Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCEHTopicsFootprinting, Reconnaissance and Scanning
Free · No Signup RequiredEC-Council · CEH

CEH Footprinting, Reconnaissance and Scanning Practice Questions

20+ practice questions focused on Footprinting, Reconnaissance and Scanning — one of the most tested topics on the Certified Ethical Hacker CEH exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Start Footprinting, Reconnaissance and Scanning Practice

Exam Domains

Footprinting, Reconnaissance and ScanningEnumeration and System HackingMalware, Social Engineering and Network AttacksWeb Application and Injection AttacksIntroduction to Ethical HackingScanning Networks and EnumerationVulnerability Analysis and System HackingAll domains →

Study Tools

Practice TestMock ExamFlashcardsAll Topics

Sample Footprinting, Reconnaissance and Scanning Questions

Practice all 20+ →
1.

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

A.Perform a full TCP connect scan with UDP service detection on all ports
B.Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
C.Perform an aggressive scan of all open ports and enumerate SMB shares
D.Perform a UDP scan on the four specified ports and identify running services

Explanation: Option B is correct because the `-sS` flag initiates a TCP SYN stealth scan, `-sV` enables service version detection, and `-O` attempts OS fingerprinting. The `-p 22,80,443,3389` limits the scan to those four ports, and the target `192.168.1.0/24` scans the entire Class C subnet. This combination performs a half-open scan on the specified ports, probes for application versions, and tries to identify the operating system of each live host.

2.

During a passive reconnaissance phase, a penetration tester uses a tool to gather email addresses, subdomains, and employee names associated with a target domain without directly interacting with the target's systems. Which tool is BEST suited for this purpose?

A.theHarvester
B.Nmap
C.Netcat
D.Wireshark

Explanation: theHarvester is specifically designed for passive reconnaissance by querying public sources such as search engines (Google, Bing), PGP key servers, and the Shodan API to collect email addresses, subdomains, and employee names without sending any packets directly to the target's infrastructure. This aligns perfectly with the requirement of gathering OSINT data without direct interaction.

3.

A security analyst notices unusual outbound traffic from an internal server to a known malicious IP address on port 4444. The server is running a web application that was recently scanned using a vulnerability scanner. Which of the following is the MOST likely cause?

A.The server is performing a DNS lookup to resolve the malicious IP address
B.The web application is sending log data to a SIEM system for analysis
C.A vulnerability discovered during the scan was exploited, establishing a reverse shell connection to the attacker
D.The vulnerability scan caused a false positive and triggered a legitimate backup process

Explanation: Option C is correct because outbound traffic on port 4444 from an internal server to a known malicious IP is a classic indicator of a reverse shell connection. A reverse shell is a common post-exploitation technique where an attacker forces the victim server to connect back to their listener, often on high ports like 4444, bypassing inbound firewall rules. The timing after a vulnerability scan strongly suggests that a discovered vulnerability (e.g., command injection, RCE) was exploited to establish this shell.

4.

During a penetration test, you execute the following command: dnsrecon -d example.com -t axfr. The output shows 'AXFR record received' followed by a list of all DNS records. What does this indicate about the target's DNS configuration?

A.The DNS server is using DNSSEC to secure zone transfers
B.The DNS server is vulnerable to zone transfer attacks, allowing unauthorized users to retrieve the entire zone file
C.The DNS server is properly configured and only allows zone transfers to authorized secondary servers
D.The target uses a split-DNS configuration with internal and external views

Explanation: The successful execution of `dnsrecon -d example.com -t axfr` and the receipt of an AXFR (full zone transfer) response indicates that the target DNS server is misconfigured to allow zone transfers from any host. A properly secured DNS server should restrict AXFR queries to only authorized secondary (slave) servers, typically by IP address or TSIG (Transaction Signature) keys. Since the command was run from an unauthorized client, this confirms a zone transfer vulnerability, allowing an attacker to retrieve the entire DNS zone file, which reveals all hostnames, IP addresses, and service records.

5.

Which Google dork would a penetration tester use to find login pages of websites that have 'admin' in the URL?

A.site:admin login
B.filetype:pdf admin login
C.intitle:"login" inurl:admin
D.inurl:"admin" inurl:"login"

Explanation: Option D is correct because the Google dork `inurl:"admin" inurl:"login"` specifically searches for pages where both 'admin' and 'login' appear in the URL. This is a precise way to find login pages on administrative interfaces, as it targets URLs containing both terms, which is a common pattern for admin login portals.

+15 more Footprinting, Reconnaissance and Scanning questions available

Practice all Footprinting, Reconnaissance and Scanning questions

How to master Footprinting, Reconnaissance and Scanning for CEH

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Footprinting, Reconnaissance and Scanning. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Footprinting, Reconnaissance and Scanning questions on the CEH frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CEH Footprinting, Reconnaissance and Scanning questions are on the real exam?

The exact number varies per candidate. Footprinting, Reconnaissance and Scanning is tested as part of the Certified Ethical Hacker CEH blueprint. Practicing with targeted Footprinting, Reconnaissance and Scanning questions ensures you can handle any format or difficulty that appears.

Are these CEH Footprinting, Reconnaissance and Scanning practice questions free?

Yes. Courseiva provides free CEH practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Footprinting, Reconnaissance and Scanning one of the harder CEH topics?

Difficulty is subjective, but Footprinting, Reconnaissance and Scanning is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Ready to practice?

Launch a full Footprinting, Reconnaissance and Scanning practice session with instant scoring and detailed explanations.

Start Footprinting, Reconnaissance and Scanning Practice →

Topic Info

Topic

Footprinting, Reconnaissance and Scanning

Exam

CEH

Questions available

20+