Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

PT0-002 Information Gathering and Vulnerability Scanning • Complete Question Bank

PT0-002 Information Gathering and Vulnerability Scanning — All Questions With Answers

Complete PT0-002 Information Gathering and Vulnerability Scanning question bank — all 0 questions with answers and detailed explanations.

103 questions · Free · No signup
Question 1 (medium, multiple choice)

During a vulnerability scan, a penetration tester notices that the scanner is repeatedly attempting to exploit a service, causing the service to crash and generating misleading findings. Which of the following scan configurations would BEST help the tester avoid this issue while still identifying potential vulnerabilities?

Question 2 (medium, multiple choice)

A penetration tester is performing reconnaissance on a target organization and uses Shodan to find internet-facing devices. Which of the following is the BEST use case for Shodan in this context?

Question 3 (easy, multiple choice)

During the reconnaissance phase, a penetration tester wants to map out the target's DNS infrastructure without directly interacting with the target's servers. Which of the following techniques BEST achieves this?

Question 4 (medium, multiple choice)

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following techniques would provide the MOST useful information about internal network architecture without directly interacting with the target's systems?

Question 5 (hard, multiple choice)

A penetration tester is using a vulnerability scanner to assess an internal network. The scanner reports a critical vulnerability in a custom web application, but manual verification shows the application is not vulnerable. Which of the following is the MOST likely cause of this false positive?

Question 6 (easy, multiple choice)

A penetration tester is conducting an internal network scan and wants to minimize the chance of detection by the target's intrusion detection system (IDS). Which Nmap timing template is the MOST appropriate for this goal?

Question 7 (medium, multiple choice)

A penetration tester is using a vulnerability scanner on a web application and notices that many findings are false positives caused by the scanner sending oversized payloads that the application truncates or rejects. Which scanner configuration change would MOST effectively reduce false positives in this scenario?

Question 8 (easy, multiple choice)

During the reconnaissance phase, a penetration tester wants to identify subdomains of a target domain without making direct requests to the target's own DNS servers. Which technique would be BEST for this purpose?

Question 9 (hard, multiple choice)

During a penetration test, a vulnerability scanner reports a critical SQL injection vulnerability in a web application. However, manual testing shows that the parameter is not injectable due to proper parameterized queries. Which of the following is the MOST likely cause of this false positive?

Question 10 (medium, multiple choice)

During reconnaissance, a penetration tester discovers a public GitHub repository belonging to the target organization. The repository contains internal project names, server IP addresses, and code comments with database credentials. Which reconnaissance technique does this represent?

Question 11 (easy, multiple choice)

A penetration tester wants to discover email addresses associated with a target domain (example.com) without sending any network packets to the target's systems. Which technique is BEST suited for this?

Question 12 (easy, multiple choice)

A penetration tester wants to perform a network scan that minimizes the chance of detection by an intrusion detection system (IDS). Which Nmap timing template is MOST appropriate?

Question 13 (medium, multiple choice)

A penetration tester is conducting passive reconnaissance against a target domain. The tester wants to discover all subdomains associated with the domain without making any direct DNS queries to the target's authoritative servers. Which technique is BEST suited for this purpose?

Question 14 (medium, multiple choice)

A penetration tester wants to enumerate user accounts and SMB shares from a Windows machine without authenticating. Which tool is specifically designed for this purpose and is commonly used in Linux penetration testing distributions?

Question 15 (medium, multiple choice)

A penetration tester is performing reconnaissance on a target organization. The tester wants to discover the internal IP address scheme used by the company without making any direct connections to the company's network. Which technique is MOST effective for this purpose?

Question 16 (hard, multiple choice)

A vulnerability scanner reports a reflected XSS vulnerability in a web application. Manual testing confirms that the application HTML-encodes all user input in the response. Which scanner misconfiguration is MOST likely causing this false positive?

Question 17 (easy, multiple choice)

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify the technologies and frameworks used by the target's web application without making any requests to the target's servers. Which resource is BEST suited for this task?

Question 18 (medium, multiple choice)

A penetration tester receives an Nmap scan report showing that port 445/TCP is open on a target Windows host. The tester wants to determine if the host is vulnerable to EternalBlue (MS17-010) without triggering an alert. Which Nmap NSE script is most appropriate to use?

Question 19 (hard, multiple choice)

During passive reconnaissance, a penetration tester wants to compile a list of valid employee email addresses for a target company to be used in a future phishing campaign. Which technique is LEAST likely to be detected by the target or its security controls?

Question 20 (easy, multiple choice)

A penetration tester is tasked with discovering all publicly accessible Amazon S3 buckets that belong to a target company. Which technique is MOST effective for this purpose?

Question 21 (medium, multi-select)

A penetration tester is performing passive reconnaissance against a target domain. Which of the following resources can be used to gather information about the target without directly sending packets to the target's network? (Choose two.)

Question 22 (medium, multiple choice)

A penetration tester is using Nmap to scan a target web server. The tester only wants to see which of the top 100 ports are open, but wants to minimize network traffic and time. Which Nmap command is most appropriate?

Question 23 (easy, multiple choice)

A penetration tester is conducting passive reconnaissance on a target organization. Which technique can be used to discover subdomains of the target's domain without sending any packets to the target's network?

Question 24 (easy, multiple choice)

A penetration tester wants to quickly identify which of the top 100 common ports are open on a target system, while minimizing network traffic and scan time. Which Nmap command is most appropriate?

Question 25 (medium, multiple choice)

A penetration tester wants to passively gather information about a target's technology stack, including web server software and frameworks. Which resource is best suited for this task without sending any packets to the target?

Question 26 (medium, multiple choice)

A penetration tester is performing active reconnaissance on a target network. The tester wants to identify all live hosts in the 192.168.1.0/24 subnet and determine which ones have port 80 open. Which technique is most efficient for this task?

Question 27 (medium, multiple choice)

A penetration tester is using a vulnerability scanner to assess a web application. The scanner reports a 'SQL Injection' finding with a high confidence level. However, manual verification of the same payload does not trigger the vulnerability in a browser. Which of the following is the most likely reason for this discrepancy?

Question 28 (easy, multiple choice)

A penetration tester wants to discover subdomains of a target domain without sending any packets directly to the target's network. Which resource is most effective for this purpose?

Question 29 (medium, multiple choice)

A penetration tester is performing internal reconnaissance. The tester discovers that the internal DNS server allows recursive queries from the tester's machine. Which technique can the tester use to enumerate internal hosts and network ranges?

Question 30 (easy, multiple choice)

A penetration tester is performing passive reconnaissance to discover email addresses associated with a target domain. The tester wants to avoid sending any packets directly to the target's infrastructure. Which tool is most appropriate for this task?

Question 31 (medium, multiple choice)

A penetration tester runs a vulnerability scanner against a web server and receives a high-confidence alert that the server is vulnerable to Heartbleed (CVE-2014-0160). The tester manually verifies using an OpenSSL command and finds that the server is patched. Which of the following is the most likely cause of this false positive?

Question 32 (medium, multiple choice)

A penetration tester wants to identify hosts on a network that are running web servers on any TCP port, including non-standard ports. Which Nmap command is most efficient for this task?

Question 33 (hard, multiple choice)

A penetration tester has compromised a Windows domain-joined workstation and needs to identify all domain controllers and their IP addresses without triggering detection mechanisms. Which technique is most likely to avoid raising alerts?

Question 34 (medium, multiple choice)

A penetration tester is analyzing the results of a vulnerability scan against a web application. The scanner reports a potential SQL injection vulnerability in a login form parameter. However, manual testing with the same payload does not produce any error messages or changes in behavior. Which of the following is the most likely reason for the false positive?

Question 35 (hard, multiple choice)

A penetration tester is performing internal reconnaissance on a Windows Active Directory environment. The tester has a low-privileged domain user account. Which of the following techniques is most likely to help identify all domain controllers and their IP addresses without generating excessive network traffic or alerts?

Question 36 (easy, multiple choice)

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify all publicly accessible cloud storage buckets that might belong to the target without directly interacting with the target's infrastructure. Which of the following techniques would be most effective for this purpose?

Question 37 (hard, multiple choice)

A penetration tester is performing internal reconnaissance on a network that uses IPv6. The tester wants to discover alive hosts and their IPv6 addresses without sending many packets. Which technique is most effective for this purpose?

Question 38 (hard, multiple choice)

A penetration tester is conducting a vulnerability scan of a web application that uses a custom API framework. The scanner reports several potential SQL injection vulnerabilities, but manual testing confirms they are false positives. The tester suspects the scanner is misinterpreting input validation. Which of the following is the most likely reason for these false positives?

Question 39 (easy, multiple choice)

A penetration tester wants to perform DNS brute-force enumeration to discover subdomains of a target domain. Which tool is specifically designed for this purpose?

Question 40 (medium, multiple choice)

A penetration tester is conducting an internal network scan and wants to minimize the chance of being detected by an intrusion detection system (IDS). Which TCP scan type is most likely to evade detection?

Question 41 (hard, multiple choice)

A penetration tester is performing passive reconnaissance on a target organization. The tester wants to identify internal IP address ranges used by the organization without interacting directly with their network. Which of the following techniques would be most effective for this purpose?

Question 42 (medium, multiple choice)

During a reconnaissance phase, a penetration tester is using a tool to enumerate NetBIOS names on a target internal network. The tester issues the command 'nbtstat -A 192.168.1.100' on a Windows machine. What type of information is the tester most likely trying to obtain?

Question 43 (easy, multiple choice)

A penetration tester wants to discover all subdomains of a target domain without directly querying the target's DNS servers to avoid detection. Which technique is most appropriate?

Question 44 (medium, multiple choice)

During an internal penetration test, a tester is trying to identify live hosts on a network segment. The tester wants to avoid generating a high volume of traffic or alerts. Which scanning technique is most appropriate for this task?

Question 45 (medium, multiple choice)

A penetration tester is conducting passive reconnaissance on a target organization using Google dorking. The tester wants to find PDF documents that may contain usernames and passwords. Which Google search query is most appropriate for this task?

Question 46 (hard, multiple choice)

A penetration tester wants to identify the web server software and version used by a target organization without sending any packets to the target's infrastructure. Which of the following techniques is most effective for this purpose?

Question 47 (easy, multiple choice)

A penetration tester wants to identify all publicly accessible Amazon S3 buckets that belong to a specific organization. Which technique is most effective for passive reconnaissance?

Question 48 (medium, multiple choice)

A penetration tester is performing internal reconnaissance from a compromised host and wants to map the local network without sending any packets. Which technique is most suitable?

Question 49 (medium, multiple choice)

A penetration tester is performing active reconnaissance on a target network. The tester sends TCP SYN packets to a range of ports on a target host. Only a few ports respond with SYN-ACK packets. What does this indicate?

Question 50 (easy, multiple choice)

A penetration tester wants to identify the operating system of a remote host without sending any traffic to the target network. Which of the following techniques is most effective for this purpose?

Question 51 (medium, multiple choice)

A penetration tester is performing a vulnerability scan on a target network. The tester uses Nmap with the default NSE scripts against a web server. The scan report shows several 'http-vuln-cve2017-5638' findings. What does this indicate?

Question 52 (hard, multiple choice)

A penetration tester is tasked with performing vulnerability scanning on a target organization that uses a web application firewall (WAF) and an intrusion prevention system (IPS). The tester wants to avoid being blocked while still gathering comprehensive data. Which scanning approach is most effective?

Question 53 (medium, multiple choice)

A penetration tester wants to identify all subdomains for a target domain using only public records. Which technique is most effective for this purpose?

Question 54 (medium, multiple choice)

A penetration tester is using theHarvester tool to gather email addresses and subdomains for a target domain. Which source is theHarvester commonly configured to use for passive reconnaissance?

Question 55 (hard, multiple choice)

A penetration tester is performing a vulnerability scan on a web server that uses HTTPS. The tester wants to identify the server's SSL/TLS configuration weaknesses without overwhelming the server. Which Nmap command is most appropriate?

Question 56 (medium, multiple choice)

A penetration tester is performing passive reconnaissance on a target organization. The tester wants to gather information about the target's technology stack, including web server software and frameworks, without directly interacting with the target systems. Which technique is most effective?

Question 57 (medium, multiple choice)

A penetration tester is using theHarvester tool to gather information about a target domain. The tester wants to collect email addresses and subdomains from public search engines and PGP key servers. Which source is theHarvester commonly configured to use for this passive reconnaissance?

Question 58 (medium, multiple choice)

A penetration tester has been given access to a network tap on a client's internal network. The tester wants to perform initial reconnaissance by identifying all live hosts and their operating systems without sending any packets that could be detected. Which technique is most appropriate?

Question 59 (hard, multiple choice)

A vulnerability scanner reports an unauthenticated critical finding on an internal server. Manual testing shows the vulnerable package is present, but the vulnerable service is disabled and not reachable. How should the tester report this?

Question 60 (easy, multiple choice)

A penetration tester is performing passive reconnaissance on a target organization. Which of the following activities would be considered passive reconnaissance?

Question 61 (medium, drag order)

Drag and drop the steps to exploit a SQL injection vulnerability using sqlmap into the correct order.

Question 62 (medium, drag order)

Drag and drop the steps to perform a wireless network audit using aircrack-ng into the correct order.

Question 63 (medium, matching)

Match each penetration testing tool to its primary function.

Descriptions to match:
Network scanning and port enumeration
Exploit development and execution
Web application security testing
Password cracking
Network packet analysis

Question 64 (medium, matching)

Match each wireless attack to its description.

Descriptions to match:
Rogue AP mimicking a legitimate one
Forcing clients to disconnect from AP
Brute-forcing the WPS PIN to recover passphrase
Exploiting WPA2 handshake to decrypt traffic
Sending unsolicited messages over Bluetooth

Question 65 (easy, multiple choice)

A penetration tester is conducting information gathering on a target organization. The tester discovers a public code repository that contains configuration files with embedded credentials. Which of the following is the BEST next step?

Question 66 (easy, multiple choice)

A penetration tester is performing a port scan on a target network and receives no response to SYN packets sent to port 443. However, the service is known to be running. Which scanning technique should the tester use next to confirm the service?

Question 67 (hard, multiple choice)

During a vulnerability scan of a web application, a tester receives an HTTP response with a '405 Method Not Allowed' error when trying to use a PUT request. What does this indicate about the web server's configuration?

Question 68 (medium, multiple choice)

A penetration tester is tasked with identifying live hosts on a large subnet without generating excessive traffic. Which of the following techniques is most appropriate for efficient host discovery?

Question 69 (easy, multiple choice)

A tester is using the following Nmap command: nmap -sC -sV -p 1-65535 target_ip. What is the primary purpose of the -sC option?

Question 70 (medium, multiple choice)

During a penetration test, the tester finds that a web application is vulnerable to server-side template injection (SSTI). Which of the following payloads would be most effective to test for SSTI in an Express-based Node.js application using Handlebars?

Question 71 (medium, multiple choice)

A penetration tester is performing a vulnerability scan of a network and finds that one server is running an outdated version of OpenSSL. Which of the following is the most likely security implication of this finding?

Question 72 (easy, multiple choice)

Which of the following tools would a penetration tester most likely use to perform passive reconnaissance on a target domain?

Question 73 (hard, multiple choice)

A tester needs to identify all open ports on a target system behind a firewall that is blocking ICMP and dropping unsolicited SYN packets. Which of the following scanning techniques is most likely to succeed?

Question 74 (medium, multi-select)

A penetration tester is analyzing the results of a vulnerability scan. Which of the following findings indicate that a vulnerability is likely exploitable? (Choose two.)

Question 75 (hard, multi-select)

A penetration tester is performing information gathering using DNS enumeration. Which of the following records can be queried to discover additional subdomains or hostnames? (Choose three.)

Question 76 (medium, multi-select)

A penetration tester is planning to perform a vulnerability scan of an internal network. Which of the following should be considered before scanning? (Choose three.)

Question 77 (easy, multiple choice)

Refer to the exhibit. A penetration tester has performed a basic Nmap scan and found an open MySQL service. Which of the following should the tester do NEXT to further investigate the MySQL service?

Exhibit

Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
MAC Address: 00:1A:2B:3C:4D:5E (Intel)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.18 - 2.6.22
Question 78 (medium, multiple choice)

Refer to the exhibit. A penetration tester is reviewing a web server error log. Based on the log, what vulnerability does the tester suspect?

Exhibit

[Sun Mar 13 12:00:00.123456 2024] [php:notice] [pid 1234] [client 192.168.1.5:54321] PHP Notice:  Undefined variable: username in /var/www/html/login.php on line 32
[Sun Mar 13 12:00:01.234567 2024] [php:warning] [pid 1234] [client 192.168.1.5:54321] PHP Warning:  mysqli_connect(): (HY000/1045): Access denied for user 'test'@'localhost' (using password: YES) in /var/www/html/db.php on line 8
Question 79 (hard, multiple choice)

Refer to the exhibit. A penetration tester finds this configuration file during an assessment. Which of the following is the most critical security concern with this configuration?

Exhibit

{
  "authenticators": {
    "LDAP": {
      "servername": "ldap.internal.com",
      "port": 389,
      "binddn": "cn=admin,dc=internal,dc=com",
      "bindpassword": "S3cur3#pass",
      "usessl": false
    }
  }
}
Question 80 (easy, multiple choice)

A penetration tester is tasked with performing passive reconnaissance against a client without triggering any alerts. Which of the following techniques would be MOST appropriate?

Question 81 (medium, multiple choice)

During an internal penetration test, a tester discovers that the client's network uses ARP poisoning to intercept traffic for security monitoring. The tester wants to enumerate live hosts without being detected by network monitoring tools. Which of the following is the BEST approach?

Question 82 (hard, multiple choice)

A penetration tester is conducting vulnerability scanning on a web application that uses a Web Application Firewall (WAF). The scanner triggers a WAF block after several requests. Which of the following techniques would be MOST effective to continue scanning while evading the WAF?

Question 83 (easy, multiple choice)

Which of the following tools is primarily used for enumerating subdomains via search engine queries?

Question 84 (medium, multiple choice)

A tester is performing a vulnerability scan against a critical production server. The client requests minimal impact on system performance. Which scan type should the tester use?

Question 85 (hard, multiple choice)

During a penetration test, a tester identifies that the target's network uses Private VLANs to isolate hosts. Which technique can be used to bypass this isolation and perform ARP spoofing?

Question 86 (easy, multiple choice)

A penetration tester needs to gather information about a target organization's employees and email addresses from public sources. Which passive reconnaissance tool is BEST suited for this task?

Question 87 (medium, multiple choice)
Read the full Information Gathering and Vulnerability Scanning explanation →

A tester conducts a vulnerability scan and receives a high number of false positives. Which of the following is the BEST way to reduce false positives in subsequent scans?

Question 88 (hard, multiple choice)
Read the full Information Gathering and Vulnerability Scanning explanation →

A PenTest team is planning to perform a physical social engineering engagement to gather information from a client's facility. Which of the following reconnaissance techniques would be LEAST likely to be detected?

Question 89 (medium, multi select)
Read the full Information Gathering and Vulnerability Scanning explanation →

A penetration tester is performing information gathering for a web application. Which of the following are passive information gathering techniques? (Select THREE).

Question 90 (easy, multi select)
Read the full Information Gathering and Vulnerability Scanning explanation →

A penetration tester needs to perform initial reconnaissance on a target domain. Which of the following tools are specifically designed for domain enumeration? (Select TWO).

Question 91 (hard, multi select)
Read the full Information Gathering and Vulnerability Scanning explanation →

During a vulnerability scan of a Linux server, the tester notices that the Nmap scan reports port 22 as filtered. Which of the following could be causing this result? (Select TWO).

Question 92 (medium, multiple choice)
Read the full Information Gathering and Vulnerability Scanning explanation →

Based on the Nmap output above, which of the following conclusions is MOST accurate regarding the target host?

Network Topology

Refer to the exhibit.

Nmap scan report for 10.10.10.10
Host is up (0.0012s latency).
Not shown: 997 filtered ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
8080/tcp filtered http-proxy
Question 93 (easy, multiple choice)
Read the full Information Gathering and Vulnerability Scanning explanation →

A penetration tester receives the JSON output above from a vulnerability scanner. Which of the following actions should the tester take FIRST to validate this finding?

Exhibit

Refer to the exhibit.

{
  "vulnerability": "SQL Injection",
  "cvss_score": 9.8,
  "affected_endpoint": "/api/user?id=1",
  "request_method": "GET",
  "parameter": "id",
  "payload": "' OR '1'='1",
  "evidence": "Error: You have an error in your SQL syntax;"
}
Question 94 (hard, multiple choice)
Read the full DNS explanation →

A penetration tester is conducting an external assessment against a client's web application hosted on an AWS EC2 instance behind an Application Load Balancer (ALB). The tester has performed passive reconnaissance and identified the public IP of the ALB, but the web application is only accessible via a specific domain name. During active scanning, the tester runs Nmap against the public IP and only sees port 443 open. The tester then performs a DNS Zone Transfer attempt against the authoritative name servers, which fails. While reviewing the web application, the tester notices that the application sets a cookie with the path '/admin'. The tester suspects there is an internal subnet used for backend services. Which of the following techniques would be MOST effective to discover internal hostnames or IP ranges?

Question 95 (medium, multiple choice)
Read the full Information Gathering and Vulnerability Scanning explanation →

A penetration tester is conducting information gathering on a target company. The company has an internal Confluence wiki that is only accessible from within the corporate network. The tester wants to discover any externally accessible references to the wiki without actively interacting with the target's systems. Which of the following techniques would be MOST effective?

Question 96 (hard, multiple choice)
Read the full Information Gathering and Vulnerability Scanning explanation →

During a vulnerability scan of a web application, the penetration tester notices that the scanner reports a critical SQL injection vulnerability in the login parameter. However, manual testing confirms that the input is properly sanitized and the vulnerability is a false positive. Which of the following actions should the tester take to ensure accurate vulnerability identification and avoid wasting time on false positives in future scans?

Question 97 (easy, multi select)
Read the full Information Gathering and Vulnerability Scanning explanation →

A penetration tester is gathering information using passive reconnaissance techniques. Which of the following are considered passive reconnaissance methods? (Choose two.)

Question 98 (easy, multiple choice)
Read the full Information Gathering and Vulnerability Scanning explanation →

A penetration tester is hired to perform a security assessment of a small business. The business has a single website hosted on a shared server, and the tester wants to identify the content management system (CMS) and plugins used without sending any traffic that might alert the hosting provider. The tester has no previous knowledge of the website. Which of the following techniques would be BEST for this task?

Question 99 (medium, multiple choice)
Read the full Information Gathering and Vulnerability Scanning explanation →

A penetration tester is conducting a vulnerability scan of a network segment that contains several legacy servers. The tester uses a commercial vulnerability scanner with default settings. The scan completes and reports a critical vulnerability on a server running an outdated version of Apache with known remote code execution. However, the tester suspects this might be a false positive because the server is behind an application-layer firewall that blocks the specific exploit. Which of the following steps should the tester take to confirm the vulnerability?

Question 100 (hard, multiple choice)
Read the full DNS explanation →

A penetration tester is performing information gathering on a large organization that uses split-DNS architecture, with internal and external DNS servers. The tester wants to discover internal hostnames without performing any active scans that might trigger detection controls. The tester has obtained the organization's domain name from public WHOIS records. Which of the following techniques would be MOST effective in discovering internal hostnames passively?

Question 101 (medium, multi select)
Read the full Information Gathering and Vulnerability Scanning explanation →

A penetration tester is conducting an external assessment of a target organization and wants to gather information without sending any packets that might be logged by the target's network monitoring systems. Which TWO of the following methods are considered passive reconnaissance?

Question 102 (medium, multiple choice)
Read the full Information Gathering and Vulnerability Scanning explanation →

Refer to the exhibit. A penetration tester performed an Nmap scan of a target server and received the above output. The tester recalls that one of these services is associated with a well-known remote code execution vulnerability that can be exploited without authentication. Which service is most likely vulnerable?

Exhibit

Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds
Question 103 (hard, multiple choice)
Open the full VLAN trunking answer →

You are a penetration tester hired to assess the security of a mid-sized company. The company's internal network consists of a web server running Apache 2.4.29 on Ubuntu 18.04, a database server with MySQL 5.7 on CentOS 7, and a file server running Samba 4.8 on a separate Linux distribution. You are given a standard domain user account with limited privileges. After initial reconnaissance, you discover that the web server has a SQL injection vulnerability in its login form. However, when you attempt to exploit it with SQLmap, the web application firewall (WAF) blocks all your payloads. You also notice that the file server is accessible via SMB with guest access enabled, allowing you to list shares without authentication. The database server is isolated on a separate VLAN and is not directly accessible from your workstation. Which of the following actions should you take NEXT to further your assessment?
