and malware; network and perimeter hacking; web application hacking; and wireless, cloud, and cryptography. Within each domain you should expect challenges that exercise tools such as Nmap, Metasploit, Mimikatz, hashcat, Burp Suite, sqlmap, aircrack-ng, Responder, and binwalk.

How should I prepare for the CEH Practical?

Prepare by combining conceptual review with extensive hands-on lab time. Walk through Nmap scan flags, Metasploit module workflows, Meterpreter commands, hashcat -m modes, Mimikatz techniques, OWASP Top 10 attacks, and aircrack-ng workflows. Use platforms like Hack The Box, TryHackMe, EC-Council iLabs, and PortSwigger Web Security Academy. Our 100 free practice questions are conceptual checks that reinforce the right tool for the right task.

Do I need CEH (ANSI) before taking CEH Practical?

No, CEH (ANSI) is not a strict prerequisite, but EC-Council strongly recommends that candidates either hold CEH (ANSI) or have at least 2 years of documented information-security experience. Most candidates who pass CEH Practical have completed CEH (ANSI) or have prior experience with hands-on platforms like OSCP-style labs.

How long is the CEH Practical credential valid?

The CEH Practical credential is valid for 3 years. To recertify, candidates must earn the required EC-Council Continuing Education (ECE) credits and pay the annual EC-Council membership fee, or pass the current version of the CEH Practical exam before expiration.