Free GCIH Networked Environment Attack Practice Test 2026 — GIAC Incident Handler Questions

This free GCIH Networked Environment Attack practice test covers networked environment attacks — ARP spoofing, MITM, DHCP attacks, DNS poisoning, VLAN hopping, and rogue access points. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.

6 Free GCIH Networked Environment Attack Practice Questions with Answers

Sample Question 1 — Networked Environment Attack

During an incident response, you suspect that an attacker is performing a Man-in-the-Middle (MitM) attack on your network. You decide to use Wireshark to analyze the network traffic. Which of the following indicators in the packet capture would most likely confirm the presence of a MitM attack?

  A. Numerous ARP requests and replies with conflicting IP and MAC addresses.
  B. A high number of HTTP 404 errors in web traffic.
  C. Unusually large DNS query responses.
  D. Consistent TCP retransmissions and out-of-order packets.

Correct answer: A

Explanation: Option A is correct. ARP spoofing is the usual way to become a man-in-the-middle on a LAN: the attacker sends ARP replies that map the gateway's IP address (and often the victim's) to the attacker's own MAC, so the capture shows the same IP address claimed by two different MAC addresses, typically in a stream of replies that nobody requested. Wireshark flags this in Expert Information as "Duplicate IP address detected" (display filter arp.duplicate-address-detected). Confirm it against the switch's MAC address table before acting, because a legitimate IP change or a gateway failover can trigger the same warning once. Option B (HTTP 404 errors) indicates broken links or misconfiguration, not interception. Option C (large DNS responses) points toward DNS amplification rather than MitM. Option D (TCP retransmissions and out-of-order packets) is usually congestion or packet loss; a relaying attacker may add latency, but retransmissions alone are not evidence of interception.
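The indicator described above can be checked programmatically. The following is an added example for this page, not code from the practice test or from SANS/GIAC: it takes ARP packet records (constructed here, with made-up addresses, to mirror the fields you would export from Wireshark or tshark: arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4, arp.dst.proto_ipv4) and reports IPs claimed by more than one MAC, replies that answer no request, and the MAC that sits on both sides of the conversation.

```python
"""Detect ARP spoofing indicators in a set of observed ARP packets.

Added example for this page, not code from the practice test or from SANS/GIAC.
The packet records are constructed to mirror the fields you would export from
Wireshark/tshark (arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4,
arp.dst.proto_ipv4); the addresses are made up.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class ArpPacket(NamedTuple):
    ts: float        # capture timestamp in seconds
    opcode: int      # 1 = request, 2 = reply
    sender_mac: str  # arp.src.hw_mac
    sender_ip: str   # arp.src.proto_ipv4
    target_ip: str   # arp.dst.proto_ipv4


def ip_to_mac_conflicts(packets: List[ArpPacket]) -> Dict[str, Set[str]]:
    """Return every IP that was claimed by more than one MAC address.

    Each ARP packet, request or reply, asserts "sender_ip is at sender_mac".
    One IP should map to one MAC, so two MACs claiming the same IP is the
    cache-poisoning signature Wireshark reports as "Duplicate IP address
    detected" (display filter: arp.duplicate-address-detected).
    """
    claims: Dict[str, Set[str]] = defaultdict(set)
    for p in packets:
        claims[p.sender_ip].add(p.sender_mac.lower())
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def unsolicited_replies(packets: List[ArpPacket], window: float = 2.0) -> List[ArpPacket]:
    """Return ARP replies with no matching request in the preceding `window` seconds.

    Spoofing tools keep the victim's cache poisoned by sending replies nobody
    asked for, so a reply that answers no recent request is suspicious even
    before a conflict is visible.
    """
    last_request: Dict[str, float] = {}  # target_ip -> time of the latest request
    suspicious: List[ArpPacket] = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.opcode == 1:
            last_request[p.target_ip] = p.ts
        elif p.opcode == 2:
            asked = last_request.get(p.sender_ip)
            if asked is None or p.ts - asked > window:
                suspicious.append(p)
    return suspicious


def likely_mitm_macs(packets: List[ArpPacket]) -> Dict[str, Set[str]]:
    """Return MACs that claim two or more of the contested IPs.

    A full MitM poisons both sides: the attacker tells the victim "I am the
    gateway" and tells the gateway "I am the victim", so one MAC appears as
    the sender for both contested IPs. Legitimate hosts claim only their own.
    """
    contested = ip_to_mac_conflicts(packets)
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for p in packets:
        if p.sender_ip in contested:
            mac_to_ips[p.sender_mac.lower()].add(p.sender_ip)
    return {mac: ips for mac, ips in mac_to_ips.items() if len(ips) > 1}


# Constructed capture: 10.0.0.1 is the gateway (aa:...:01), 10.0.0.20 a client
# (aa:...:20). From t=5s a third host (cc:...:99) claims both addresses.
SAMPLE_CAPTURE = [
    ArpPacket(0.0, 1, "aa:aa:aa:aa:aa:20", "10.0.0.20", "10.0.0.1"),  # who has 10.0.0.1?
    ArpPacket(0.1, 2, "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.20"),  # legitimate reply
    ArpPacket(5.0, 2, "cc:cc:cc:cc:cc:99", "10.0.0.1", "10.0.0.20"),  # spoofed gateway
    ArpPacket(5.0, 2, "cc:cc:cc:cc:cc:99", "10.0.0.20", "10.0.0.1"),  # spoofed client
    ArpPacket(7.0, 2, "cc:cc:cc:cc:cc:99", "10.0.0.1", "10.0.0.20"),  # re-poison
]

if __name__ == "__main__":
    for ip, macs in ip_to_mac_conflicts(SAMPLE_CAPTURE).items():
        print(f"{ip} claimed by {sorted(macs)}")
    print(f"{len(unsolicited_replies(SAMPLE_CAPTURE))} unsolicited replies")
    print("likely MitM MAC(s):", likely_mitm_macs(SAMPLE_CAPTURE))
```

The three checks are deliberately separate: a single duplicate-IP warning can be a benign address change, unsolicited replies alone can be a chatty failover, but one MAC claiming both the gateway and a client, with nobody having asked, is the combination an incident handler should treat as an active MitM.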

Sample Question 2 — Networked Environment Attack

You are tasked with investigating a suspected network attack where the attacker exploited a vulnerability in a protocol to gain unauthorized access. Using Nmap, you perform a service version scan on the target network. Which Nmap command would you use to identify the services and their versions running on the target hosts?

  A. nmap -sP 192.168.1.0/24
  B. nmap -sV 192.168.1.0/24
  C. nmap -sS 192.168.1.0/24
  D. nmap -A 192.168.1.0/24

Correct answer: B

Explanation: Option B is correct because '-sV' enables service version detection: after finding open ports, Nmap sends protocol probes and matches the responses against its nmap-service-probes database to report the service name, product and version. Option A ('-sP') is the old name for '-sn', a host-discovery (ping) scan that reports only which hosts are up and returns no port or version data. Option C ('-sS') is the default privileged TCP SYN (half-open) scan; it lists open ports but names services only by port number, not by what is actually listening. Option D ('-A') turns on OS detection, version detection, default NSE scripts and traceroute, so it would also return versions, but it is far broader and noisier than the specific version-detection option the question asks for.

Sample Question 3 — Networked Environment Attack

During a routine network monitoring session, an incident handler observes unusual outbound traffic patterns from a critical server, possibly indicating exfiltration. What is the most effective initial action the incident handler should take to begin addressing the situation?

  A. Immediately shut down the server to prevent further data loss.
  B. Use Wireshark to capture and analyze the network traffic from the server.
  C. Notify the IT security team and escalate the incident for further investigation.
  D. Run a full antivirus scan on the server to check for any malware.

Correct answer: B

Explanation: The best initial action is to capture and analyze the server's network traffic with Wireshark (Option B). The capture shows where the traffic is going, over which ports and protocols, how much is leaving and whether it follows a schedule, which is the evidence every later step rests on. Capture from a SPAN/mirror port, a tap or a dedicated sensor rather than by installing tools on the suspect server, so the host is not altered and the attacker is not alerted. Shutting the server down (Option A) is premature and destroys volatile evidence such as memory contents and live connections. Notifying the IT security team (Option C) is necessary, but a first look at the traffic gives the escalation concrete facts (destinations, volumes, timing) to act on. An antivirus scan (Option D) may or may not find anything and does not explain the traffic that was observed.

Sample Question 4 — Networked Environment Attack

During an investigation, you suspect that an unauthorized device is connected to your network. Which of the following is the most effective initial action to identify the device?

  A. Run an Nmap scan to identify all active hosts on the network.
  B. Use Wireshark to capture and analyze network traffic.
  C. Check the DHCP server logs for new leases.
  D. Perform a physical walk-through of the network area.

Correct answer: A

Explanation: An Nmap host-discovery scan (nmap -sn) is the most effective initial action because it quickly enumerates the live hosts on the network, including ones nobody provisioned. On the local segment Nmap discovers hosts with ARP requests, which a device cannot refuse to answer, so it finds hosts with static addresses or host firewalls that drop ICMP; across routed segments it falls back to ICMP and TCP probes and a firewalled device may stay hidden, so cross-check the results against DHCP leases and switch MAC address tables. Checking DHCP logs alone (Option C) misses devices configured with static IPs, which is exactly what an attacker's device often uses. Wireshark (Option B) shows only hosts that happen to be talking while you capture and is better suited to analyzing the suspect device's traffic once it is found. A physical walk-through (Option D) is slow and may not be feasible in large environments.
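Both the service-version question (Sample Question 2) and the unauthorized-device question above end with the same practical step: reading what Nmap found and comparing it with what the network should contain. The following is an added example for this page, not code from the practice test or from the Nmap project. It parses Nmap's XML output (the XML is constructed here to follow the structure Nmap writes with -oX for both `nmap -sn` and `nmap -sV`; addresses, banners and the DHCP lease table are made up) and lists any live host that the DHCP server never leased an address to, which is the static-IP case the explanation warns DHCP logs will miss.

```python
"""Parse Nmap XML output (-oX) and reconcile live hosts against DHCP leases.

Added example for this page, not code from the practice test or from the Nmap
project. The XML below is constructed to follow the structure Nmap writes with
-oX for `nmap -sn` (host discovery) and `nmap -sV` (service/version detection);
the addresses, banners and lease table are made up.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional


class Host(NamedTuple):
    ip: str
    mac: Optional[str]   # Nmap only learns the MAC for hosts on its own segment
    services: List[str]  # "port/proto name product version" for each open port


def parse_nmap_xml(xml_text: str) -> List[Host]:
    """Return the hosts Nmap reported as up, with open ports and versions.

    Works for -sn output too: those hosts simply have an empty services list.
    """
    root = ET.fromstring(xml_text)
    hosts: List[Host] = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue
        ip: Optional[str] = None
        mac: Optional[str] = None
        for addr in h.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr", "").lower()
        services: List[str] = []
        for port in h.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            fields = [f"{port.get('portid')}/{port.get('protocol')}"]
            if svc is not None:  # -sV fills product/version; without it only name is guessed by port
                fields += [svc.get("name", ""), svc.get("product", ""), svc.get("version", "")]
            services.append(" ".join(f for f in fields if f))
        if ip:
            hosts.append(Host(ip, mac, services))
    return hosts


def unaccounted_hosts(hosts: List[Host], leases: Dict[str, str]) -> List[Host]:
    """Return live hosts the DHCP server did not hand their address to.

    `leases` maps MAC -> leased IP. A host with no lease is using a static
    address (the case DHCP logs miss); a host whose IP differs from its lease
    is squatting on an address. Hosts with no MAC in the scan (off-segment)
    cannot be checked this way and are reported for manual follow-up.
    """
    return [h for h in hosts if h.mac is None or leases.get(h.mac) != h.ip]


# Constructed -oX output: one inventoried server and one unknown SMB host.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac" vendor="Dell"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.77" addrtype="ipv4"/>
<address addr="de:ad:be:ef:00:01" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Samba smbd" version="4.6.2" method="probed" conf="10"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.99" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed DHCP lease table (MAC -> IP) as exported from the DHCP server.
SAMPLE_LEASES = {"00:11:22:33:44:55": "192.168.1.10"}

if __name__ == "__main__":
    live = parse_nmap_xml(SAMPLE_XML)
    for h in live:
        print(h.ip, h.mac, h.services)
    for h in unaccounted_hosts(live, SAMPLE_LEASES):
        print("no DHCP lease:", h.ip, h.mac, h.services)
```

Run the scan with `-oX` rather than screen-scraping the normal output; the XML is the stable interface, and the same parser then serves the quick `-sn` sweep used to find the device and the later `-sV` scan used to find out what it is running.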

Sample Question 5 — Networked Environment Attack

You are alerted to a potential malware infection on a networked workstation. What is the best first step to take in response to this alert?

  A. Immediately disconnect the workstation from the network.
  B. Perform a full antivirus scan on the workstation.
  C. Collect volatile data from the workstation.
  D. Notify the incident response team and wait for further instructions.

Correct answer: A

Explanation: The best first step is to disconnect the workstation from the network (Option A), by unplugging the cable, disabling the switch port or moving it to a quarantine VLAN, so the malware can neither spread nor reach its controller. Disconnect the network; do not power the machine off: memory, running processes and the malware's own state then remain available for the volatile-data collection (Option C) that should follow immediately after containment. A full antivirus scan (Option B) belongs after containment and evidence collection, since it can alter or delete the artifacts you need. Notifying the incident response team (Option D) is required, but it must not delay this immediate containment action.

Sample Question 6 — Networked Environment Attack

You receive a report of unusual outbound network traffic from a server. What is the most practical first step to investigate this issue?

  A. Use Wireshark to capture and analyze outbound traffic from the server.
  B. Check the server's firewall rules for recent changes.
  C. Review the server's event logs for any suspicious activities.
  D. Run a vulnerability scan on the server.

Correct answer: A

Explanation: Capturing and analyzing the outbound traffic with Wireshark (Option A) is the most practical first step because it shows directly what is leaving the server: destination addresses and ports, volume and timing. That tells you whether you are looking at a bulk transfer, periodic beaconing or benign traffic, and gives the later steps something concrete to search for. Checking firewall rules (Option B) and reviewing event logs (Option C) are important follow-ups, for example to find which process opened the connections or whether a rule was changed to allow them, but they come after establishing what the traffic is. A vulnerability scan (Option D) tells you how the server could be compromised, not what it is currently doing.
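Sample Questions 3 and 6 both stop at "capture and analyze the outbound traffic"; what the analysis actually looks for is worth showing. The following is an added example for this page, not code from the practice test or from Wireshark. It works on flow summaries (constructed here; the fields mirror what Wireshark's Statistics > Conversations view or a Zeek conn.log provides: time, source, destination, destination port, bytes sent) and answers the two questions an incident handler asks first: which destinations received the most data, and does any destination get contacted on a machine-regular schedule.

```python
"""Triage unusual outbound traffic from one host using flow summaries.

Added example for this page, not code from the practice test or from Wireshark.
The flow records are constructed; the fields mirror what Wireshark's
Statistics > Conversations view (or a Zeek conn.log) gives you: time, source,
destination, destination port and bytes sent by the source.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Flow(NamedTuple):
    ts: float       # seconds since capture start
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent by src in this connection


def is_external(ip: str) -> bool:
    """True if `ip` is outside the RFC 1918 private ranges, i.e. the data left the site."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def bytes_by_destination(flows: List[Flow], src: str) -> List[Tuple[str, int, int, bool]]:
    """Total bytes `src` sent to each (dst, port), largest first, flagged if external.

    A single huge transfer to an outside address is the bulk-exfiltration case;
    the destination and port are what you block and what you look up next in
    the proxy and firewall logs.
    """
    totals: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        if f.src == src:
            totals[(f.dst, f.dport)] += f.bytes_out
    rows = [(d, p, b, is_external(d)) for (d, p), b in totals.items()]
    return sorted(rows, key=lambda r: -r[2])


def beacon_candidates(flows: List[Flow], src: str, min_count: int = 4,
                      max_jitter: float = 0.2) -> Dict[Tuple[str, int], float]:
    """Destinations `src` contacts at suspiciously regular intervals.

    For each (dst, port) with at least `min_count` connections, take the gaps
    between consecutive connections; if stdev/mean of the gaps is below
    `max_jitter` the timing is machine-driven. Returns {(dst, port): mean gap}.
    Low-volume periodic traffic like this is the C2 beacon / staged-exfil
    pattern that a pure byte-count view misses.
    """
    times: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    for f in flows:
        if f.src == src:
            times[(f.dst, f.dport)].append(f.ts)
    found: Dict[Tuple[str, int], float] = {}
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            found[key] = m
    return found


SERVER = "10.1.1.50"
# Constructed flows: normal LDAP chatter to a domain controller, a ~60-second
# beacon to an outside host, and one very large upload to a second outside host.
SAMPLE_FLOWS = [
    Flow(0, SERVER, "10.1.1.5", 389, 4200), Flow(13, SERVER, "10.1.1.5", 389, 3900),
    Flow(97, SERVER, "10.1.1.5", 389, 4100), Flow(250, SERVER, "10.1.1.5", 389, 4000),
    Flow(0, SERVER, "203.0.113.7", 443, 1200), Flow(60, SERVER, "203.0.113.7", 443, 1210),
    Flow(121, SERVER, "203.0.113.7", 443, 1190), Flow(180, SERVER, "203.0.113.7", 443, 1200),
    Flow(241, SERVER, "203.0.113.7", 443, 1205),
    Flow(300, SERVER, "198.51.100.9", 443, 262_144_000),
    Flow(5, "10.1.1.60", "203.0.113.7", 443, 500),  # a different host; ignored for SERVER
]

if __name__ == "__main__":
    for dst, port, nbytes, ext in bytes_by_destination(SAMPLE_FLOWS, SERVER):
        print(f"{dst}:{port} {nbytes:>12} bytes {'EXTERNAL' if ext else ''}")
    for (dst, port), gap in beacon_candidates(SAMPLE_FLOWS, SERVER).items():
        print(f"beacon? {dst}:{port} every ~{gap:.0f}s")
```

The two views are complementary: the byte ranking surfaces the one-off 250 MB upload, while the jitter test catches the small, regular TLS connections that carry almost no data and would never top a volume chart. Both results feed straight into the escalation that Option C in Sample Question 3 calls for, with destinations, volumes and timing already in hand.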
