Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CEH Footprinting, Reconnaissance and Scanning • Complete Question Bank

CEH Footprinting, Reconnaissance and Scanning — All Questions With Answers

Complete CEH Footprinting, Reconnaissance and Scanning question bank — all 0 questions with answers and detailed explanations.

155 questions
Question 1 (medium, multiple choice)

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

Question 2 (easy, multiple choice)

During a passive reconnaissance phase, a penetration tester uses a tool to gather email addresses, subdomains, and employee names associated with a target domain without directly interacting with the target's systems. Which tool is BEST suited for this purpose?

Question 3 (medium, multiple choice)

A security analyst notices unusual outbound traffic from an internal server to a known malicious IP address on port 4444. The server is running a web application that was recently scanned using a vulnerability scanner. Which of the following is the MOST likely cause?

Question 4 (hard, multiple choice)

During a penetration test, you execute the following command: dnsrecon -d example.com -t axfr. The output shows 'AXFR record received' followed by a list of all DNS records. What does this indicate about the target's DNS configuration?

Question 5 (easy, multiple choice)

Which Google dork would a penetration tester use to find login pages of websites that have 'admin' in the URL?

Question 6 (medium, multiple choice)

A security team wants to identify all live hosts on a large, Class B private IP network (172.16.0.0/16) as quickly as possible while minimizing network load. Which tool and technique should they use?

Question 7 (hard, multiple choice)

During a penetration test, you run the following Nmap command: nmap -sS -sV -O -A -T4 --script=default 10.0.0.1. The scan results show that port 443 is open and the service is 'Apache httpd 2.4.29'. However, banner grabbing with Netcat shows 'Apache/2.4.41 (Ubuntu)'. What is the MOST likely explanation for the discrepancy?

Question 8 (medium, multiple choice)

A security analyst is conducting a vulnerability scan on a web server using Nessus. After the scan, they notice that the server's performance has degraded significantly, and some services have become unresponsive. Which of the following actions could have prevented this issue?

Question 9 (easy, multiple choice)

During a security assessment, a tester uses Maltego to gather information about a target organization. Which type of reconnaissance is being performed?

Question 10 (hard, multiple choice)

A penetration tester is attempting to evade an IDS/IPS while performing a port scan. They use the Nmap command: nmap -sS -f --data-length 20 -D RND:10 10.0.0.1. Which techniques are being employed to evade detection?

Question 11 (medium, multiple choice)

A security analyst receives an alert about a scan originating from an IP address that appears to be using an 'idle scan' technique. Which of the following characteristics would confirm this?

Question 12 (easy, multiple choice)

A junior penetration tester runs the command: whois example.com. What type of information are they MOST likely trying to obtain?

Question 13 (medium, multi-select)

A security analyst is planning a reconnaissance activity that must remain undetected. Which TWO of the following techniques should they choose?

Question 14 (hard, multi-select)

During a penetration test, you need to enumerate all DNS records for example.com using a zone transfer. Which TWO tools can be used to attempt this?

Question 15 (medium, multi-select)

Which THREE of the following are valid Nmap port states?

Question 16 (easy, multiple choice)

A security analyst wants to perform passive reconnaissance on a target organization without generating any traffic to the target's network. Which of the following techniques would be MOST appropriate?

Question 17 (easy, multiple choice)

Which of the following tools is specifically designed to perform Google dorking and automate searching for vulnerable web applications and sensitive information?

Question 18 (easy, multiple choice)

During a penetration test, you need to identify all live hosts on a target network without being detected by intrusion detection systems. Which Nmap flag would BEST achieve this?

Question 19 (medium, multiple choice)

A penetration tester executes the following command: nmap -sS -p 1-1000 --script banner 192.168.1.10. After the scan, the tester notices several filtered ports. Which of the following BEST explains why Nmap reports a port as "filtered"?

Question 20 (medium, multiple choice)

A security analyst is performing reconnaissance on a target domain and wants to discover all subdomains using DNS enumeration. Which of the following commands would be MOST effective for performing a DNS zone transfer attempt?

Question 21 (medium, multiple choice)

During a penetration test, you run the following command: hping3 -S -p 80 --flood 192.168.1.100. What is the PRIMARY purpose of this command?

Question 22 (medium, multiple choice)

A penetration tester is conducting a vulnerability scan against a target network. Which of the following tools is BEST suited for this task?

Question 23 (medium, multiple choice)

An attacker uses a technique where they send a SYN packet with a spoofed source IP address to the target, and the target responds with SYN/ACK to the spoofed IP. The attacker never completes the handshake. This technique is known as:

Question 24 (medium, multiple choice)

A security analyst receives an alert from the IDS indicating a port scan originating from IP 10.0.0.5. Upon investigation, the analyst finds that 10.0.0.5 is a legitimate internal server. Which type of scan is the attacker likely using to evade detection?

Question 25 (medium, multiple choice)

Which of the following OSINT techniques would be MOST effective for discovering email addresses and employee names associated with a target organization?

Question 26 (hard, multiple choice)

A penetration tester is trying to evade an IDS that detects out-of-order TCP packets. The tester uses Nmap with the -f flag. What is the PRIMARY effect of this flag?

Question 27 (hard, multiple choice)

You are performing a penetration test and need to quickly scan a large IP range (e.g., 10.0.0.0/8) for open ports 80 and 443. Which tool is BEST suited for this high-speed scanning task?

Question 28 (easy, multi-select)

Which TWO of the following are passive reconnaissance techniques? (Select 2)

Question 29 (medium, multi-select)

Which TWO of the following Nmap flags can be used to bypass firewall restrictions? (Select 2)

Question 30 (hard, multi-select)

Which THREE of the following are valid DNS record types that an attacker might query during reconnaissance to gather information about a target domain? (Select 3)

Question 31 (medium, multiple choice)

A security analyst runs `nmap -sS -sV -A 192.168.1.100` and obtains open ports and service versions. However, the analyst suspects the target is behind an IDS/IPS. Which Nmap technique would BEST evade detection while still performing a similar scan?

Question 32 (medium, multiple choice)

During a penetration test, you execute `theHarvester -d example.com -b google,linkedin`. What type of data is this tool primarily designed to collect?

Question 33 (hard, multiple choice)

An attacker uses `nmap -sI 10.0.0.5 192.168.1.10` to scan a target. This technique is known as an idle scan. Which condition is REQUIRED for this scan to work correctly?

Question 34 (easy, multiple choice)

Which of the following techniques is considered PASSIVE reconnaissance?

Question 35 (hard, multiple choice)

A security analyst observes unusual outbound traffic from an internal host to an external IP on port 443. The analyst suspects a reverse shell where the internal host initiates an HTTPS connection to the attacker. Which Nmap script would be MOST useful to confirm the nature of this traffic if the analyst can run a scan on the internal host?

Question 36 (easy, multiple choice)

What is the PRIMARY purpose of performing a DNS zone transfer?

Question 37 (medium, multiple choice)

A penetration tester wants to identify live hosts on a large IP range without generating excessive network traffic. Which tool is BEST suited for fast host discovery?

Question 38 (medium, multiple choice)

Which Google dork would a penetration tester use to find login pages that are indexed by Google?

Question 39 (easy, multiple choice)

During a security assessment, a tester uses `nmap -sU 192.168.1.1`. What type of scan does this command perform?

Question 40 (medium, multiple choice)

A penetration tester is scanning a target and receives the output: 'PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https'. Which Nmap flag was MOST likely used to obtain this output?

Question 41 (hard, multiple choice)

An attacker sends a TCP SYN packet to a port and receives a TCP RST packet in response. According to Nmap's port state classification, what is the state of this port?

Question 42 (medium, multiple choice)

During a reconnaissance phase, a tester uses `dnsrecon -d example.com -t axfr`. What specific DNS query is being attempted?

Question 43 (medium, multi-select)

A security analyst wants to perform passive reconnaissance on a target domain. Which TWO of the following methods are considered passive? (Choose 2)

Question 44 (medium, multi-select)

Which THREE of the following are examples of OSINT techniques? (Choose 3)

Question 45 (hard, multi-select)

A penetration tester runs `nmap -sS -sV -O -p- 192.168.1.10` and receives the following output snippet: 'PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 80/tcp open http Apache httpd 2.4.6 443/tcp open ssl/http Apache httpd 2.4.6'. Which THREE pieces of information can the tester derive from this output? (Choose 3)

Question 46 (easy, multiple choice)

A security analyst wants to gather information about a target domain without directly interacting with its systems. Which technique would be MOST appropriate?

Question 47 (medium, multiple choice)

During a penetration test, you run the following command: nmap -sV -p 80 --script http-title 192.168.1.10. The output shows that port 80 is open and the HTTP title is 'Login Portal'. Which phase of the penetration testing methodology does this activity represent?

Question 48 (hard, multiple choice)

A security analyst observes that an Nmap SYN scan against a target network returns all ports as 'filtered'. The analyst suspects an IDS/IPS is dropping inbound SYN packets. Which Nmap technique would MOST likely bypass this detection while still identifying open ports?

Question 49 (medium, multiple choice)

A penetration tester is performing reconnaissance and wants to identify email addresses associated with a target domain. Which tool is specifically designed for this purpose?

Question 50 (hard, multiple choice)

During a security assessment, you execute: dnsenum --enum example.com. The tool returns results including the nameservers (NS), mail servers (MX), and performs a zone transfer attempt. The zone transfer fails. What is the MOST likely reason for the failure?

Question 51 (easy, multiple choice)

Which of the following best describes the difference between active and passive reconnaissance?

Question 52 (medium, multiple choice)

A security analyst runs the following command: hping3 -S -p 80 -c 1 192.168.1.1. The response received is an RST/ACK packet. What does this indicate about port 80 on the target?

Question 53 (medium, multiple choice)

Which Google dork query would an attacker most likely use to find login pages on a web server?

Question 54 (hard, multiple choice)

A penetration tester uses the following Nmap command: nmap -sS -O -p 1-1000 10.0.0.1. The output shows port 22 as open, and OS detection suggests 'Linux 2.6.x'. The tester then runs: nmap -sV -p 22 10.0.0.1. What additional information does the second scan provide?

Question 55 (easy, multiple choice)

What is the primary purpose of using the Nmap flag -sS?

Question 56 (medium, multiple choice)

A security analyst receives an alert that an external IP address is sending fragmented packets to the company's web server on port 80. The analyst suspects the attacker is using Nmap with fragmentation. Which Nmap flag is being used to fragment the probe packets?

Question 57 (medium, multiple choice)

Which of the following tools would be BEST to use for identifying all live hosts in a large IP range (e.g., 10.0.0.0/8) quickly?

Question 58 (medium, multi-select)

Which TWO of the following are passive reconnaissance techniques?

Question 59 (hard, multi-select)

Which THREE of the following are correct statements about DNS zone transfers?

Question 60 (medium, multi-select)

Which TWO of the following Nmap scans are considered 'stealth' scans that do not complete a full TCP three-way handshake?

Question 61 (medium, multiple choice)

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

Question 62 (easy, multiple choice)

During a penetration test, a tester wants to gather email addresses, subdomains, and employee names associated with a target domain. Which of the following tools is specifically designed for such passive reconnaissance?

Question 63 (hard, multiple choice)

A security team detects unusual outbound traffic from a host that appears to be a reverse shell. Which of the following Nmap features would be MOST effective for identifying the service running on the listening port of the command-and-control server?

Question 64 (medium, multiple choice)

A penetration tester uses the following Google dork: site:example.com filetype:pdf inurl:confidential. What is the MOST likely goal of this search?

Question 65 (hard, multiple choice)

During a security assessment, a tester runs hping3 with the command: hping3 -S -p 80 -c 5 10.0.0.1. The response shows that packets with the SYN flag set receive SYN-ACK replies. Which of the following conclusions is MOST accurate?

Question 66 (easy, multiple choice)

A security analyst wants to identify all live hosts on a network without generating excessive traffic. Which of the following techniques is MOST appropriate for this purpose?

Question 67 (medium, multiple choice)

A security engineer is concerned about DNS zone transfer attacks. Which of the following countermeasures would be MOST effective in preventing unauthorized zone transfers?

Question 68 (medium, multiple choice)

A penetration tester receives the following output from a tool: 'Starting dnsrecon.py -d example.com -t axfr' and then a list of all DNS records. Which of the following BEST describes what occurred?

Question 69 (medium, multiple choice)

An analyst wants to perform a SYN flood attack test against a server to evaluate its resilience. Which of the following tools would be the MOST appropriate for this task?

Question 70 (hard, multiple choice)

During a penetration test, a tester uses Nmap with the command: nmap -sS -D RND:10 192.168.1.100. After the scan, the IDS logs show multiple SYN packets from different source IPs hitting the target. However, the tester's true IP is not among them. Which of the following techniques is being used?

Question 71 (easy, multiple choice)

Which of the following tools is specifically designed to search the internet for exposed devices and services, such as industrial control systems and webcams, using banners and metadata?

Question 72 (medium, multiple choice)

A penetration tester runs the following command: masscan 10.0.0.0/24 -p80,443,8080 --rate=10000. Compared to Nmap, what is the PRIMARY advantage of using Masscan for this scan?

Question 73 (medium, multi-select)

Which TWO of the following are passive reconnaissance techniques? (Select 2)

Question 74 (hard, multi-select)

Which THREE of the following Nmap flags are commonly used for evasion techniques? (Select 3)

Question 75 (easy, multi-select)

Which TWO of the following are valid port states that Nmap can report? (Select 2)

Question 76 (easy, multiple choice)

A security analyst wants to gather information about a target domain using publicly available sources without directly interacting with the target’s systems. Which type of reconnaissance is being performed?

Question 77 (easy, multiple choice)

Which command-line tool is specifically designed to extract email addresses, subdomains, and other information from public sources (e.g., search engines, social media) for a given domain?

Question 78 (medium, multiple choice)

During a penetration test, a tester runs 'dnsrecon -d example.com -t axfr' and receives a full list of DNS records. What does this indicate about the target's DNS configuration?

Question 79 (medium, multiple choice)

An analyst executes 'nmap -sU -p 161,162 10.0.0.1'. What is the primary purpose of this scan?

Question 80 (medium, multiple choice)

While performing reconnaissance, a tester uses a Google dork to find login pages exposed on the internet. Which of the following is an example of a Google dork that could be used for this purpose?

Question 81 (hard, multiple choice)

A penetration tester runs 'nmap -sS -p 80 --script http-title 192.168.1.100' and receives output indicating port 80 is 'filtered'. What does the 'filtered' state imply?

Question 82 (hard, multiple choice)

An attacker uses an idle scan with Nmap to probe a target. This technique relies on a third-party host with a predictable IP ID sequence to infer port states. Which Nmap flag enables an idle scan?

Question 83 (medium, multiple choice)

During a security assessment, a tester uses Netcat to connect to a target's SMTP port and receive the service banner. Which command would achieve this?

Question 84 (medium, multiple choice)

A security analyst is asked to perform a fast scan of a large network (e.g., /16 subnet) to identify live hosts. Which tool is MOST suitable for this task due to its high speed?

Question 85 (easy, multiple choice)

Which of the following techniques involves sending crafted packets to a target to elicit responses that reveal the operating system?

Question 86 (medium, multiple choice)

An incident responder notices unusual outbound traffic from a host that is communicating with an external IP on port 4444. The traffic appears to be encrypted. Which tool could be used to initiate a connection to that external IP to gather a banner for service identification?

Question 87 (hard, multiple choice)

A security analyst runs a vulnerability scan with Nessus and receives a report indicating that multiple hosts have the 'MS17-010' vulnerability. What is the MOST likely impact of this vulnerability if exploited?

Question 88 (medium, multi-select)

Which TWO of the following Nmap flags are used for evasion of IDS/IPS? (Choose two.)

Question 89 (medium, multi-select)

Which THREE of the following are common techniques used during the footprinting phase? (Choose three.)

Question 90 (hard, multi-select)

A penetration tester is conducting reconnaissance and wants to identify live hosts in a range without being detected. Which TWO techniques would be MOST appropriate? (Choose two.)

Question 91 (easy, multiple choice)

A security analyst wants to discover all DNS records associated with a domain without triggering a full zone transfer. Which tool is BEST suited for this task?

Question 92 (medium, multiple choice)

During a penetration test, you run the command: nmap -sU -p 161,162 --script=snmp-brute 192.168.1.100. Which of the following is the PRIMARY goal of this scan?

Question 93 (hard, multiple choice)

A security analyst notices that their Nmap scan results show all ports as 'filtered' despite the target host being alive and responsive to ping. Which of the following is the MOST likely cause?

Question 94 (easy, multiple choice)

Which of the following Google dorks would an attacker MOST likely use to find login pages of web applications that are publicly accessible?

Question 95 (medium, multiple choice)

During a reconnaissance phase, a penetration tester uses Shodan to search for devices with a specific open port. Which of the following BEST describes what Shodan provides beyond a simple port scan?

Question 96 (hard, multiple choice)

A security analyst runs the Nmap command: nmap -sI 192.168.1.50 -p 80 10.0.0.1. The scan completes, but the target shows no open ports. What is the MOST likely explanation?

Question 97 (medium, multiple choice)

A penetration tester wants to perform a ping sweep on a /24 subnet to identify live hosts. Which command would accomplish this efficiently?

Question 98 (easy, multiple choice)

Which of the following is a passive OS fingerprinting technique that does NOT send any packets to the target?

Question 99 (medium, multiple choice)

A security analyst wants to perform banner grabbing on a web server without establishing a full TCP connection. Which tool would be MOST appropriate?

Question 100 (hard, multiple choice)

During a vulnerability scan using Nessus, a security analyst discovers that the target host shows a 'High' severity vulnerability for 'SSL/TLS Renegotiation DoS'. What does this vulnerability indicate?

Question 101 (medium, multiple choice)

Which of the following Nmap flags would an attacker use to evade IDS by sending fragmented IP packets?

Question 102 (easy, multiple choice)

A penetration tester uses theHarvester to gather information about a target domain. Which of the following data types is theHarvester PRIMARILY designed to collect?

Question 103 (medium, multi-select)

Which TWO of the following techniques are considered passive reconnaissance? (Select exactly 2.)

Question 104 (hard, multi-select)

Which THREE of the following are valid Nmap flags that can be used to evade detection by an IDS? (Select exactly 3.)

Question 105 (medium, multi-select)

A penetration tester wants to perform DNS zone transfer enumeration. Which TWO of the following tools can be used for this purpose? (Select exactly 2.)

Question 106 (medium, multiple choice)

A security analyst performs a passive reconnaissance of a target domain using public resources. Which of the following techniques would be considered passive reconnaissance?

Question 107 (easy, multiple choice)

During a penetration test, the tester wants to discover all subdomains of a target domain using an OSINT technique. Which tool is specifically designed for subdomain enumeration via search engines and public records?

Question 108 (medium, multiple choice)

A security analyst notices a large number of incomplete TCP connections (SYN_RECV) on a server. Which Nmap scan type is the MOST likely cause of this symptom?

Question 109 (hard, multiple choice)

A penetration tester uses the following Google dork: intitle:"index of" "backup" site:example.com. What is the MOST likely goal of this search?

Question 110 (medium, multiple choice)

An analyst runs the following command: dnsenum --enum example.com. Which of the following actions is dnsenum performing?

Question 111 (easy, multiple choice)

Which Nmap flag is used to perform a TCP SYN scan without completing the three-way handshake?

Question 112 (medium, multiple choice)

During a penetration test, the tester needs to identify the operating system of a remote host without sending any packets to it. Which technique should the tester use?

Question 113 (hard, multiple choice)

A security analyst runs the command: nmap -sS -p 80,443,8080 --script http-headers scanme.nmap.org. The output shows that port 80 is filtered. What does 'filtered' mean in this context?

Question 114 (easy, multiple choice)

Which of the following tools is specifically designed for high-speed port scanning across large address spaces?

Question 115 (medium, multiple choice)

A penetration tester wants to evade an IDS while scanning a target network. The tester uses the Nmap command: nmap -sS -f 10.10.10.1. What does the -f flag accomplish?

Question 116 (hard, multiple choice)

A security analyst observes the following Nmap output for a target host: PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https. The analyst then runs a version detection scan and notices that port 80 reports 'Apache httpd 2.4.41' but port 443 reports 'Apache httpd 2.4.41' as well. What is the MOST likely conclusion?

Question 117 (easy, multiple choice)

During a vulnerability assessment, which of the following tools is a comprehensive vulnerability scanner that uses a plugin architecture to detect thousands of vulnerabilities?

Question 118 (medium, multi select)

Which TWO of the following are examples of active reconnaissance techniques? (Select two)

Question 119 (hard, multi select)

Which THREE of the following Nmap options can be used to evade detection by IDS/IPS? (Select three)

Question 120 (medium, multi select)

A penetration tester is conducting DNS enumeration. Which TWO of the following tools are specifically designed for DNS enumeration? (Select two)

Question 121 (easy, multiple choice)

Which of the following tools is PRIMARILY used for passive OSINT gathering and can query multiple search engines, social media platforms, and public databases to collect information about a target?

Question 122 (medium, multiple choice)

A security analyst runs `nmap -sU -p 161,162 10.0.0.1` and receives output showing port 161/udp is open. Which service is MOST likely running on this port?

Question 123 (medium, multiple choice)

During a penetration test, you execute a DNS zone transfer request against a target domain and succeed. Which type of DNS record would you expect to reveal the mail servers for the domain?

Question 124 (medium, multi select)

Which TWO techniques are considered active reconnaissance? (Choose TWO.)

Question 125 (easy, multiple choice)

A penetration tester wants to perform a stealthy TCP scan that does not complete the three-way handshake. Which Nmap flag should be used?

Question 126 (hard, multiple choice)

You are investigating a suspected data exfiltration. Network logs show an internal host performing numerous DNS queries to a domain that does not exist in any organization records. The queries use various subdomains. Which technique is the attacker MOST likely using?

Question 127 (hard, multi select)

Which THREE of the following are common countermeasures to prevent DNS zone transfers from being abused? (Choose THREE.)

Question 128 (medium, multiple choice)

A security team observes repeated Nmap scans from an external IP address. The scans show fragmented IP packets. Which evasion technique is the attacker using?

Question 129 (easy, multiple choice)

Which of the following is an example of passive OS fingerprinting?

Question 130 (hard, multiple choice)

During a vulnerability scan with Nessus, you find that port 445/TCP is open on a Windows server. Which of the following is the MOST likely associated risk?

Question 131 (medium, multiple choice)

A security analyst issues the command `dnsenum example.com` and receives a list of subdomains, mail servers, and name servers. What information is revealed by the presence of multiple MX records?

Question 132 (easy, multi select)

Which TWO of the following are considered passive reconnaissance techniques? (Choose TWO.)

Question 133 (medium, multiple choice)

You need to perform a fast scan of all 65535 TCP ports on a target IP address. Which tool is specifically designed for high-speed scanning and can surpass Nmap's speed on large-scale networks?

Question 134 (hard, multi select)

Which THREE of the following are valid Nmap NSE scripts that could be used for service version detection or vulnerability scanning? (Choose THREE.)

Question 135 (hard, multiple choice)

A penetration tester runs `nmap -sI 192.168.1.10 -p 80 10.0.0.1` and receives output indicating port 80 is open. The scan uses a zombie host. Which type of scan is this?

Question 136 (easy, multiple choice)

A security analyst wants to gather information about a target domain without sending any packets to the target. Which technique should the analyst use?

Question 137 (medium, multiple choice)

During a penetration test, the tester uses a tool that queries search engines with specific operators to find sensitive information such as login pages, exposed directories, and file types. Which tool or technique is being used?

Question 138 (hard, multiple choice)

A penetration tester observes that an Nmap SYN scan shows all 1000 TCP ports as open. The tester suspects the target is using a security appliance that responds with SYN-ACK to all connection attempts, regardless of the actual port state. Which type of Nmap scan would be MOST effective in determining the true state of the ports?

Question 139 (medium, multiple choice)

An incident responder analyzes logs and finds repeated failed zone transfer attempts from an external IP. The zone transfer requests are targeting the domain example.com. Which DNS record type, if misconfigured, would allow this attack to succeed?

Question 140 (easy, multiple choice)

Which of the following tools is specifically designed to perform fast internet-wide scanning, often used in the reconnaissance phase to discover open ports across large IP ranges?

Question 141 (hard, multiple choice)

A penetration tester runs the following Nmap command: nmap -sU -sS -p 53,161,162,500 10.0.0.1 and receives no responses for UDP scans but standard results for TCP. The tester suspects the target is dropping all UDP packets. Which Nmap option could help increase the likelihood of UDP responses by fragmenting the probe?

Question 142 (easy, multiple choice)

Which of the following is the PRIMARY purpose of banner grabbing during the reconnaissance phase?

Question 143 (medium, multiple choice)

During a vulnerability assessment, a security analyst receives an alert from the IDS that a scan with fragmented packets and spoofed source IPs is targeting the internal network. Which Nmap command MOST likely caused this alert?

Question 144 (medium, multi select)

Which TWO of the following are examples of passive OS fingerprinting techniques? (Select 2)

Question 145 (hard, multi select)

Which TWO of the following Nmap scan types are MOST effective for evading a stateful firewall that only allows established connections? (Select 2)

Question 146 (easy, multi select)

Which TWO of the following are common OSINT tools for passive reconnaissance? (Select 2)

Question 147 (medium, multi select)

Which THREE of the following are valid methods to prevent DNS zone transfer attacks? (Select 3)

Question 148 (hard, multi select)

Which THREE of the following are legitimate uses of the Shodan search engine in a security assessment? (Select 3)

Question 149 (medium, multi select)

Which TWO of the following describe the state of a port when Nmap reports it as 'filtered'? (Select 2)

Question 150 (easy, multi select)

Which TWO of the following are examples of active reconnaissance? (Select 2)

Question 151 (medium, multiple choice)

A penetration tester runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

Question 152 (hard, multiple choice)

During a penetration test, a security analyst observes that Nmap SYN scans to a target server are not returning any results, but TCP connect scans succeed. The server is running an IDS. Which evasion technique is the analyst MOST likely encountering?

Question 153 (easy, multiple choice)

A security analyst wants to gather information about a target domain using public records without directly interacting with the target's systems. Which technique is the analyst employing?

Question 154 (medium, multi select)

Which TWO OSINT tools are commonly used to gather email addresses and subdomains associated with a target domain? (Select 2)

Question 155 (hard, multi select)

A security analyst is conducting passive reconnaissance on a target organization. Which THREE of the following are examples of passive reconnaissance techniques? (Select 3)
