Practice PT0-002 Information Gathering and Vulnerability Scanning questions with full explanations on every answer.
1. During a penetration test, you need to gather information about a target's email addresses and employee names without directly interacting with the target's systems. Which tool is most appropriate for this passive reconnaissance task?
2. You are performing a vulnerability scan on a web application and notice that the scanner reports a high-severity SQL injection vulnerability. However, manual testing confirms that the input is properly sanitized. Which term best describes this situation?
3. Which Nmap scan type sends SYN packets to determine open ports without completing the TCP three-way handshake?
4. You are conducting a penetration test and need to identify subdomains of a target domain using a passive approach that does not generate traffic to the target's servers. Which technique should you use?
5. During a penetration test, you want to discover API endpoints and hidden parameters in a web application. Which tool combination is most effective for this task?
6. Which tool is specifically designed for scanning WordPress websites to detect vulnerabilities, such as outdated plugins, themes, and weak passwords?
7. You are performing a network scan and need to identify live hosts on a subnet without triggering firewalls that block ICMP. Which technique should you use?
8. During a penetration test, you find a web application that uses JavaScript to make API calls. You want to discover hidden API endpoints and potential secrets (e.g., API keys) embedded in the client-side code. Which approach is most appropriate?
9. In the context of OSINT, which resource would you use to find historical versions of a company's website that may reveal outdated information or hidden directories?
10. You are performing a vulnerability scan on an internal network using an authenticated scanner. Which of the following is a primary benefit of authenticated scanning compared to unauthenticated scanning?
11. During a penetration test, you want to perform a stealthy port scan that minimizes the chance of being logged by the target. Which Nmap option should you use?
12. You are tasked with identifying the technologies used by a web application (e.g., web server, frameworks, libraries) during the reconnaissance phase. Which tool would you use?
13. You are conducting passive reconnaissance on a target organization. Which of the following are examples of passive reconnaissance techniques? (Select TWO.)
14. During a penetration test, you need to enumerate SNMP information from network devices. Which of the following tools or commands can be used for SNMP enumeration? (Select TWO.)
15. You are performing reconnaissance on a target's web application. Which of the following techniques can be used to discover hidden directories and files? (Select THREE.)
16. A penetration tester is performing passive reconnaissance on a target organization. Which of the following tools would be BEST suited to gather information about the organization's domain names, email addresses, and subdomains from publicly available sources without directly interacting with the target's systems?
17. During the information gathering phase, a penetration tester wants to discover subdomains of a target domain using DNS queries and potentially brute-forcing common subdomain names. Which of the following tools is specifically designed for subdomain enumeration and can perform both passive and active techniques?
18. A penetration tester is conducting active reconnaissance on a target network and wants to perform a SYN scan to identify open ports without completing the full TCP handshake. Which Nmap flag should the tester use?
19. After gaining initial access to an internal network, a penetration tester wants to identify live hosts on a subnet without generating excessive traffic. Which Nmap command would be most appropriate for host discovery using ICMP echo requests and TCP SYN to port 80?
20. A penetration tester is performing web application reconnaissance and wants to discover API endpoints and hidden parameters that may not be linked from the main application. Which technique would be most effective for this purpose?
21. A penetration tester is performing a vulnerability scan on a web server using Nikto. After the scan, the tester notices several findings related to outdated software versions and missing security headers. What should the tester do to validate the findings and reduce false positives?
22. During a penetration test, the tester wants to gather information about a target using publicly available DNS records, including mail servers, name servers, and possibly TXT records. Which type of DNS query would be most useful for obtaining a comprehensive list of these records?
23. A penetration tester is using Shodan to identify internet-facing devices associated with a target organization. Which of the following is Shodan's primary function in the context of passive reconnaissance?
24. A penetration tester is conducting a web application assessment and discovers that the target uses WordPress. The tester wants to identify installed plugins, themes, and potential vulnerabilities. Which of the following tools is best suited for this task?
25. During the information gathering phase, a penetration tester uses Google dorks to find exposed documents on a target's website. Which Google dork would be most appropriate to find PDF files containing sensitive information?
26. A penetration tester is performing service enumeration on a discovered host and wants to grab banners from open ports to identify the exact software and version running. Which of the following command-line tools would be most appropriate for this task?
27. A penetration tester is using OpenVAS to perform an authenticated vulnerability scan of a Linux server. The tester has provided valid SSH credentials. Which of the following is a primary benefit of performing an authenticated scan over an unauthenticated scan?
28. A penetration tester is conducting passive reconnaissance using OSINT techniques. Which TWO of the following are examples of passive OSINT sources?
29. A penetration tester is performing host discovery on a subnet. Which TWO of the following Nmap options can be used to discover live hosts?
30. A penetration tester is assessing a web application and wants to discover hidden directories, files, and parameters. Which THREE of the following tools are most appropriate for this task?
31. A penetration tester is performing passive reconnaissance on a target organization. Which of the following tools is best suited for gathering information from public sources such as search engines, social media, and website scraping?
32. During a penetration test, you are asked to discover all live hosts on a subnet without generating excessive traffic or being too intrusive. Which Nmap command best achieves this goal?
33. A penetration tester uses Shodan to find internet-facing devices belonging to a target company. Which of the following Shodan search filters would most effectively identify devices with a specific organization name?
34. While performing web application reconnaissance, a tester wants to enumerate hidden directories and files on a web server. Which of the following tools is specifically designed for directory brute-forcing?
35. A penetration tester is conducting active reconnaissance and wants to perform a SYN scan on a target network. During the scan, the tester notices that some ports are reported as filtered. What does a filtered port status typically indicate in Nmap?
36. When performing vulnerability scanning, which of the following best describes a false positive?
37. A penetration tester is using Nmap to identify the operating system of a target host. Which Nmap option should be used to enable OS detection?
38. A tester is performing DNS enumeration on a domain and wants to attempt a zone transfer. Which DNS record type is primarily used for zone transfers?
39. During a web application penetration test, the tester wants to identify the technologies used by the target website. Which of the following tools is best suited for technology fingerprinting?
40. Which of the following is a common community string used in SNMP enumeration?
41. A penetration tester is evaluating the security of a WordPress site. Which tool is specifically designed to scan WordPress installations for vulnerabilities?
42. During a penetration test, the tester runs an Nmap scan with the -sV option and gets a result showing 'Apache httpd 2.4.49'. This version is known to be vulnerable to a path traversal attack. Which of the following best describes the next step the tester should take?
43. A penetration tester is performing passive reconnaissance on a target organization. Which TWO of the following sources can provide information about the organization's historical web content? (Select TWO.)
44. A penetration tester is conducting active reconnaissance on a target network and wants to enumerate SNMP information. Which TWO of the following tools or commands can be used to query SNMP data from network devices? (Select TWO.)
45. During a web application penetration test, the tester wants to discover hidden API endpoints. Which THREE of the following techniques can be used to achieve this? (Select THREE.)
46. A penetration tester is conducting passive reconnaissance on a target organization. Which of the following tools is specifically designed for gathering OSINT by extracting email addresses, subdomains, and employee names from public sources?
47. During a penetration test, the tester wants to identify live hosts on a network without performing a full port scan. Which Nmap command is most appropriate for this task?
48. A penetration tester is performing active reconnaissance on a web application and wants to discover hidden directories and files. Which tool would be most effective for brute-forcing directory names based on a wordlist?
49. A tester is scanning a target network using Nmap. The client wants minimal disruption and asks to avoid completing TCP three-way handshakes. Which scan type should the tester use?
50. While performing vulnerability scanning, a penetration tester runs a Nessus scan against a web server. The report shows a 'critical' finding, but after manual verification, the tester determines the service is not actually vulnerable. This scenario best describes:
51. A penetration tester is performing DNS reconnaissance and wants to enumerate all subdomains of a target domain by querying DNS servers in an attempt to transfer the entire zone file. Which technique is the tester using?
52. A tester wants to identify the technologies used by a web application before conducting a deeper assessment. Which tool would be most appropriate for passive technology fingerprinting?
53. During a penetration test, the tester wants to discover publicly exposed IoT devices related to the target organization. Which OSINT tool is specifically designed for searching devices connected to the internet?
54. A penetration tester is analyzing a web application and wants to discover hidden API endpoints by brute-forcing common paths. Which tool is best suited for this task?
55. A penetration tester is performing internal network scanning and wants to identify live hosts on a local subnet without sending IP packets. Which method is most effective in a switched Ethernet environment?
56. A penetration tester is reviewing SSL/TLS certificate information for a target domain and wants to discover additional subdomains that share the same certificate. Which resource is best for this purpose?
57. Which of the following tools would best assist a penetration tester in identifying known vulnerabilities in a WordPress installation?
58. A penetration tester is conducting passive reconnaissance and wants to gather information about a target organization's employees, email addresses, and internal structure. Which TWO tools are best suited for this purpose? (Select TWO.)
59. A penetration tester is performing active reconnaissance on a web application and needs to discover parameters that the application accepts. Which TWO tools are most commonly used for parameter discovery? (Select TWO.)
60. A penetration tester is preparing to perform an authenticated vulnerability scan of a network. Which THREE of the following are important considerations before starting the scan? (Select THREE.)
61. A penetration tester is performing passive reconnaissance and wants to identify subdomains associated with a target domain without directly querying the target's DNS servers. Which tool is specifically designed for this purpose?
62. During a penetration test, a tester discovers a web application that uses JavaScript to load API endpoints dynamically. Which technique would be most effective for discovering hidden API endpoints?
63. A penetration tester is tasked with performing an authenticated vulnerability scan of a Windows network. The tester has domain admin credentials. Which tool is most appropriate for this task?
64. A penetration tester runs a SYN scan against a target and receives SYN-ACK responses from several ports. The tester then runs version detection on those ports. What is the primary purpose of version detection?
65. A penetration tester is using Google dorks to find sensitive information about a target organization. Which search operator would help the tester find PDF files containing the word 'confidential' on the target's website?
66. During a penetration test, a tester wants to discover all live hosts on a subnet without performing a full port scan. Which Nmap command is most appropriate for this purpose?
67. A penetration tester is assessing a web application and wants to identify hidden parameters that the application accepts. Which tool is specifically designed for parameter discovery?
68. A penetration tester is performing SNMP enumeration on a target network. Which command would likely be used to extract information from a device with the community string 'public'?
69. Which of the following tools is most commonly used for passive reconnaissance by querying certificate transparency logs to discover subdomains?
70. A penetration tester wants to perform a directory brute-force attack against a web server to discover hidden files and directories. Which tool is best suited for this task?
71. During a penetration test, a tester uses the Wayback Machine to review historical versions of the target's website. What is the primary benefit of this activity?
72. A penetration tester is using Nmap to perform an aggressive scan of a target. Which command combines OS detection, version detection, script scanning, and traceroute?
73. A penetration tester is performing active reconnaissance on a target web application. Which TWO tools are specifically designed for directory and file enumeration? (Select TWO.)
74. A penetration tester is conducting a vulnerability assessment and wants to minimize false positives. Which THREE actions should the tester take? (Select THREE.)
75. A penetration tester is performing initial reconnaissance on a target domain. Which THREE sources can provide historical data about the target? (Select THREE.)
76. During a penetration test, the tester wants to gather information about the target organization's domain registration and contact details without sending any traffic to the target. Which OSINT source should the tester use first?
77. A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to discover subdomains and associated email addresses without directly interacting with the target's infrastructure. Which combination of tools and sources would be most effective for this task?
78. During a penetration test, the tester performs a SYN scan with Nmap on a target network. The results show that port 443 is open on a web server. The tester then runs a service version detection scan and discovers the server is running Apache 2.4.41. Which Nmap flags were used in sequence?
79. A penetration tester is using Nmap to perform host discovery on a target network 192.168.1.0/24. The tester wants to identify live hosts without scanning ports. Which Nmap command should be used?
80. A penetration tester is performing active reconnaissance on a target network and wants to enumerate SNMP devices to gather system information. The tester uses snmpwalk with a common community string. Which community string is most likely to provide read-write access if misconfigured?
81. A penetration tester is conducting a vulnerability scan on a web server using Nikto. The scan report lists several findings, including a directory listing vulnerability and outdated server headers. Which type of scanner is Nikto?
82. During a web application penetration test, the tester wants to discover hidden directories and files on the target web server. Which tool is best suited for this task, and what technique does it use?
83. A penetration tester is analyzing the output of a Nessus vulnerability scan and notices a critical vulnerability reported against a web server that is actually a false positive due to outdated plugin data. What is the best course of action for the tester?
84. A penetration tester wants to query Certificate Transparency logs to find all SSL/TLS certificates issued for a target domain, which may reveal subdomains. Which tool or website is specifically designed for this purpose?
85. A penetration tester is performing passive reconnaissance and wants to find historical versions of the target website, including old pages that may contain sensitive information. Which resource should the tester use?
86. During a penetration test, the tester runs a DNS zone transfer attempt against a target domain. The zone transfer fails. What is the most likely reason?
87. A penetration tester is using theHarvester to gather email addresses associated with a target domain. The tool returns several email addresses. What is the primary limitation of using theHarvester for this purpose?
88. A penetration tester is performing active reconnaissance on a target network and wants to use Nmap to identify operating systems and run default scripts against discovered services. Which two Nmap options should the tester include? (Choose TWO.)
89. A penetration tester is conducting web application reconnaissance and wants to discover API endpoints and hidden parameters. Which three tools are most appropriate for this task? (Choose THREE.)
90. A penetration tester wants to perform passive reconnaissance on a target organization. Which two activities are considered passive reconnaissance? (Choose TWO.)
91. A penetration tester is performing passive reconnaissance on a target organization. Which of the following tools would be BEST for discovering subdomains and email addresses associated with the target domain without sending any packets to the target?
92. During a penetration test, the tester discovers that the target web application uses a content delivery network (CDN) that hides the origin server's IP address. Which technique would BEST help identify the true IP address of the backend server?
93. A penetration tester is tasked with performing active reconnaissance on an internal network. The tester wants to identify live hosts and their open ports efficiently while minimizing noise. Which Nmap scan type should be used first to quickly discover which hosts are online?
94. A penetration tester has discovered a web application that appears to be built with WordPress. The tester wants to identify installed plugins, themes, and potential vulnerabilities without triggering intrusion detection systems. Which tool is BEST suited for this task?
95. While performing vulnerability scanning with Nessus, a penetration tester notices that several high-severity vulnerabilities are reported for a web server, but manual verification shows the server is not vulnerable. What is the MOST likely cause of this discrepancy?
96. A penetration tester wants to use Google dorking to find publicly accessible documents containing sensitive information on a target domain 'example.com'. Which Google dork would be MOST appropriate to locate PDF files with the word 'confidential'?
97. During a penetration test, the tester is using Gobuster to enumerate directories on a web server. Which flag would the tester use to specify a list of file extensions to append to each word in the wordlist for discovering files like 'admin.php' or 'config.bak'?
98. A penetration tester is performing a security assessment of a network that uses SNMP. The tester successfully connects to a device using the community string 'public'. Which tool would the tester MOST likely use to enumerate the entire Management Information Base (MIB) tree to extract system information, running processes, and network interfaces?
99. A penetration tester is conducting passive reconnaissance and wants to find historical snapshots of a target website to identify past vulnerabilities or hidden endpoints. Which online service should the tester use?
100. A penetration tester is performing active reconnaissance on a web application and wants to discover hidden API endpoints. Which TWO tools are BEST suited for this task? (Select TWO.)
101. A penetration tester is tasked with performing a DNS enumeration of a target domain to discover subdomains. Which THREE tools are commonly used for subdomain bruteforcing? (Select THREE.)
102. A penetration tester is analyzing a web application's JavaScript files for hardcoded secrets and API endpoints. Which THREE techniques or tools are MOST effective for this purpose? (Select THREE.)
103. A penetration tester is conducting a vulnerability scan of a Linux server using OpenVAS. Which TWO scan configurations would provide the MOST comprehensive results? (Select TWO.)
104. During a web application penetration test, the tester wants to discover hidden parameters that the application accepts. Which THREE tools are BEST suited for parameter bruteforcing? (Select THREE.)
105. A penetration tester is performing reconnaissance on a target network and wants to identify all live hosts without sending many packets. Which TWO techniques are MOST effective for host discovery in a local subnet? (Select TWO.)
106. A penetration tester is conducting passive reconnaissance against a target organization. Which TWO of the following techniques would be most appropriate for gathering information about the organization's infrastructure and employees without directly interacting with the target's systems?
107. During an active reconnaissance phase, a penetration tester runs Nmap against a target and obtains the following results: Host is up, ports 22, 80, and 443 are open. The tester then runs an unauthenticated vulnerability scan using Nessus (no credentials supplied). Which THREE of the following issues should the tester be most concerned about regarding the accuracy and completeness of the Nessus scan results?
108. A penetration tester is performing web application reconnaissance. The tester wants to discover hidden directories and files, identify the technologies used, and find API endpoints. Which THREE of the following tools are best suited for these tasks?
The Information Gathering and Vulnerability Scanning domain covers the key concepts tested in this area of the PT0-002 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PT0-002 domains — no account required.
The Courseiva PT0-002 question bank contains 108 questions in the Information Gathering and Vulnerability Scanning domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Information Gathering and Vulnerability Scanning domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.