Free GCIH SMB Security Practice Test 2026 — GIAC Incident Handler Questions

This free GCIH SMB Security practice test covers SMB security — SMB enumeration, EternalBlue, NTLM relay attacks, SMB signing, null sessions, and SMBGhost. Each question includes a detailed explanation — perfect for GIAC Certified Incident Handler / SANS SEC504 exam prep.

6 Free GCIH SMB Security Practice Questions with Answers

Sample Question 1 — SMB Security

During a routine security assessment of your network, you discover that an attacker is using a null session to enumerate user accounts and shares on your Windows server via SMB. Which of the following actions is the most effective immediate response to mitigate this threat?

  A. Disable SMBv1 on the server.
  B. Block TCP ports 139 and 445 on the firewall. (Correct answer)
  C. Enable SMB signing on the server.
  D. Implement a strong password policy for all user accounts.

Correct answer: B

Explanation: Blocking TCP ports 139 and 445 on the firewall is the most effective immediate action to prevent unauthorized access via SMB, as these ports are used for SMB communication. Disabling SMBv1 (Option A) is a good security practice but may not immediately stop ongoing null session attacks. Enabling SMB signing (Option C) helps ensure data integrity but does not directly stop null sessions. Implementing a strong password policy (Option D) is important but does not address the immediate threat posed by null sessions.

Sample Question 2 — SMB Security

An incident response team is investigating a data breach in which an attacker exploited an SMB vulnerability to gain unauthorized access to sensitive files. Which of the following tools would be most useful for the team to analyze network traffic and identify the SMB exploit used by the attacker?

  A. Volatility
  B. Metasploit
  C. Wireshark (Correct answer)
  D. John the Ripper

Correct answer: C

Explanation: Wireshark is a network protocol analyzer that can capture and analyze network traffic, making it the most suitable tool for identifying SMB exploits by examining the packets transmitted over the network. Volatility (Option A) is used for memory forensics, Metasploit (Option B) is a penetration testing framework, and John the Ripper (Option D) is a password cracking tool, none of which are specifically designed for analyzing network traffic.

Sample Question 3 — SMB Security

During a routine network monitoring session, an incident handler notices unusual SMB traffic originating from a critical server. The traffic pattern suggests potential lateral movement by an attacker. What is the most effective initial action the incident handler should take to triage this situation?

  A. Immediately shut down the affected server to prevent further compromise.
  B. Use Wireshark to capture and analyze the SMB traffic for suspicious patterns.
  C. Isolate the server from the network to prevent further unauthorized access. (Correct answer)
  D. Run an Nmap scan on the server to identify open SMB-related ports.

Correct answer: C

Explanation: The most effective initial action is to isolate the server from the network (Option C). This step helps contain the potential threat, preventing further lateral movement and unauthorized access. While analyzing traffic with Wireshark (Option B) or running an Nmap scan (Option D) can provide valuable information, they do not immediately stop the threat. Shutting down the server (Option A) could result in data loss and disrupt critical services without necessarily stopping the attacker.

Sample Question 4 — SMB Security

During an incident response, you suspect unauthorized access to a Windows file share via SMB. What is the most effective initial step to confirm this suspicion?

  A. Run a full system antivirus scan on the file server.
  B. Check the Windows Event Logs for SMB-related events. (Correct answer)
  C. Use Wireshark to capture live network traffic.
  D. Perform a vulnerability scan using Nmap.

Correct answer: B

Explanation: The most effective initial step is to check the Windows Event Logs for SMB-related events. This provides immediate insight into any unauthorized access attempts or successful connections to the SMB share. Option A, running an antivirus scan, is not specific to SMB and may not reveal access attempts. Option C, using Wireshark, is more time-consuming and requires capturing specific traffic, which may not be feasible immediately. Option D, a vulnerability scan, identifies vulnerabilities rather than detecting unauthorized access.

Sample Question 5 — SMB Security

You receive an alert about a potential SMB brute force attack on your network. What should be your first step in handling this incident?

  A. Immediately block the source IP address at the firewall.
  B. Capture and analyze network traffic using Wireshark.
  C. Review the authentication logs for failed login attempts. (Correct answer)
  D. Isolate the affected server from the network.

Correct answer: C

Explanation: The first step should be to review the authentication logs for failed login attempts. This will confirm whether a brute force attack is occurring by showing multiple failed attempts. Option A, blocking the IP address, may be premature without confirming the attack. Option B, capturing traffic, is useful but not the first step. Option D, isolating the server, is an extreme measure that should be considered after confirming the attack and assessing its impact.

Sample Question 6 — SMB Security

An incident handler is tasked with investigating a suspected SMB vulnerability exploitation. What is the most practical first step they should take?

  A. Run a vulnerability scan with Nmap to identify open SMB ports.
  B. Check for recent patches and updates applied to the SMB service. (Correct answer)
  C. Deploy an intrusion detection system (IDS) to monitor SMB traffic.
  D. Analyze the SMB configuration files for misconfigurations.

Correct answer: B

Explanation: The most practical first step is to check for recent patches and updates applied to the SMB service. This helps determine whether the system is vulnerable to known exploits. Option A, scanning with Nmap, is useful but serves discovery more than vulnerability assessment. Option C, deploying an IDS, is a longer-term solution rather than an immediate first step. Option D, analyzing configuration files, is important but secondary to ensuring the system is patched.