Practice CEH Footprinting and Reconnaissance questions with full explanations on every answer.
Start practicing
Footprinting and Reconnaissance — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A penetration tester is performing a footprinting exercise on a target company. The tester wants to identify the network range and ISP of the target. Which of the following tools or techniques is MOST appropriate for this purpose?
2During the reconnaissance phase, a tester discovers that the target company's email server is configured to automatically respond to delivery status notifications (DSNs). Which type of attack could this information facilitate?
3A security analyst is tasked with performing passive reconnaissance on a target organization. Which of the following is the BEST approach to gather information about the target's technology stack without directly interacting with the target's systems?
4An ethical hacker wants to discover subdomains of a target domain using only public information. Which of the following techniques is MOST effective?
5During footprinting, a tester finds that the target's DNS server allows recursive queries from the internet. What is the MOST significant security implication of this finding?
6Which TWO of the following are examples of passive footprinting techniques? (Select exactly 2.)
7Which THREE of the following are valid pieces of information that can be gathered from a properly configured Netcraft site report? (Select exactly 3.)
8An ethical hacker runs the command shown in the exhibit. Which of the following conclusions can be drawn from the output?
9You are a penetration tester hired to perform a security assessment for a medium-sized e-commerce company, "ShopSmart". The company hosts its website on a shared hosting environment and uses a third-party payment gateway. Your goal is to gather as much information as possible without triggering any alarms. During the initial footprinting, you discover that the company's domain "shopsmart.com" was registered five years ago and the WHOIS record shows the registrant's name, address, phone number, and email. The email address is "admin@shopsmart.com". You also find a job posting on LinkedIn that mentions they are looking for a "Senior PHP Developer with experience in Laravel and MySQL". Additionally, by using the Wayback Machine, you find an old version of the site that includes a comment in the HTML source: "<!-- TODO: Remove debug page before launch: /dev/test.php -->". You attempt to access /dev/test.php but receive a 404 error. What should you do NEXT to maximize information gain while remaining passive?
10During a penetration test, you are tasked with performing footprinting on a target organization. You have identified the target's IP range 192.168.1.0/24. Which of the following techniques would provide the most comprehensive information about the target's network topology and potential entry points?
11Which TWO of the following tools are specifically designed for footprinting and reconnaissance tasks? (Select two.)
12What can be inferred from the output?
13You are a penetration tester for a security firm. Your client, Acme Corp, has requested an external reconnaissance assessment. They have provided their primary domain 'acme.com'. You begin by performing passive footprinting using public sources. After gathering initial information, you want to identify their email servers, subdomains, and any exposed services. You also want to map their network infrastructure without directly interacting with their systems to avoid detection. Which course of action should you take next?
14During a penetration test, you discover that the target organization uses a cloud-based email service. Which technique would allow you to gather employee email addresses and potentially infer internal organizational structure?
15Which TWO of the following tools are commonly used for passive reconnaissance?
16Refer to the exhibit. An attacker runs the nslookup command shown. What information has been gathered?
17Drag and drop the steps to set up a VPN using IPsec in tunnel mode into the correct order.
18Match each CEH phase to its key activity.
The Footprinting and Reconnaissance domain covers the key concepts tested in this area of the CEH exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CEH domains — no account required.
The Courseiva CEH question bank contains 18 questions in the Footprinting and Reconnaissance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Footprinting and Reconnaissance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included