18+ practice questions focused on Footprinting and Reconnaissance — one of the most tested topics on the Certified Ethical Hacker CEH exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A penetration tester is performing a footprinting exercise on a target company. The tester wants to identify the network range and ISP of the target. Which of the following tools or techniques is MOST appropriate for this purpose?
Explanation: A WHOIS lookup against the target domain returns registration details that include the organization's network range (via the 'NetRange' or 'CIDR' fields) and the ISP (via the 'OrgName' or 'descr' fields). This directly maps to the footprinting goal of identifying the target's IP address block and upstream provider, as defined in RFC 3912 and common WHOIS database schemas.
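The fields named in this explanation can be pulled out of a WHOIS response and normalized to CIDR blocks, which is useful for reviewing what your own organization's registrations expose. This is an added example, not part of the original question set; `parse_whois` is a hypothetical helper and both sample responses are constructed from documentation address space.

```python
import ipaddress
import re

# Constructed sample responses (documentation address space, not real registrations).
ARIN_STYLE = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
OrgName:        Example Hosting LLC
"""

RIPE_STYLE = """\
% registry comment line, skipped by the parser
inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-RIPE
descr:          Example Transit Provider
descr:          Second description line
"""

FIELD = re.compile(r"^([A-Za-z][\w-]*):\s*(.+?)\s*$")


def parse_whois(text):
    """Return {'networks': [CIDR strings], 'provider': str or None}."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("%", "#")):  # registry comments
            continue
        m = FIELD.match(line)
        if m:
            # Keep every value: keys such as 'descr' can repeat.
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))

    networks = []
    # An explicit CIDR field wins; otherwise derive blocks from the range.
    for value in fields.get("cidr", []):
        networks += [str(ipaddress.ip_network(c.strip())) for c in value.split(",")]
    if not networks:
        for value in fields.get("netrange", []) + fields.get("inetnum", []):
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            # A range that is not one aligned block becomes several CIDRs.
            networks += [str(n) for n in ipaddress.summarize_address_range(first, last)]

    provider = (fields.get("orgname") or fields.get("descr") or [None])[0]
    return {"networks": networks, "provider": provider}


if __name__ == "__main__":
    for sample in (ARIN_STYLE, RIPE_STYLE):
        print(parse_whois(sample))
```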
During the reconnaissance phase, a tester discovers that the target company's email server is configured to automatically respond to delivery status notifications (DSNs). Which type of attack could this information facilitate?
Explanation: Email servers that automatically respond to Delivery Status Notifications (DSNs) as defined in RFC 1891/3464 can be exploited for email enumeration. By sending a message to a non-existent address, the DSN response will indicate the address is invalid, while a valid address may generate no DSN or a different response. This allows an attacker to systematically verify valid email addresses on the target domain without triggering a full bounce-back to the original sender.
A security analyst is tasked with performing passive reconnaissance on a target organization. Which of the following is the BEST approach to gather information about the target's technology stack without directly interacting with the target's systems?
Explanation: Shodan is a search engine that indexes banners from internet-connected devices, allowing an analyst to discover a target's exposed services, open ports, and technology stack (e.g., web servers, SSH versions, IoT devices) without sending any packets to the target's systems. This makes it a purely passive reconnaissance technique, as it relies on Shodan's pre-collected data rather than direct interaction.
An ethical hacker wants to discover subdomains of a target domain using only public information. Which of the following techniques is MOST effective?
Explanation: The `site:` operator in search engines (e.g., Google) allows an ethical hacker to enumerate publicly indexed subdomains of a target domain by querying `site:*.targetdomain.com`. This technique leverages the search engine's crawl data to discover subdomains that are publicly accessible but may not be linked from the main site, making it the most effective method for passive, public-information-only reconnaissance.
During footprinting, a tester finds that the target's DNS server allows recursive queries from the internet. What is the MOST significant security implication of this finding?
Explanation: Option D is correct because a DNS server that allows recursive queries from the internet can be exploited in a DNS amplification attack, a type of denial-of-service (DoS) attack. The attacker sends a small query with a spoofed source IP (the victim's IP) to the open recursive resolver, which responds with a much larger response (e.g., using the ANY record type), amplifying traffic up to 50-100 times. This floods the victim's network, making the DNS server an unwitting participant in the attack.
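When auditing your own resolver, the finding in this question shows up in the header of the reply an outside client receives. The added example below (not part of the original question set) reads the RA flag, RCODE and answer count from a reply and computes the size ratio the explanation calls amplification; `classify_reply` and `build_response` are hypothetical helpers and the reply bytes are constructed.

```python
import struct

REFUSED = 5  # DNS RCODE a restricted resolver returns to outside clients


def build_response(ra, rcode, answers, payload_len):
    """Construct a DNS reply header plus filler bytes (test data only)."""
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode  # QR, RD, RA, RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 0)
    return header + b"\x00" * payload_len


def classify_reply(query_len, reply):
    """Classify a reply to a recursive query sent from outside the network
    for a name the server is not authoritative for."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    ra = bool(flags & 0x0080)   # Recursion Available
    rcode = flags & 0x000F
    return {
        "recursion_available": ra,
        "rcode": rcode,
        # Open recursion: the server offered recursion and returned answers.
        "open_recursion": ra and rcode == 0 and ancount > 0,
        # Reply size relative to query size.
        "amplification": round(len(reply) / query_len, 1),
    }


# Constructed replies to a 30-byte query: one from an open resolver,
# one from a resolver that refuses recursion for outside clients.
OPEN_REPLY = build_response(ra=True, rcode=0, answers=4, payload_len=1488)
CLOSED_REPLY = build_response(ra=False, rcode=REFUSED, answers=0, payload_len=18)

if __name__ == "__main__":
    print(classify_reply(30, OPEN_REPLY))
    print(classify_reply(30, CLOSED_REPLY))
```

A resolver that limits recursion to its own clients produces the second result for outside queries: RA clear, REFUSED, and a reply no larger than the query.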
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Footprinting and Reconnaissance. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Footprinting and Reconnaissance questions on the CEH frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Footprinting and Reconnaissance is tested as part of the Certified Ethical Hacker CEH blueprint. Practicing with targeted Footprinting and Reconnaissance questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CEH practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Footprinting and Reconnaissance is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.