Question 137 of 509
Information Gathering and Vulnerability ScanningmediumMultiple ChoiceObjective-mapped

Quick Answer

The answer is passive network sniffing to capture broadcast traffic. This approach is correct because passive host discovery via sniffing involves monitoring network traffic without transmitting any packets, allowing a tester to enumerate live hosts by analyzing broadcast frames like ARP requests or DHCP discoveries that hosts generate naturally. On the CompTIA PenTest+ PT0-002 exam, this question tests your understanding of stealthy reconnaissance techniques in monitored environments, where active scans (such as ARP pings, SYN scans, or UDP probes) would trigger alerts from security tools like intrusion detection systems. A common trap is assuming any host discovery must generate traffic, but passive sniffing leverages existing chatter to avoid detection entirely. Memory tip: think “listen, don’t speak” for passive discovery—if you’re not sending packets, you’re not making noise.

PT0-002 Practice Question: Information Gathering and Vulnerability Scanning

This PT0-002 practice question tests your understanding of information gathering and vulnerability scanning. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

During an internal penetration test, a tester discovers that the client's network uses ARP poisoning to intercept traffic for security monitoring. The tester wants to enumerate live hosts without being detected by network monitoring tools. Which of the following is the BEST approach?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Question 1mediummultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Use passive network sniffing to capture broadcast traffic

Option D is correct because passive network sniffing captures broadcast traffic without generating any packets, avoiding detection. Option A generates ARP traffic; Option B generates SYN packets; Option C generates UDP packets.

Key principle: Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Use passive network sniffing to capture broadcast traffic

    Why this is correct

    Passive sniffing collects broadcast packets like ARP and DHCP without sending anything.

    Clue confirmation

    The clue word "best" in the question point toward this answer.

    Related concept

    CIDR notation defines the prefix length.

  • Perform a UDP scan

    Why it's wrong here

    UDP scanning is active and can be noisy.

  • Perform a SYN scan with decoys

    Why it's wrong here

    SYN scans are active and decoys may not fully evade monitoring.

  • Use ARP requests to discover hosts

    Why it's wrong here

    ARP requests are active and may trigger alarms.

Common exam traps

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Detailed technical explanation

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

KKey Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

TExam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.

Key takeaway

Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.

Real-world example

How this comes up in practice

A security team runs a vulnerability scan on a web application and discovers an unpatched SQL injection flaw. The team prioritises remediation by CVSS score — critical flaws are patched within 24 hours, high within 7 days. Questions like this test whether you understand vulnerability management processes, scanning tools, and remediation prioritisation.

What to study next

Got this wrong? Here's your next step.

Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related PT0-002 subnetting questions on CIDR, address ranges, and subnet selection.

Related practice questions

Related PT0-002 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free PT0-002 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this PT0-002 question test?

Information Gathering and Vulnerability Scanning — This question tests Information Gathering and Vulnerability Scanning — CIDR notation defines the prefix length..

What is the correct answer to this question?

The correct answer is: Use passive network sniffing to capture broadcast traffic — Option D is correct because passive network sniffing captures broadcast traffic without generating any packets, avoiding detection. Option A generates ARP traffic; Option B generates SYN packets; Option C generates UDP packets.

What should I do if I get this PT0-002 question wrong?

Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related PT0-002 subnetting questions on CIDR, address ranges, and subnet selection.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

CIDR notation defines the prefix length.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

1 more ways this is tested on PT0-002

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A penetration tester is performing internal reconnaissance from a compromised host and wants to map the local network without sending any packets. Which technique is most suitable?

medium
  • A.Use tcpdump to passively capture and analyze broadcast traffic.
  • B.Send ARP requests to all possible IP addresses using a ping sweep.
  • C.Query the local DNS server for all host records in the domain.
  • D.Use traceroute to discover network paths.

Why A: Option A is correct because tcpdump can passively capture broadcast traffic (e.g., ARP, NetBIOS, mDNS) without sending any packets. This allows the tester to map active hosts and services on the local network by listening to existing network chatter, fulfilling the 'no packets sent' constraint.

Last reviewed: Jun 23, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This PT0-002 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PT0-002 exam.