Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


PT0-002 Information Gathering and Vulnerability Scanning • Complete Question Bank

PT0-002 Information Gathering and Vulnerability Scanning — All Questions With Answers

Complete PT0-002 Information Gathering and Vulnerability Scanning question bank — all 0 questions with answers and detailed explanations.

108 Questions • Free • No signup
Question 1 • medium • multiple choice

During a penetration test, you need to gather information about a target's email addresses and employee names without directly interacting with the target's systems. Which tool is most appropriate for this passive reconnaissance task?

Question 2 • hard • multiple choice

You are performing a vulnerability scan on a web application and notice that the scanner reports a high-severity SQL injection vulnerability. However, manual testing confirms that the input is properly sanitized. Which term best describes this situation?

Question 3 • easy • multiple choice

Which Nmap scan type sends SYN packets to determine open ports without completing the TCP three-way handshake?

Question 4 • medium • multiple choice

You are conducting a penetration test and need to identify subdomains of a target domain using a passive approach that does not generate traffic to the target's servers. Which technique should you use?

Question 5 • hard • multiple choice

During a penetration test, you want to discover API endpoints and hidden parameters in a web application. Which tool combination is most effective for this task?

Question 6 • easy • multiple choice

Which tool is specifically designed for scanning WordPress websites to detect vulnerabilities, such as outdated plugins, themes, and weak passwords?

Question 7 • medium • multiple choice

You are performing a network scan and need to identify live hosts on a subnet without triggering firewalls that block ICMP. Which technique should you use?

Question 8 • hard • multiple choice

During a penetration test, you find a web application that uses JavaScript to make API calls. You want to discover hidden API endpoints and potential secrets (e.g., API keys) embedded in the client-side code. Which approach is most appropriate?

Question 9 • easy • multiple choice

In the context of OSINT, which resource would you use to find historical versions of a company's website that may reveal outdated information or hidden directories?

Question 10 • medium • multiple choice

You are performing a vulnerability scan on an internal network using an authenticated scanner. Which of the following is a primary benefit of authenticated scanning compared to unauthenticated scanning?

Question 11 • medium • multiple choice

During a penetration test, you want to perform a stealthy port scan that minimizes the chance of being logged by the target. Which Nmap option should you use?

Question 12 • medium • multiple choice

You are tasked with identifying the technologies used by a web application (e.g., web server, frameworks, libraries) during the reconnaissance phase. Which tool would you use?

Question 13 • easy • multi select

You are conducting passive reconnaissance on a target organization. Which of the following are examples of passive reconnaissance techniques? (Select TWO.)

Question 14 • medium • multi select

During a penetration test, you need to enumerate SNMP information from network devices. Which of the following tools or commands can be used for SNMP enumeration? (Select TWO.)

Question 15 • hard • multi select

You are performing reconnaissance on a target's web application. Which of the following techniques can be used to discover hidden directories and files? (Select THREE.)

Question 16 • medium • multiple choice

A penetration tester is performing passive reconnaissance on a target organization. Which of the following tools would be BEST suited to gather information about the organization's domain names, email addresses, and subdomains from publicly available sources without directly interacting with the target's systems?

Question 17 • easy • multiple choice

During the information gathering phase, a penetration tester wants to discover subdomains of a target domain using DNS queries and potentially brute-forcing common subdomain names. Which of the following tools is specifically designed for subdomain enumeration and can perform both passive and active techniques?

Question 18 • medium • multiple choice

A penetration tester is conducting active reconnaissance on a target network and wants to perform a SYN scan to identify open ports without completing the full TCP handshake. Which Nmap flag should the tester use?

Question 19 • medium • multiple choice

After gaining initial access to an internal network, a penetration tester wants to identify live hosts on a subnet without generating excessive traffic. Which Nmap command would be most appropriate for host discovery using ICMP echo requests and TCP SYN to port 80?

Question 20 • hard • multiple choice

A penetration tester is performing web application reconnaissance and wants to discover API endpoints and hidden parameters that may not be linked from the main application. Which technique would be most effective for this purpose?

Question 21 • easy • multiple choice

A penetration tester is performing a vulnerability scan on a web server using Nikto. After the scan, the tester notices several findings related to outdated software versions and missing security headers. What should the tester do to validate the findings and reduce false positives?

Question 22 • medium • multiple choice

During a penetration test, the tester wants to gather information about a target using publicly available DNS records, including mail servers, name servers, and possibly TXT records. Which type of DNS query would be most useful for obtaining a comprehensive list of these records?

Question 23 • medium • multiple choice

A penetration tester is using Shodan to identify internet-facing devices associated with a target organization. Which of the following is Shodan's primary function in the context of passive reconnaissance?

Question 24 • hard • multiple choice

A penetration tester is conducting a web application assessment and discovers that the target uses WordPress. The tester wants to identify installed plugins, themes, and potential vulnerabilities. Which of the following tools is best suited for this task?

Question 25 • easy • multiple choice

During the information gathering phase, a penetration tester uses Google dorks to find exposed documents on a target's website. Which Google dork would be most appropriate to find PDF files containing sensitive information?

Question 26 • medium • multiple choice

A penetration tester is performing service enumeration on a discovered host and wants to grab banners from open ports to identify the exact software and version running. Which of the following command-line tools would be most appropriate for this task?

Question 27 • hard • multiple choice

A penetration tester is using OpenVAS to perform an authenticated vulnerability scan of a Linux server. The tester has provided valid SSH credentials. Which of the following is a primary benefit of performing an authenticated scan over an unauthenticated scan?

Question 28 • medium • multi select

A penetration tester is conducting passive reconnaissance using OSINT techniques. Which TWO of the following are examples of passive OSINT sources?

Question 29 • medium • multi select

A penetration tester is performing host discovery on a subnet. Which TWO of the following Nmap options can be used to discover live hosts?

Question 30 • hard • multi select

A penetration tester is assessing a web application and wants to discover hidden directories, files, and parameters. Which THREE of the following tools are most appropriate for this task?

Question 31 • easy • multiple choice

A penetration tester is performing passive reconnaissance on a target organization. Which of the following tools is best suited for gathering information from public sources such as search engines, social media, and website scraping?

Question 32 • medium • multiple choice

During a penetration test, you are asked to discover all live hosts on a subnet without generating excessive traffic or being too intrusive. Which Nmap command best achieves this goal?

Question 33 • hard • multiple choice

A penetration tester uses Shodan to find internet-facing devices belonging to a target company. Which of the following Shodan search filters would most effectively identify devices with a specific organization name?

Question 34 • medium • multiple choice

While performing web application reconnaissance, a tester wants to enumerate hidden directories and files on a web server. Which of the following tools is specifically designed for directory brute-forcing?

Question 35 • hard • multiple choice

A penetration tester is conducting active reconnaissance and wants to perform a SYN scan on a target network. During the scan, the tester notices that some ports are reported as filtered. What does a filtered port status typically indicate in Nmap?

Question 36 • easy • multiple choice

When performing vulnerability scanning, which of the following best describes a false positive?

Question 37 • medium • multiple choice

A penetration tester is using Nmap to identify the operating system of a target host. Which Nmap option should be used to enable OS detection?

Question 38 • hard • multiple choice

A tester is performing DNS enumeration on a domain and wants to attempt a zone transfer. Which DNS record type is primarily used for zone transfers?

Question 39 • medium • multiple choice

During a web application penetration test, the tester wants to identify the technologies used by the target website. Which of the following tools is best suited for technology fingerprinting?

Question 40 • easy • multiple choice

Which of the following is a common community string used in SNMP enumeration?

Question 41 • medium • multiple choice

A penetration tester is evaluating the security of a WordPress site. Which tool is specifically designed to scan WordPress installations for vulnerabilities?

Question 42 • hard • multiple choice

During a penetration test, the tester runs an Nmap scan with the -sV option and gets a result showing 'Apache httpd 2.4.49'. This version is known to be vulnerable to a path traversal attack. Which of the following best describes the next step the tester should take?

Question 43 • medium • multi select

A penetration tester is performing passive reconnaissance on a target organization. Which TWO of the following sources can provide information about the organization's historical web content? (Select TWO.)

Question 44 • hard • multi select

A penetration tester is conducting active reconnaissance on a target network and wants to enumerate SNMP information. Which TWO of the following tools or commands can be used to query SNMP data from network devices? (Select TWO.)

Question 45 • medium • multi select

During a web application penetration test, the tester wants to discover hidden API endpoints. Which THREE of the following techniques can be used to achieve this? (Select THREE.)

Question 46 • easy • multiple choice

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following tools is specifically designed for gathering OSINT by extracting email addresses, subdomains, and employee names from public sources?

Question 47 • easy • multiple choice

During a penetration test, the tester wants to identify live hosts on a network without performing a full port scan. Which Nmap command is most appropriate for this task?

Question 48 • medium • multiple choice

A penetration tester is performing active reconnaissance on a web application and wants to discover hidden directories and files. Which tool would be most effective for brute-forcing directory names based on a wordlist?

Question 49 • medium • multiple choice

A tester is scanning a target network using Nmap. The client wants minimal disruption and asks to avoid completing TCP three-way handshakes. Which scan type should the tester use?

Question 50 • medium • multiple choice

While performing vulnerability scanning, a penetration tester runs a Nessus scan against a web server. The report shows a 'critical' finding, but after manual verification, the tester determines the service is not actually vulnerable. This scenario best describes:

Question 51 • medium • multiple choice

A penetration tester is performing DNS reconnaissance and wants to enumerate all subdomains of a target domain by querying DNS servers in an attempt to transfer the entire zone file. Which technique is the tester using?

Question 52 • medium • multiple choice

A tester wants to identify the technologies used by a web application before conducting a deeper assessment. Which tool would be most appropriate for passive technology fingerprinting?

Question 53 • medium • multiple choice

During a penetration test, the tester wants to discover publicly exposed IoT devices related to the target organization. Which OSINT tool is specifically designed for searching devices connected to the internet?

Question 54 • hard • multiple choice

A penetration tester is analyzing a web application and wants to discover hidden API endpoints by brute-forcing common paths. Which tool is best suited for this task?

Question 55 • hard • multiple choice

A penetration tester is performing internal network scanning and wants to identify live hosts on a local subnet without sending IP packets. Which method is most effective in a switched Ethernet environment?

Question 56 • hard • multiple choice

A penetration tester is reviewing SSL/TLS certificate information for a target domain and wants to discover additional subdomains that share the same certificate. Which resource is best for this purpose?

Question 57 • easy • multiple choice

Which of the following tools would best assist a penetration tester in identifying known vulnerabilities in a WordPress installation?

Question 58 • medium • multi select

A penetration tester is conducting passive reconnaissance and wants to gather information about a target organization's employees, email addresses, and internal structure. Which TWO tools are best suited for this purpose? (Select TWO.)

Question 59 • hard • multi select

A penetration tester is performing active reconnaissance on a web application and needs to discover parameters that the application accepts. Which TWO tools are most commonly used for parameter discovery? (Select TWO.)

Question 60 • medium • multi select

A penetration tester is preparing to perform an authenticated vulnerability scan of a network. Which THREE of the following are important considerations before starting the scan? (Select THREE.)

Question 61 • easy • multiple choice

A penetration tester is performing passive reconnaissance and wants to identify subdomains associated with a target domain without directly querying the target's DNS servers. Which tool is specifically designed for this purpose?

Question 62 • medium • multiple choice

During a penetration test, a tester discovers a web application that uses JavaScript to load API endpoints dynamically. Which technique would be most effective for discovering hidden API endpoints?

Question 63 • hard • multiple choice

A penetration tester is tasked with performing an authenticated vulnerability scan of a Windows network. The tester has domain admin credentials. Which tool is most appropriate for this task?

Question 64 • medium • multiple choice

A penetration tester runs a SYN scan against a target and receives SYN-ACK responses from several ports. The tester then runs version detection on those ports. What is the primary purpose of version detection?

Question 65 • easy • multiple choice

A penetration tester is using Google dorks to find sensitive information about a target organization. Which search operator would help the tester find PDF files containing the word 'confidential' on the target's website?

Question 66 • medium • multiple choice

During a penetration test, a tester wants to discover all live hosts on a subnet without performing a full port scan. Which Nmap command is most appropriate for this purpose?

Question 67 • hard • multiple choice

A penetration tester is assessing a web application and wants to identify hidden parameters that the application accepts. Which tool is specifically designed for parameter discovery?

Question 68 • medium • multiple choice

A penetration tester is performing SNMP enumeration on a target network. Which command would likely be used to extract information from a device with the community string 'public'?

Question 69 • easy • multiple choice

Which of the following tools is most commonly used for passive reconnaissance by querying certificate transparency logs to discover subdomains?

Question 70 • medium • multiple choice

A penetration tester wants to perform a directory brute-force attack against a web server to discover hidden files and directories. Which tool is best suited for this task?

Question 71 • hard • multiple choice

During a penetration test, a tester uses the Wayback Machine to review historical versions of the target's website. What is the primary benefit of this activity?

Question 72 • medium • multiple choice

A penetration tester is using Nmap to perform an aggressive scan of a target. Which command combines OS detection, version detection, script scanning, and traceroute?

Question 73 • medium • multi select

A penetration tester is performing active reconnaissance on a target web application. Which TWO tools are specifically designed for directory and file enumeration? (Select TWO.)

Question 74 • hard • multi select

A penetration tester is conducting a vulnerability assessment and wants to minimize false positives. Which THREE actions should the tester take? (Select THREE.)

Question 75 • medium • multi select

A penetration tester is performing initial reconnaissance on a target domain. Which THREE sources can provide historical data about the target? (Select THREE.)

Question 76 • easy • multiple choice

During a penetration test, the tester wants to gather information about the target organization's domain registration and contact details without sending any traffic to the target. Which OSINT source should the tester use first?

Question 77 • medium • multiple choice

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to discover subdomains and associated email addresses without directly interacting with the target's infrastructure. Which combination of tools and sources would be most effective for this task?

Question 78 • medium • multiple choice

During a penetration test, the tester performs a SYN scan with Nmap on a target network. The results show that port 443 is open on a web server. The tester then runs a service version detection scan and discovers the server is running Apache 2.4.41. Which Nmap flags were used in sequence?

Question 79 • medium • multiple choice

A penetration tester is using Nmap to perform host discovery on a target network 192.168.1.0/24. The tester wants to identify live hosts without scanning ports. Which Nmap command should be used?

Question 80 • hard • multiple choice

A penetration tester is performing active reconnaissance on a target network and wants to enumerate SNMP devices to gather system information. The tester uses snmpwalk with a common community string. Which community string is most likely to provide read-write access if misconfigured?

Question 81 • easy • multiple choice

A penetration tester is conducting a vulnerability scan on a web server using Nikto. The scan report lists several findings, including a directory listing vulnerability and outdated server headers. Which type of scanner is Nikto?

Question 82 • medium • multiple choice

During a web application penetration test, the tester wants to discover hidden directories and files on the target web server. Which tool is best suited for this task, and what technique does it use?

Question 83 • hard • multiple choice

A penetration tester is analyzing the output of a Nessus vulnerability scan and notices a critical vulnerability reported against a web server that is actually a false positive due to outdated plugin data. What is the best course of action for the tester?

Question 84 • easy • multiple choice

A penetration tester wants to query Certificate Transparency logs to find all SSL/TLS certificates issued for a target domain, which may reveal subdomains. Which tool or website is specifically designed for this purpose?

Question 85 • medium • multiple choice

A penetration tester is performing passive reconnaissance and wants to find historical versions of the target website, including old pages that may contain sensitive information. Which resource should the tester use?

Question 86 • hard • multiple choice

During a penetration test, the tester runs a DNS zone transfer attempt against a target domain. The zone transfer fails. What is the most likely reason?

Question 87 • medium • multiple choice

A penetration tester is using theHarvester to gather email addresses associated with a target domain. The tool returns several email addresses. What is the primary limitation of using theHarvester for this purpose?

Question 88 • hard • multi select

A penetration tester is performing active reconnaissance on a target network and wants to use Nmap to identify operating systems and run default scripts against discovered services. Which two Nmap options should the tester include? (Choose TWO.)

Question 89 • medium • multi select

A penetration tester is conducting web application reconnaissance and wants to discover API endpoints and hidden parameters. Which three tools are most appropriate for this task? (Choose THREE.)

Question 90 • easy • multi select

A penetration tester wants to perform passive reconnaissance on a target organization. Which two activities are considered passive reconnaissance? (Choose TWO.)

Question 91 • easy • multiple choice

A penetration tester is performing passive reconnaissance on a target organization. Which of the following tools would be BEST for discovering subdomains and email addresses associated with the target domain without sending any packets to the target?

Question 92 • medium • multiple choice

During a penetration test, the tester discovers that the target web application uses a content delivery network (CDN) that hides the origin server's IP address. Which technique would BEST help identify the true IP address of the backend server?

Question 93 • medium • multiple choice

A penetration tester is tasked with performing active reconnaissance on an internal network. The tester wants to identify live hosts and their open ports efficiently while minimizing noise. Which Nmap scan type should be used first to quickly discover which hosts are online?

Question 94 • hard • multiple choice

A penetration tester has discovered a web application that appears to be built with WordPress. The tester wants to identify installed plugins, themes, and potential vulnerabilities without triggering intrusion detection systems. Which tool is BEST suited for this task?

Question 95 • medium • multiple choice

While performing vulnerability scanning with Nessus, a penetration tester notices that several high-severity vulnerabilities are reported for a web server, but manual verification shows the server is not vulnerable. What is the MOST likely cause of this discrepancy?

Question 96 • easy • multiple choice

A penetration tester wants to use Google dorking to find publicly accessible documents containing sensitive information on a target domain 'example.com'. Which Google dork would be MOST appropriate to locate PDF files with the word 'confidential'?

Question 97 • medium • multiple choice

During a penetration test, the tester is using Gobuster to enumerate directories on a web server. Which flag would the tester use to specify a list of file extensions to append to each word in the wordlist for discovering files like 'admin.php' or 'config.bak'?

Question 98 (hard, multiple choice)

A penetration tester is performing a security assessment of a network that uses SNMP. The tester successfully connects to a device using the community string 'public'. Which tool would the tester MOST likely use to enumerate the entire Management Information Base (MIB) tree to extract system information, running processes, and network interfaces?

Question 99 (easy, multiple choice)

A penetration tester is conducting passive reconnaissance and wants to find historical snapshots of a target website to identify past vulnerabilities or hidden endpoints. Which online service should the tester use?

Question 100 (medium, multi select)

A penetration tester is performing active reconnaissance on a web application and wants to discover hidden API endpoints. Which TWO tools are BEST suited for this task? (Select TWO.)

Question 101 (medium, multi select)

A penetration tester is tasked with performing a DNS enumeration of a target domain to discover subdomains. Which THREE tools are commonly used for subdomain bruteforcing? (Select THREE.)

Question 102 (hard, multi select)

A penetration tester is analyzing a web application's JavaScript files for hardcoded secrets and API endpoints. Which THREE techniques or tools are MOST effective for this purpose? (Select THREE.)

Question 103 (medium, multi select)

A penetration tester is conducting a vulnerability scan of a Linux server using OpenVAS. Which TWO scan configurations would provide the MOST comprehensive results? (Select TWO.)

Question 104 (hard, multi select)

During a web application penetration test, the tester wants to discover hidden parameters that the application accepts. Which THREE tools are BEST suited for parameter bruteforcing? (Select THREE.)

Question 105 (medium, multi select)

A penetration tester is performing reconnaissance on a target network and wants to identify all live hosts without sending many packets. Which TWO techniques are MOST effective for host discovery in a local subnet? (Select TWO.)

Question 106 (medium, multi select)

A penetration tester is conducting passive reconnaissance against a target organization. Which TWO of the following techniques would be most appropriate for gathering information about the organization's infrastructure and employees without directly interacting with the target's systems?

Question 107 (hard, multi select)

During an active reconnaissance phase, a penetration tester runs Nmap against a target and obtains the following results: Host is up, ports 22, 80, and 443 are open. The tester then runs an unauthenticated vulnerability scan using Nessus (no credentials supplied). Which THREE of the following issues should the tester be most concerned about regarding the accuracy and completeness of the Nessus scan results?

Question 108 (easy, multi select)

A penetration tester is performing web application reconnaissance. The tester wants to discover hidden directories and files, identify the technologies used, and find API endpoints. Which THREE of the following tools are best suited for these tasks?
