GAQM CPEH-001 Exam
Certified Professional Ethical Hacker (CPEH) Exam (Page 11)

Updated On: 1-Feb-2026

What are two things that are possible when scanning UDP ports? (Choose two.)

  1. A reset will be returned
  2. An ICMP message will be returned
  3. The four-way handshake will not be completed
  4. An RFC 1294 message will be returned
  5. Nothing

Answer(s): B,E

Explanation:

Closed UDP ports can return an ICMP type 3 code 3 message. No response can mean the port is open or the packet was silently dropped.



What does a type 3 code 13 represent? (Choose two.)

  1. Echo request
  2. Destination unreachable
  3. Network unreachable
  4. Administratively prohibited
  5. Port unreachable
  6. Time exceeded

Answer(s): B,D

Explanation:

Type 3 code 13 is destination unreachable administratively prohibited. This type of message is typically returned from a device blocking a port.



Destination unreachable administratively prohibited messages can inform the hacker of what?

  1. That a circuit level proxy has been installed and is filtering traffic
  2. That his/her scans are being blocked by a honeypot or jail
  3. That the packets are being malformed by the scanning software
  4. That a router or other packet-filtering device is blocking traffic
  5. That the network is functioning normally

Answer(s): D

Explanation:

Destination unreachable administratively prohibited messages are a good way to discover that a router or other low-level packet device is filtering traffic. Analysis of the ICMP message will reveal the IP address of the blocking device and the filtered port. This further adds to the network map and to the information being discovered about the network and hosts.



Which of the following Nmap commands would be used to perform a stack fingerprinting?

  1. Nmap -O -p80 <host(s)>
  2. Nmap -hU -Q<host(s)>
  3. Nmap -sT -p <host(s)>
  4. Nmap -u -o -w2 <host>
  5. Nmap -sS -0p target

Answer(s): A

Explanation:

This option activates remote host identification via TCP/IP fingerprinting. In other words, it uses a bunch of techniques to detect subtleties in the underlying operating system network stack of the computers you are scanning. It uses this information to create a "fingerprint" which it compares with its database of known OS fingerprints (the nmap-os-fingerprints file) to decide what type of system you are scanning.



Exhibit



(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.) Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds them to be abnormal. If you were the penetration tester, why would you find this abnormal? What is odd about this attack? Choose the best answer.

  1. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
  2. This is Back Orifice activity as the scan comes from port 31337.
  3. The attacker wants to avoid creating a sub-carries connection that is not normally valid.
  4. These packets were crafted by a tool, they were not created by a standard IP stack.

Answer(s): B

Explanation:

Port 31337 is normally used by Back Orifice. Note that 31337 is hackers' spelling of 'elite', meaning 'elite hackers'.


