20+ practice questions focused on Footprinting, Reconnaissance and Scanning — one of the most tested topics on the Certified Ethical Hacker CEH exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A security analyst runs the following Nmap command: `nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24`. Which of the following BEST describes what this scan will accomplish?
Explanation: Option B is correct because the `-sS` flag initiates a TCP SYN stealth scan, `-sV` enables service version detection, and `-O` attempts OS fingerprinting. The `-p 22,80,443,3389` limits the scan to those four ports, and the target `192.168.1.0/24` scans the entire Class C subnet. This combination performs a half-open scan on the specified ports, probes for application versions, and tries to identify the operating system of each live host.
During a passive reconnaissance phase, a penetration tester uses a tool to gather email addresses, subdomains, and employee names associated with a target domain without directly interacting with the target's systems. Which tool is BEST suited for this purpose?
Explanation: theHarvester is specifically designed for passive reconnaissance by querying public sources such as search engines (Google, Bing), PGP key servers, and the Shodan API to collect email addresses, subdomains, and employee names without sending any packets directly to the target's infrastructure. This aligns perfectly with the requirement of gathering OSINT data without direct interaction.
A security analyst notices unusual outbound traffic from an internal server to a known malicious IP address on port 4444. The server is running a web application that was recently scanned using a vulnerability scanner. Which of the following is the MOST likely cause?
Explanation: Option C is correct because outbound traffic on port 4444 from an internal server to a known malicious IP is a classic indicator of a reverse shell connection. A reverse shell is a common post-exploitation technique where an attacker forces the victim server to connect back to their listener, often on high ports like 4444, bypassing inbound firewall rules. The timing after a vulnerability scan strongly suggests that a discovered vulnerability (e.g., command injection, RCE) was exploited to establish this shell.
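A defender's view of the same indicator, as an added example that is not part of the original question set: because a reverse shell is initiated by the server, it shows up as server-originated egress, which can be flagged regardless of port. The flow records, subnets, allowlist and blocklist entry below are constructed, and each record is assumed to read initiator -> responder.

```python
import ipaddress

# Constructed connection records (initiator -> responder). All addresses are
# private or documentation ranges chosen for this example.
FLOWS = """\
2024-05-01T10:00:02 203.0.113.9:51512 -> 10.0.5.20:443
2024-05-01T10:04:41 10.0.5.20:38122 -> 10.0.9.3:5432
2024-05-01T10:05:10 10.0.5.20:49822 -> 198.51.100.77:4444
2024-05-01T10:06:00 10.0.5.20:40110 -> 192.0.2.10:443
2024-05-01T10:07:30 10.0.5.20:40555 -> 203.0.113.50:8080
"""

SERVER_NET = ipaddress.ip_network("10.0.5.0/24")   # assumed web-server subnet
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal address space
EGRESS_ALLOW = {("192.0.2.10", 443)}               # assumed update mirror
THREAT_INTEL = {"198.51.100.77"}                   # constructed blocklist entry


def find_suspect_egress(flow_text):
    """Flag connections that a server initiates to external hosts.

    Returns (timestamp, src_ip, dst_ip, dst_port, severity) tuples. Severity
    is "high" when the destination is on the blocklist, otherwise "medium".
    """
    alerts = []
    for line in flow_text.splitlines():
        ts, src, _arrow, dst = line.split()
        sip, _sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        dport = int(dport)
        if ipaddress.ip_address(sip) not in SERVER_NET:
            continue          # inbound request, not server-initiated
        if ipaddress.ip_address(dip) in INTERNAL:
            continue          # east-west traffic, e.g. to a database
        if (dip, dport) in EGRESS_ALLOW:
            continue          # expected outbound destination
        severity = "high" if dip in THREAT_INTEL else "medium"
        alerts.append((ts, sip, dip, dport, severity))
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_egress(FLOWS):
        print(alert)
```

The same allowlist, enforced as a default-deny egress rule on the server subnet, blocks the callback instead of only reporting it.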
During a penetration test, you execute the following command: dnsrecon -d example.com -t axfr. The output shows 'AXFR record received' followed by a list of all DNS records. What does this indicate about the target's DNS configuration?
Explanation: The successful execution of `dnsrecon -d example.com -t axfr` and the receipt of an AXFR (full zone transfer) response indicates that the target DNS server is misconfigured to allow zone transfers from any host. A properly secured DNS server should restrict AXFR queries to only authorized secondary (slave) servers, typically by IP address or TSIG (Transaction Signature) keys. Since the command was run from an unauthorized client, this confirms a zone transfer vulnerability, allowing an attacker to retrieve the entire DNS zone file, which reveals all hostnames, IP addresses, and service records.
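The fix described above lives in the server's zone configuration. The following added example (not part of the original question set) audits a BIND-style `named.conf` for zones whose `allow-transfer` is open or missing. The sample configuration, zone names, address and key name are constructed, and the regex parsing assumes each top-level statement closes with `};` at the start of a line.

```python
import re

# Constructed named.conf fragment; zone names, the secondary's address and
# the TSIG key name "xfer-key" are made up for this example.
SAMPLE_CONF = '''
options {
    directory "/var/named";
};
zone "open.example" {
    type master;
    file "open.example.zone";
    allow-transfer { any; };
};
zone "implicit.example" {
    type master;
    file "implicit.example.zone";
};
zone "locked.example" {
    type master;
    file "locked.example.zone";
    allow-transfer { 192.0.2.53; key xfer-key; };
};
'''

OPTS_RE = re.compile(r'^options\s*\{(.*?)\n\};', re.S | re.M)
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S | re.M)
ACL_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def classify(acl):
    """Map the text inside allow-transfer { ... } to a verdict."""
    if acl is None:
        return "implicit"      # no ACL anywhere: behaviour depends on the server default
    entries = [e.strip() for e in acl.split(";") if e.strip()]
    if any(e in ("any", "0.0.0.0/0", "::/0") for e in entries):
        return "open"          # any host can pull the whole zone
    if not entries or entries == ["none"]:
        return "closed"
    return "restricted"        # limited to listed addresses and/or TSIG keys


def audit_zone_transfers(conf_text):
    """Return {zone_name: verdict}; a zone without its own ACL inherits options."""
    opts = OPTS_RE.search(conf_text)
    inherited = ACL_RE.search(opts.group(1)) if opts else None
    results = {}
    for name, body in ZONE_RE.findall(conf_text):
        acl = ACL_RE.search(body) or inherited
        results[name] = classify(acl.group(1) if acl else None)
    return results
```

Zones reported as "implicit" need a manual check against the default of the BIND version in use, since an absent ACL is not the same as a closed one.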
Which Google dork would a penetration tester use to find login pages of websites that have 'admin' in the URL?
Explanation: Option D is correct because the Google dork `inurl:"admin" inurl:"login"` specifically searches for pages where both 'admin' and 'login' appear in the URL. This is a precise way to find login pages on administrative interfaces, as it targets URLs containing both terms, which is a common pattern for admin login portals.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Footprinting, Reconnaissance and Scanning. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Footprinting, Reconnaissance and Scanning questions on the CEH frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Footprinting, Reconnaissance and Scanning is tested as part of the Certified Ethical Hacker CEH blueprint. Practicing with targeted Footprinting, Reconnaissance and Scanning questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CEH practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Footprinting, Reconnaissance and Scanning is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.