© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Objective 2.0

Information Gathering and Vulnerability Scanning

PT0-002 Practice Questions

Use this page to practise threats, attacks and vulnerabilities questions. CompTIA Security+ is scenario-heavy here — you must identify not just the attack type but the most appropriate response.

What this objective tests

PT0-002 Information Gathering and Vulnerability Scanning — Key Topics

Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.

  • Threat actor types and motivations (APT, script kiddie, insider, nation-state).
  • Attack techniques: phishing, social engineering, ransomware, SQL injection, XSS.
  • Vulnerability scanning vs penetration testing vs risk assessment.
  • Mitigation strategies mapped to specific attack types.

Common exam traps

Where candidates lose marks on Information Gathering and Vulnerability Scanning

  • ⚠Social engineering targets people, not systems — the attack vector matters.
  • ⚠A vulnerability scanner finds weaknesses; it does not exploit them.
  • ⚠Phishing is email-based; vishing is voice-based; smishing is SMS-based.
  • ⚠Zero-day vulnerabilities have no patch available at the time of discovery.

PT0-002 Information Gathering and Vulnerability Scanning — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

During a vulnerability scan, a penetration tester notices that the scanner is repeatedly attempting to exploit a service, causing the service to crash and generating misleading findings. Which of the following scan configurations would BEST help the tester avoid this issue while still identifying potential vulnerabilities?

Question 3 (medium, multiple choice)

A penetration tester is performing reconnaissance on a target organization and uses Shodan to find internet-facing devices. Which of the following is the BEST use case for Shodan in this context?

Question 4 (easy, multiple choice)

During the reconnaissance phase, a penetration tester wants to map out the target's DNS infrastructure without directly interacting with the target's servers. Which of the following techniques BEST achieves this?

Question 5 (medium, multiple choice)

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following techniques would provide the MOST useful information about internal network architecture without directly interacting with the target's systems?

Question 6 (hard, multiple choice)

A penetration tester is using a vulnerability scanner to assess an internal network. The scanner reports a critical vulnerability in a custom web application, but manual verification shows the application is not vulnerable. Which of the following is the MOST likely cause of this false positive?

Question 7 (easy, multiple choice)

A penetration tester is conducting an internal network scan and wants to minimize the chance of detection by the target's intrusion detection system (IDS). Which Nmap timing template is the MOST appropriate for this goal?

Question 8 (medium, multiple choice)

A penetration tester is using a vulnerability scanner on a web application and notices that many findings are false positives caused by the scanner sending oversized payloads that the application truncates or rejects. Which scanner configuration change would MOST effectively reduce false positives in this scenario?

Question 9 (easy, multiple choice)

During the reconnaissance phase, a penetration tester wants to identify subdomains of a target domain without making direct requests to the target's own DNS servers. Which technique would be BEST for this purpose?

Question 10 (hard, multiple choice)

During a penetration test, a vulnerability scanner reports a critical SQL injection vulnerability in a web application. However, manual testing shows that the parameter is not injectable due to proper parameterized queries. Which of the following is the MOST likely cause of this false positive?

Question 11 (medium, multiple choice)

During reconnaissance, a penetration tester discovers a public GitHub repository belonging to the target organization. The repository contains internal project names, server IP addresses, and code comments with database credentials. Which reconnaissance technique does this represent?

Question 12 (easy, multiple choice)

A penetration tester wants to discover email addresses associated with a target domain (example.com) without sending any network packets to the target's systems. Which technique is BEST suited for this?

Question 13 (easy, multiple choice)

A penetration tester wants to perform a network scan that minimizes the chance of detection by an intrusion detection system (IDS). Which Nmap timing template is MOST appropriate?

Question 14 (medium, multiple choice)

A penetration tester is conducting passive reconnaissance against a target domain. The tester wants to discover all subdomains associated with the domain without making any direct DNS queries to the target's authoritative servers. Which technique is BEST suited for this purpose?

Question 15 (medium, multiple choice)

A penetration tester wants to enumerate user accounts and SMB shares from a Windows machine without authenticating. Which tool is specifically designed for this purpose and is commonly used in Linux penetration testing distributions?

Question 16 (medium, multiple choice)

A penetration tester is performing reconnaissance on a target organization. The tester wants to discover the internal IP address scheme used by the company without making any direct connections to the company's network. Which technique is MOST effective for this purpose?

Question 17 (hard, multiple choice)

A vulnerability scanner reports a reflected XSS vulnerability in a web application. Manual testing confirms that the application HTML-encodes all user input in the response. Which scanner misconfiguration is MOST likely causing this false positive?

Question 18 (easy, multiple choice)

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify the technologies and frameworks used by the target's web application without making any requests to the target's servers. Which resource is BEST suited for this task?

Question 19 (medium, multiple choice)

A penetration tester receives an Nmap scan report showing that port 445/TCP is open on a target Windows host. The tester wants to determine if the host is vulnerable to EternalBlue (MS17-010) without triggering an alert. Which Nmap NSE script is most appropriate to use?

Question 20 (hard, multiple choice)

During passive reconnaissance, a penetration tester wants to compile a list of valid employee email addresses for a target company to be used in a future phishing campaign. Which technique is LEAST likely to be detected by the target or its security controls?

Question 21 (easy, multiple choice)

A penetration tester is tasked with discovering all publicly accessible Amazon S3 buckets that belong to a target company. Which technique is MOST effective for this purpose?

Question 22 (medium, multi select)

A penetration tester is performing passive reconnaissance against a target domain. Which of the following resources can be used to gather information about the target without directly sending packets to the target's network? (Select two.)

Question 23 (medium, multiple choice)

A penetration tester is using Nmap to scan a target web server. The tester only wants to see which of the top 100 ports are open, but wants to minimize network traffic and time. Which Nmap command is most appropriate?

Question 24 (easy, multiple choice)

A penetration tester is conducting passive reconnaissance on a target organization. Which technique can be used to discover subdomains of the target's domain without sending any packets to the target's network?

Question 25 (easy, multiple choice)

A penetration tester wants to quickly identify which of the top 100 common ports are open on a target system, while minimizing network traffic and scan time. Which Nmap command is most appropriate?

Question 26 (medium, multiple choice)

A penetration tester wants to passively gather information about a target's technology stack, including web server software and frameworks. Which resource is best suited for this task without sending any packets to the target?

Question 27 (medium, multiple choice)

A penetration tester is performing active reconnaissance on a target network. The tester wants to identify all live hosts in the 192.168.1.0/24 subnet and determine which ones have port 80 open. Which technique is most efficient for this task?

Question 28 (medium, multiple choice)

A penetration tester is using a vulnerability scanner to assess a web application. The scanner reports a 'SQL Injection' finding with a high confidence level. However, manual verification of the same payload does not trigger the vulnerability in a browser. Which of the following is the most likely reason for this discrepancy?

Question 29 (easy, multiple choice)

A penetration tester wants to discover subdomains of a target domain without sending any packets directly to the target's network. Which resource is most effective for this purpose?

Question 30 (medium, multiple choice)

A penetration tester is performing internal reconnaissance. The tester discovers that the internal DNS server allows recursive queries from the tester's machine. Which technique can the tester use to enumerate internal hosts and network ranges?

Question 31 (easy, multiple choice)

A penetration tester is performing passive reconnaissance to discover email addresses associated with a target domain. The tester wants to avoid sending any packets directly to the target's infrastructure. Which tool is most appropriate for this task?
