
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Footprinting, Reconnaissance and Scanning

Practice CEH Footprinting, Reconnaissance and Scanning questions with full explanations on every answer.

155 questions


All CEH Footprinting, Reconnaissance and Scanning questions (155)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

2

During a passive reconnaissance phase, a penetration tester uses a tool to gather email addresses, subdomains, and employee names associated with a target domain without directly interacting with the target's systems. Which tool is BEST suited for this purpose?

3

A security analyst notices unusual outbound traffic from an internal server to a known malicious IP address on port 4444. The server is running a web application that was recently scanned using a vulnerability scanner. Which of the following is the MOST likely cause?

4

During a penetration test, you execute the following command: dnsrecon -d example.com -t axfr. The output shows 'AXFR record received' followed by a list of all DNS records. What does this indicate about the target's DNS configuration?

5

Which Google dork would a penetration tester use to find login pages of websites that have 'admin' in the URL?

6

A security team wants to identify all live hosts on a large, Class B private IP network (172.16.0.0/16) as quickly as possible while minimizing network load. Which tool and technique should they use?

7

During a penetration test, you run the following Nmap command: nmap -sS -sV -O -A -T4 --script=default 10.0.0.1. The scan results show that port 443 is open and the service is 'Apache httpd 2.4.29'. However, banner grabbing with Netcat shows 'Apache/2.4.41 (Ubuntu)'. What is the MOST likely explanation for the discrepancy?

8

A security analyst is conducting a vulnerability scan on a web server using Nessus. After the scan, they notice that the server's performance has degraded significantly, and some services have become unresponsive. Which of the following actions could have prevented this issue?

9

During a security assessment, a tester uses Maltego to gather information about a target organization. Which type of reconnaissance is being performed?

10

A penetration tester is attempting to evade an IDS/IPS while performing a port scan. They use the Nmap command: nmap -sS -f --data-length 20 -D RND:10 10.0.0.1. Which techniques are being employed to evade detection?

11

A security analyst receives an alert about a scan originating from an IP address that appears to be using an 'idle scan' technique. Which of the following characteristics would confirm this?

12

A junior penetration tester runs the command: whois example.com. What type of information are they MOST likely trying to obtain?

13

A security analyst is planning a reconnaissance activity that must remain undetected. Which TWO of the following techniques should they choose?

14

During a penetration test, you need to enumerate all DNS records for example.com using a zone transfer. Which TWO tools can be used to attempt this?

15

Which THREE of the following are valid Nmap port states?

16

A security analyst wants to perform passive reconnaissance on a target organization without generating any traffic to the target's network. Which of the following techniques would be MOST appropriate?

17

Which of the following tools is specifically designed to perform Google dorking and automate searching for vulnerable web applications and sensitive information?

18

During a penetration test, you need to identify all live hosts on a target network without being detected by intrusion detection systems. Which Nmap flag would BEST achieve this?

19

A penetration tester executes the following command: nmap -sS -p 1-1000 --script banner 192.168.1.10. After the scan, the tester notices several filtered ports. Which of the following BEST explains why Nmap reports a port as "filtered"?

20

A security analyst is performing reconnaissance on a target domain and wants to discover all subdomains using DNS enumeration. Which of the following commands would be MOST effective for performing a DNS zone transfer attempt?

21

During a penetration test, you run the following command: hping3 -S -p 80 --flood 192.168.1.100. What is the PRIMARY purpose of this command?

22

A penetration tester is conducting a vulnerability scan against a target network. Which of the following tools is BEST suited for this task?

23

An attacker uses a technique where they send a SYN packet with a spoofed source IP address to the target, and the target responds with SYN/ACK to the spoofed IP. The attacker never completes the handshake. This technique is known as:

24

A security analyst receives an alert from the IDS indicating a port scan originating from IP 10.0.0.5. Upon investigation, the analyst finds that 10.0.0.5 is a legitimate internal server. Which type of scan is the attacker likely using to evade detection?

25

Which of the following OSINT techniques would be MOST effective for discovering email addresses and employee names associated with a target organization?

26

A penetration tester is trying to evade an IDS that detects out-of-order TCP packets. The tester uses Nmap with the -f flag. What is the PRIMARY effect of this flag?

27

You are performing a penetration test and need to quickly scan a large IP range (e.g., 10.0.0.0/8) for open ports 80 and 443. Which tool is BEST suited for this high-speed scanning task?

28

Which TWO of the following are passive reconnaissance techniques? (Select 2)

29

Which TWO of the following Nmap flags can be used to bypass firewall restrictions? (Select 2)

30

Which THREE of the following are valid DNS record types that an attacker might query during reconnaissance to gather information about a target domain? (Select 3)

31

A security analyst runs `nmap -sS -sV -A 192.168.1.100` and obtains open ports and service versions. However, the analyst suspects the target is behind an IDS/IPS. Which Nmap technique would BEST evade detection while still performing a similar scan?

32

During a penetration test, you execute `theHarvester -d example.com -b google,linkedin`. What type of data is this tool primarily designed to collect?

33

An attacker uses `nmap -sI 10.0.0.5 192.168.1.10` to scan a target. This technique is known as an idle scan. Which condition is REQUIRED for this scan to work correctly?

34

Which of the following techniques is considered PASSIVE reconnaissance?

35

A security analyst observes unusual outbound traffic from an internal host to an external IP on port 443. The analyst suspects a reverse shell where the internal host initiates an HTTPS connection to the attacker. Which Nmap script would be MOST useful to confirm the nature of this traffic if the analyst can run a scan on the internal host?

36

What is the PRIMARY purpose of performing a DNS zone transfer?

37

A penetration tester wants to identify live hosts on a large IP range without generating excessive network traffic. Which tool is BEST suited for fast host discovery?

38

Which Google dork would a penetration tester use to find login pages that are indexed by Google?

39

During a security assessment, a tester uses `nmap -sU 192.168.1.1`. What type of scan does this command perform?

40

A penetration tester is scanning a target and receives the output: 'PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https'. Which Nmap flag was MOST likely used to obtain this output?

41

An attacker sends a TCP SYN packet to a port and receives a TCP RST packet in response. According to Nmap's port state classification, what is the state of this port?

42

During a reconnaissance phase, a tester uses `dnsrecon -d example.com -t axfr`. What specific DNS query is being attempted?

43

A security analyst wants to perform passive reconnaissance on a target domain. Which TWO of the following methods are considered passive? (Choose 2)

44

Which THREE of the following are examples of OSINT techniques? (Choose 3)

45

A penetration tester runs `nmap -sS -sV -O -p- 192.168.1.10` and receives the following output snippet: 'PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 80/tcp open http Apache httpd 2.4.6 443/tcp open ssl/http Apache httpd 2.4.6'. Which THREE pieces of information can the tester derive from this output? (Choose 3)

46

A security analyst wants to gather information about a target domain without directly interacting with its systems. Which technique would be MOST appropriate?

47

During a penetration test, you run the following command: nmap -sV -p 80 --script http-title 192.168.1.10. The output shows that port 80 is open and the HTTP title is 'Login Portal'. Which phase of the penetration testing methodology does this activity represent?

48

A security analyst observes that an Nmap SYN scan against a target network returns all ports as 'filtered'. The analyst suspects an IDS/IPS is dropping inbound SYN packets. Which Nmap technique would MOST likely bypass this detection while still identifying open ports?

49

A penetration tester is performing reconnaissance and wants to identify email addresses associated with a target domain. Which tool is specifically designed for this purpose?

50

During a security assessment, you execute: dnsenum --enum example.com. The tool returns results including the nameservers (NS), mail servers (MX), and performs a zone transfer attempt. The zone transfer fails. What is the MOST likely reason for the failure?

51

Which of the following best describes the difference between active and passive reconnaissance?

52

A security analyst runs the following command: hping3 -S -p 80 -c 1 192.168.1.1. The response received is an RST/ACK packet. What does this indicate about port 80 on the target?

53

Which Google dork query would an attacker most likely use to find login pages on a web server?

54

A penetration tester uses the following Nmap command: nmap -sS -O -p 1-1000 10.0.0.1. The output shows port 22 as open, and OS detection suggests 'Linux 2.6.x'. The tester then runs: nmap -sV -p 22 10.0.0.1. What additional information does the second scan provide?

55

What is the primary purpose of using the Nmap flag -sS?

56

A security analyst receives an alert that an external IP address is sending fragmented packets to the company's web server on port 80. The analyst suspects the attacker is using Nmap with fragmentation. Which Nmap flag is being used to fragment the probe packets?

57

Which of the following tools would be BEST to use for identifying all live hosts in a large IP range (e.g., 10.0.0.0/8) quickly?

58

Which TWO of the following are passive reconnaissance techniques?

59

Which THREE of the following are correct statements about DNS zone transfers?

60

Which TWO of the following Nmap scans are considered 'stealth' scans that do not complete a full TCP three-way handshake?

61

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

62

During a penetration test, a tester wants to gather email addresses, subdomains, and employee names associated with a target domain. Which of the following tools is specifically designed for such passive reconnaissance?

63

A security team detects unusual outbound traffic from a host that appears to be a reverse shell. Which of the following Nmap features would be MOST effective for identifying the service running on the listening port of the command-and-control server?

64

A penetration tester uses the following Google dork: site:example.com filetype:pdf inurl:confidential. What is the MOST likely goal of this search?

65

During a security assessment, a tester runs hping3 with the command: hping3 -S -p 80 -c 5 10.0.0.1. The response shows that packets with the SYN flag set receive SYN-ACK replies. Which of the following conclusions is MOST accurate?

66

A security analyst wants to identify all live hosts on a network without generating excessive traffic. Which of the following techniques is MOST appropriate for this purpose?

67

A security engineer is concerned about DNS zone transfer attacks. Which of the following countermeasures would be MOST effective in preventing unauthorized zone transfers?

68

A penetration tester receives the following output from a tool: 'Starting dnsrecon.py -d example.com -t axfr' and then a list of all DNS records. Which of the following BEST describes what occurred?

69

An analyst wants to perform a SYN flood attack test against a server to evaluate its resilience. Which of the following tools would be the MOST appropriate for this task?

70

During a penetration test, a tester uses Nmap with the command: nmap -sS -D RND:10 192.168.1.100. After the scan, the IDS logs show multiple SYN packets from different source IPs hitting the target. However, the tester's true IP is not among them. Which of the following techniques is being used?

71

Which of the following tools is specifically designed to search the internet for exposed devices and services, such as industrial control systems and webcams, using banners and metadata?

72

A penetration tester runs the following command: masscan 10.0.0.0/24 -p80,443,8080 --rate=10000. Compared to Nmap, what is the PRIMARY advantage of using Masscan for this scan?

73

Which TWO of the following are passive reconnaissance techniques? (Select 2)

74

Which THREE of the following Nmap flags are commonly used for evasion techniques? (Select 3)

75

Which TWO of the following are valid port states that Nmap can report? (Select 2)

76

A security analyst wants to gather information about a target domain using publicly available sources without directly interacting with the target’s systems. Which type of reconnaissance is being performed?

77

Which command-line tool is specifically designed to extract email addresses, subdomains, and other information from public sources (e.g., search engines, social media) for a given domain?

78

During a penetration test, a tester runs 'dnsrecon -d example.com -t axfr' and receives a full list of DNS records. What does this indicate about the target's DNS configuration?

79

An analyst executes 'nmap -sU -p 161,162 10.0.0.1'. What is the primary purpose of this scan?

80

While performing reconnaissance, a tester uses a Google dork to find login pages exposed on the internet. Which of the following is an example of a Google dork that could be used for this purpose?

81

A penetration tester runs 'nmap -sS -p 80 --script http-title 192.168.1.100' and receives output indicating port 80 is 'filtered'. What does the 'filtered' state imply?

82

An attacker uses an idle scan with Nmap to probe a target. This technique relies on a third-party host with a predictable IP ID sequence to infer port states. Which Nmap flag enables an idle scan?

83

During a security assessment, a tester uses Netcat to connect to a target's SMTP port and receive the service banner. Which command would achieve this?

84

A security analyst is asked to perform a fast scan of a large network (e.g., /16 subnet) to identify live hosts. Which tool is MOST suitable for this task due to its high speed?

85

Which of the following techniques involves sending crafted packets to a target to elicit responses that reveal the operating system?

86

An incident responder notices unusual outbound traffic from a host that is communicating with an external IP on port 4444. The traffic appears to be encrypted. Which tool could be used to initiate a connection to that external IP to gather a banner for service identification?

87

A security analyst runs a vulnerability scan with Nessus and receives a report indicating that multiple hosts have the 'MS17-010' vulnerability. What is the MOST likely impact of this vulnerability if exploited?

88

Which TWO of the following Nmap flags are used for evasion of IDS/IPS? (Choose two.)

89

Which THREE of the following are common techniques used during the footprinting phase? (Choose three.)

90

A penetration tester is conducting reconnaissance and wants to identify live hosts in a range without being detected. Which TWO techniques would be MOST appropriate? (Choose two.)

91

A security analyst wants to discover all DNS records associated with a domain without triggering a full zone transfer. Which tool is BEST suited for this task?

92

During a penetration test, you run the command: nmap -sU -p 161,162 --script=snmp-brute 192.168.1.100. Which of the following is the PRIMARY goal of this scan?

93

A security analyst notices that their Nmap scan results show all ports as 'filtered' despite the target host being alive and responsive to ping. Which of the following is the MOST likely cause?

94

Which of the following Google dorks would an attacker MOST likely use to find login pages of web applications that are publicly accessible?

95

During a reconnaissance phase, a penetration tester uses Shodan to search for devices with a specific open port. Which of the following BEST describes what Shodan provides beyond a simple port scan?

96

A security analyst runs the Nmap command: nmap -sI 192.168.1.50 -p 80 10.0.0.1. The scan completes, but the target shows no open ports. What is the MOST likely explanation?

97

A penetration tester wants to perform a ping sweep on a /24 subnet to identify live hosts. Which command would accomplish this efficiently?

98

Which of the following is a passive OS fingerprinting technique that does NOT send any packets to the target?

99

A security analyst wants to perform banner grabbing on a web server without establishing a full TCP connection. Which tool would be MOST appropriate?

100

During a vulnerability scan using Nessus, a security analyst discovers that the target host shows a 'High' severity vulnerability for 'SSL/TLS Renegotiation DoS'. What does this vulnerability indicate?

101

Which of the following Nmap flags would an attacker use to evade IDS by sending fragmented IP packets?

102

A penetration tester uses theHarvester to gather information about a target domain. Which of the following data types is theHarvester PRIMARILY designed to collect?

103

Which TWO of the following techniques are considered passive reconnaissance? (Select exactly 2.)

104

Which THREE of the following are valid Nmap flags that can be used to evade detection by an IDS? (Select exactly 3.)

105

A penetration tester wants to perform DNS zone transfer enumeration. Which TWO of the following tools can be used for this purpose? (Select exactly 2.)

106

A security analyst performs a passive reconnaissance of a target domain using public resources. Which of the following techniques would be considered passive reconnaissance?

107

During a penetration test, the tester wants to discover all subdomains of a target domain using an OSINT technique. Which tool is specifically designed for subdomain enumeration via search engines and public records?

108

A security analyst notices a large number of incomplete TCP connections (SYN_RECV) on a server. Which Nmap scan type is the MOST likely cause of this symptom?

109

A penetration tester uses the following Google dork: intitle:"index of" "backup" site:example.com. What is the MOST likely goal of this search?

110

An analyst runs the following command: dnsenum --enum example.com. Which of the following actions is dnsenum performing?

111

Which Nmap flag is used to perform a TCP SYN scan without completing the three-way handshake?

112

During a penetration test, the tester needs to identify the operating system of a remote host without sending any packets to it. Which technique should the tester use?

113

A security analyst runs the command: nmap -sS -p 80,443,8080 --script http-headers scanme.nmap.org. The output shows that port 80 is filtered. What does 'filtered' mean in this context?

114

Which of the following tools is specifically designed for high-speed port scanning across large address spaces?

115

A penetration tester wants to evade an IDS while scanning a target network. The tester uses the Nmap command: nmap -sS -f 10.10.10.1. What does the -f flag accomplish?

116

A security analyst observes the following Nmap output for a target host: PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https. The analyst then runs a version detection scan and notices that port 80 reports 'Apache httpd 2.4.41' but port 443 reports 'Apache httpd 2.4.41' as well. What is the MOST likely conclusion?

117

During a vulnerability assessment, which of the following tools is a comprehensive vulnerability scanner that uses a plugin architecture to detect thousands of vulnerabilities?

118

Which TWO of the following are examples of active reconnaissance techniques? (Select two)

119

Which THREE of the following Nmap options can be used to evade detection by IDS/IPS? (Select three)

120

A penetration tester is conducting DNS enumeration. Which TWO of the following tools are specifically designed for DNS enumeration? (Select two)

121

Which of the following tools is PRIMARILY used for passive OSINT gathering and can query multiple search engines, social media platforms, and public databases to collect information about a target?

122

A security analyst runs `nmap -sU -p 161,162 10.0.0.1` and receives output showing port 161/udp is open. Which service is MOST likely running on this port?

123

During a penetration test, you execute a DNS zone transfer request against a target domain and succeed. Which type of DNS record would you expect to reveal the mail servers for the domain?

124

Which TWO techniques are considered active reconnaissance? (Choose TWO.)

125

A penetration tester wants to perform a stealthy TCP scan that does not complete the three-way handshake. Which Nmap flag should be used?

126

You are investigating a suspected data exfiltration. Network logs show an internal host performing numerous DNS queries to a domain that does not exist in any organization records. The queries use various subdomains. Which technique is the attacker MOST likely using?

127

Which THREE of the following are common countermeasures to prevent DNS zone transfers from being abused? (Choose THREE.)

128

A security team observes repeated Nmap scans from an external IP address. The scans show fragmented IP packets. Which evasion technique is the attacker using?

129

Which of the following is an example of passive OS fingerprinting?

130

During a vulnerability scan with Nessus, you find that port 445/TCP is open on a Windows server. Which of the following is the MOST likely associated risk?

131

A security analyst issues the command `dnsenum example.com` and receives a list of subdomains, mail servers, and name servers. What information is revealed by the presence of multiple MX records?

132

Which TWO of the following are considered passive reconnaissance techniques? (Choose TWO.)

133

You need to perform a fast scan of all 65535 TCP ports on a target IP address. Which tool is specifically designed for high-speed scanning and can surpass Nmap's speed on large-scale networks?

134

Which THREE of the following are valid Nmap NSE scripts that could be used for service version detection or vulnerability scanning? (Choose THREE.)

135

A penetration tester runs `nmap -sI 192.168.1.10 -p 80 10.0.0.1` and receives output indicating port 80 is open. The scan uses a zombie host. Which type of scan is this?

136

A security analyst wants to gather information about a target domain without sending any packets to the target. Which technique should the analyst use?

137

During a penetration test, the tester uses a tool that queries search engines with specific operators to find sensitive information such as login pages, exposed directories, and file types. Which tool or technique is being used?

138

A penetration tester observes that an Nmap SYN scan shows all 1000 TCP ports as open. The tester suspects the target is using a security appliance that responds with SYN-ACK to all connection attempts, regardless of the actual port state. Which type of Nmap scan would be MOST effective in determining the true state of the ports?

139

An incident responder analyzes logs and finds repeated failed zone transfer attempts from an external IP. The zone transfer requests are targeting the domain example.com. Which DNS record type, if misconfigured, would allow this attack to succeed?

140

Which of the following tools is specifically designed to perform fast internet-wide scanning, often used in the reconnaissance phase to discover open ports across large IP ranges?

141

A penetration tester runs the following Nmap command: nmap -sU -sS -p 53,161,162,500 10.0.0.1 and receives no responses for UDP scans but standard results for TCP. The tester suspects the target is dropping all UDP packets. Which Nmap option could help increase the likelihood of UDP responses by fragmenting the probe?

142

Which of the following is the PRIMARY purpose of banner grabbing during the reconnaissance phase?

143

During a vulnerability assessment, a security analyst receives an alert from the IDS that a scan with fragmented packets and spoofed source IPs is targeting the internal network. Which Nmap command MOST likely caused this alert?

144

Which TWO of the following are examples of passive OS fingerprinting techniques? (Select 2)

145

Which TWO of the following Nmap scan types are MOST effective for evading a stateful firewall that only allows established connections? (Select 2)

146

Which TWO of the following are common OSINT tools for passive reconnaissance? (Select 2)

147

Which THREE of the following are valid methods to prevent DNS zone transfer attacks? (Select 3)

148

Which THREE of the following are legitimate uses of the Shodan search engine in a security assessment? (Select 3)

149

Which TWO of the following describe the state of a port when Nmap reports it as 'filtered'? (Select 2)

150

Which TWO of the following are examples of active reconnaissance? (Select 2)

151

A penetration tester runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

152

During a penetration test, a security analyst observes that Nmap SYN scans to a target server are not returning any results, but TCP connect scans succeed. The server is running an IDS. Which evasion technique is the analyst MOST likely encountering?

153

A security analyst wants to gather information about a target domain using public records without directly interacting with the target's systems. Which technique is the analyst employing?

154

Which TWO OSINT tools are commonly used to gather email addresses and subdomains associated with a target domain? (Select 2)

155

A security analyst is conducting passive reconnaissance on a target organization. Which THREE of the following are examples of passive reconnaissance techniques? (Select 3)


Frequently asked questions

What does the Footprinting, Reconnaissance and Scanning domain cover on the CEH exam?

The Footprinting, Reconnaissance and Scanning domain covers the key concepts tested in this area of the CEH exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CEH domains — no account required.

How many Footprinting, Reconnaissance and Scanning questions are in the CEH question bank?

The Courseiva CEH question bank contains 155 questions in the Footprinting, Reconnaissance and Scanning domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Footprinting, Reconnaissance and Scanning for CEH?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Footprinting, Reconnaissance and Scanning questions for CEH?

Yes — the session launcher on this page draws questions exclusively from the Footprinting, Reconnaissance and Scanning domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
