CCNA Information Gathering And Vulnerability Scanning Questions

75 of 103 questions · Page 1/2 · Information Gathering And Vulnerability Scanning topic · Answers revealed

1
MCQhard

During a penetration test, a vulnerability scanner reports a critical SQL injection vulnerability in a web application. However, manual testing shows that the parameter is not injectable due to proper parameterized queries. Which of the following is the MOST likely cause of this false positive?

A.The scanner used a payload that caused a different error unrelated to SQL injection
B.The scanner detected a stored XSS instead
C.The scanner matched a generic error message that is not specific to SQL injection
D.The scanner tested a different parameter than what was reported
AnswerC

Scanners often use keyword matching and will flag any page that returns a database error string, even if the vulnerability does not exist.

Why this answer

A vulnerability scanner often relies on pattern matching in HTTP responses to flag SQL injection. If the application returns a generic error message (e.g., 'An error occurred') after sending a malicious payload, the scanner may incorrectly classify it as SQL injection. However, because the application uses parameterized queries, the payload is safely handled, and the error is unrelated to SQL syntax — making this a classic false positive caused by generic error message matching.

Exam trap

The trap here is that candidates assume a scanner's SQL injection flag must be caused by an actual SQL error, when in fact scanners often rely on generic error message patterns that can be triggered by any application exception.

How to eliminate wrong answers

Option A is wrong because a payload causing a different error unrelated to SQL injection would still require the scanner to misinterpret that error as SQL injection, which is essentially the same mechanism as matching a generic error message; the core issue is the scanner's inability to distinguish error types, not the error's origin. Option B is wrong because stored XSS would manifest as injected script execution in stored content, not as an SQL injection flag from a vulnerability scanner; the scanner would need to detect script reflection or execution, not an SQL error pattern.

2
MCQmedium

A penetration tester receives an Nmap scan report showing that port 445/TCP is open on a target Windows host. The tester wants to determine if the host is vulnerable to EternalBlue (MS17-010) without triggering an alert. Which Nmap NSE script is most appropriate to use?

A.smb-vuln-ms17-010.nse
B.smb-enum-shares.nse
C.smb-os-discovery.nse
D.smb-enum-users.nse
AnswerA

This script sends probes to test for the MS17-010 vulnerability; it is the direct tool for identifying EternalBlue.

Why this answer

The smb-vuln-ms17-010.nse script is specifically designed to check for the EternalBlue vulnerability (MS17-010) by sending crafted SMB transactions to trigger a known response pattern, without exploiting the vulnerability itself. This makes it ideal for stealthy detection because it does not execute the actual exploit code that would cause a crash or generate an alert in a properly monitored environment.

Exam trap

The trap here is that candidates may confuse general SMB enumeration scripts (like smb-enum-shares or smb-os-discovery) with vulnerability-specific scripts, assuming any SMB script can detect EternalBlue, when only the dedicated ms17-010 script performs the necessary non-exploitative probe.

How to eliminate wrong answers

Option B (smb-enum-shares.nse) is wrong because it enumerates shared folders and their permissions, not vulnerability detection; it cannot determine if the host is vulnerable to EternalBlue. Option C (smb-os-discovery.nse) is wrong because it attempts to retrieve the Windows operating system version via SMB, which may provide context but does not test for the specific MS17-010 vulnerability.

3
MCQhard

A penetration tester is conducting a vulnerability scan of a web application that uses a custom API framework. The scanner reports several potential SQL injection vulnerabilities, but manual testing confirms they are false positives. The tester suspects the scanner is misinterpreting input validation. Which of the following is the most likely reason for these false positives?

A.The scanner used a payload that was blocked by a Web Application Firewall (WAF) before reaching the application
B.The application reflects the injected payload in error messages or response content, causing the scanner to think the injection succeeded
C.The scanner used outdated signatures that do not match the custom API's input validation logic
D.The application returns a generic 'Invalid input' message for all types of invalid input, confusing the scanner
AnswerB

Many scanners check if the payload appears in the response (e.g., error messages containing SQL syntax). If the application echoes back the input without executing it, the scanner may misinterpret this as a successful injection.

Why this answer

Option B is correct because the scanner likely detected the injected payload reflected in the application's response (e.g., in an error message or echoed input), which it interpreted as successful SQL execution. In custom API frameworks, input validation may reject the payload but still reflect it back in the response, causing the scanner to flag a false positive. Manual testing confirms the injection fails, so the reflection is merely a side effect of the API's error handling, not a sign of database interaction.

Exam trap

The trap here is that candidates confuse 'reflected input' (which causes false positives) with 'stored input' or actual SQL error messages, assuming any reflection indicates a vulnerability, when in fact the scanner's heuristic is flawed for custom APIs that echo back sanitized input.

How to eliminate wrong answers

Option A is wrong because a WAF blocking the payload would typically result in a different HTTP response (e.g., 403 Forbidden or a custom block page), not a false positive; the scanner would likely report the request as blocked or fail to get a response, not misinterpret a reflection. Option C is wrong because outdated signatures would more likely cause missed vulnerabilities (false negatives) rather than false positives; the issue here is the scanner's detection logic, not signature age. Option D is wrong because a generic 'Invalid input' message would actually reduce false positives, as the scanner would not see a reflection of its payload; the problem is the opposite—the API reflects the payload, which the scanner misinterprets as success.

4
MCQhard

During a vulnerability scan of a web application, a tester receives an HTTP response with a '405 Method Not Allowed' error when trying to use a PUT request. What does this indicate about the web server's configuration?

A.The server blocks the PUT method for that specific URI.
B.The PUT method is allowed but the resource does not exist.
C.The server does not support the PUT method.
D.The request was malformed and rejected.
AnswerA

405 precisely means the method is not allowed for the requested resource.

Why this answer

A 405 Method Not Allowed error indicates that the server recognized the PUT method as valid but has explicitly disallowed it for the requested URI. This is a server-level access control configuration, often enforced via web server directives (e.g., Apache's `<LimitExcept>` or IIS's request filtering) or application-level routing rules. The tester's PUT request reached the server and was processed, but the server's configuration prevented it from being fulfilled for that specific endpoint.

Exam trap

The trap here is that candidates often confuse a 405 Method Not Allowed with a 501 Not Implemented, mistakenly thinking the server lacks PUT support entirely, when in fact the server supports PUT but has been configured to deny it for that specific URI.

How to eliminate wrong answers

Option B is wrong because a 405 error is not returned when a resource does not exist; that scenario would typically produce a 404 Not Found, regardless of the HTTP method used. Option C is wrong because if the server did not support the PUT method at all, it would likely return a 501 Not Implemented error, not a 405. Option D is wrong because a malformed request would result in a 400 Bad Request error, not a 405, which is specifically about the method being disallowed for the target resource.

5
MCQhard

A penetration tester is performing information gathering on a large organization that uses split-DNS architecture, with internal and external DNS servers. The tester wants to discover internal hostnames without performing any active scans that might trigger detection controls. The tester has obtained the organization's domain name from public WHOIS records. Which of the following techniques would be MOST effective in discovering internal hostnames passively?

A.Run a DNS brute force attack using a common subdomain wordlist
B.Use search engines with site:domain.com to find cached pages with internal references
C.Query the organization's TLS certificate transparency logs for subdomains
D.Perform a DNS zone transfer attempt from the external DNS server
AnswerC

CT logs provide a passive source of subdomain information.

Why this answer

Option C is correct because certificate transparency logs often list all subdomains with publicly trusted SSL certificates, including internal ones. Option A (zone transfer) is active and likely to be blocked. Option B (search engines) may find some hostnames but not comprehensive.

Option D (DNS brute force) is active and noisy.

6
Drag & Dropmedium

Drag and drop the steps to perform a wireless network audit using aircrack-ng into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Wireless auditing requires monitor mode, packet capture, handshake capture, cracking, and verification.

7
MCQeasy

A penetration tester is hired to perform a security assessment of a small business. The business has a single website hosted on a shared server, and the tester wants to identify the content management system (CMS) and plugins used without sending any traffic that might alert the hosting provider. The tester has no previous knowledge of the website. Which of the following techniques would be BEST for this task?

A.Perform a full TCP port scan with nmap on the server's IP
B.Use the Wayback Machine to view cached historical pages
C.Use the 'view page source' feature after browsing the site normally
D.Submit the website URL to a vulnerability scanner like OpenVAS
AnswerB

Wayback Machine archives are passive; no traffic is sent to the target.

Why this answer

Option A is correct because the Wayback Machine provides historical snapshots of the website without sending any current traffic. Option B (full port scan) is active and likely to be detected. Option C (vulnerability scanner) actively probes the server.

Option D (view page source) requires making an HTTP request, which is active traffic.

8
MCQhard

A penetration tester is performing internal reconnaissance on a network that uses IPv6. The tester wants to discover alive hosts and their IPv6 addresses without sending many packets. Which technique is most effective for this purpose?

A.Perform a full TCP SYN scan on the entire /64 subnet using Nmap with IPv6 addressing
B.Ping the IPv6 all-nodes multicast address (ff02::1) and analyze the responses to discover active hosts
C.Request the DHCPv6 server log from the network administrator to obtain a list of assigned IPv6 addresses
D.Use the `ip neighbor` command on the tester's machine to view the IPv6 neighbor cache after generating traffic
AnswerB

Sending an ICMPv6 echo request to ff02::1 will trigger responses from all hosts that respond to multicast pings, quickly revealing active IPv6 addresses without scanning the entire subnet.

Why this answer

Option B is correct because sending a ping to the IPv6 all-nodes multicast address (ff02::1) triggers a response from all active hosts on the local link that have IPv6 enabled, allowing the tester to discover alive hosts and their IPv6 addresses with minimal packets. This technique leverages the inherent multicast behavior of IPv6, where hosts join the all-nodes multicast group by default, making it highly efficient for reconnaissance without scanning each address individually.

Exam trap

The trap here is that candidates may overlook the efficiency of multicast-based discovery and instead choose a brute-force scan (Option A), not realizing that IPv6 subnets are far too large for exhaustive scanning, or they may mistakenly think DHCPv6 logs (Option C) are always available or reliable in IPv6 environments where SLAAC is common.

How to eliminate wrong answers

Option A is wrong because performing a full TCP SYN scan on an entire /64 subnet (2^64 addresses) is impractical and would generate an enormous number of packets, defeating the goal of discovering hosts without sending many packets; it is also inefficient and likely to be detected or blocked. Option C is wrong because requesting the DHCPv6 server log from the network administrator relies on human cooperation and may not be feasible during a penetration test, and it does not involve the tester actively discovering hosts; additionally, many IPv6 networks use stateless address autoconfiguration (SLAAC) rather than DHCPv6, so the log may not contain all active addresses.

9
MCQeasy

A penetration tester is tasked with discovering all publicly accessible Amazon S3 buckets that belong to a target company. Which technique is MOST effective for this purpose?

A.Scanning the target's IP ranges for open ports 443
B.Using dnsdumpster.com to find subdomains
C.Guessing bucket names based on common patterns
D.Querying Google dorks for 'site:s3.amazonaws.com [target_company]'
AnswerD

Google dorking using the site operator to search 's3.amazonaws.com' with the company name can find publicly listed bucket URLs. This is a proven passive reconnaissance technique.

Why this answer

Option D is correct because Google dorks allow a penetration tester to search for indexed S3 bucket URLs that contain the target company's name, revealing publicly accessible buckets without direct interaction with the target's infrastructure. This technique leverages Google's crawlers to find buckets that may have been inadvertently exposed or misconfigured, making it highly effective for passive reconnaissance.

Exam trap

The trap here is that candidates may think DNS enumeration (Option B) or port scanning (Option A) are effective for discovering cloud storage resources, but these methods fail because S3 buckets are external to the target's network and are not tied to the target's DNS or IP ranges.

How to eliminate wrong answers

Option A is wrong because scanning the target's IP ranges for open port 443 (HTTPS) does not specifically identify S3 buckets; S3 buckets are hosted on Amazon's infrastructure (e.g., s3.amazonaws.com) and not on the target's own IP ranges, so this would miss buckets entirely. Option B is wrong because dnsdumpster.com is used for DNS enumeration to find subdomains, but S3 bucket names are not DNS subdomains of the target company; they are separate AWS resources with names like 'bucket-name.s3.amazonaws.com' that do not appear in the target's DNS records. Option C is wrong because guessing bucket names based on common patterns is inefficient and unreliable; while it might occasionally succeed, it is not the most effective method compared to using search engines that index actual bucket URLs.

10
MCQhard

A vulnerability scanner reports an unauthenticated critical finding on an internal server. Manual testing shows the vulnerable package is present, but the vulnerable service is disabled and not reachable. How should the tester report this?

A.Report the finding with contextual risk adjustment and explain that the vulnerable service is disabled and not reachable.
B.Delete the finding because the package exists but is not currently exploitable.
C.Report it as critical without context because the scanner assigned critical severity.
D.Exploit the service by enabling it first.
AnswerA

This preserves evidence while avoiding overstating exploitability.

Why this answer

Option A is correct because the vulnerability scanner identified a real package vulnerability, but manual verification revealed the service is disabled and unreachable. The tester must report the finding with a contextual risk adjustment to accurately reflect the reduced exploitability, as per standard risk assessment practices in penetration testing. This ensures the organization understands the actual risk without ignoring the presence of the vulnerable package, which could be enabled in the future.

Exam trap

The trap here is that candidates may assume any scanner-reported critical finding must be reported as-is, ignoring the penetration tester's duty to validate and contextualize findings based on actual service state and reachability.

How to eliminate wrong answers

Option B is wrong because deleting the finding ignores the presence of the vulnerable package, which could be enabled later by an administrator or attacker, leading to a false sense of security. Option C is wrong because reporting it as critical without context disregards the tester's responsibility to validate scanner results and adjust risk based on actual exploitability, as the service is disabled and unreachable. Option D is wrong because enabling the service to exploit it is unethical, violates testing scope, and could cause unintended disruption or security breaches.

11
Multi-Selectmedium

A penetration tester is performing information gathering for a web application. Which of the following are passive information gathering techniques? (Select THREE).

Select 3 answers
A.DNS zone transfer
B.Source code review from public repositories
C.Port scanning
D.SSL/TLS certificate inspection
E.WHOIS lookup
AnswersB, D, E

Reviewing code on GitHub or similar is passive.

Why this answer

Options B, D, and E are correct because they involve querying public data without sending packets to the target. Option A can be active if performed directly; Option C is active scanning.

12
MCQmedium

A penetration tester wants to enumerate user accounts and SMB shares from a Windows machine without authenticating. Which tool is specifically designed for this purpose and is commonly used in Linux penetration testing distributions?

A.nmap
B.enum4linux
C.smbclient
D.hydra
AnswerB

Correct. enum4linux is a wrapper around tools like Samba, rpcclient, and net, designed to enumerate users, groups, shares, and OS info from Windows hosts via SMB and RPC without authentication.

Why this answer

enum4linux is specifically designed to enumerate user accounts, SMB shares, and other information from Windows machines via the SMB protocol without requiring authentication. It leverages the SMB null session vulnerability (CVE-1999-0504) to query the remote system for data such as user lists, share lists, and OS details, making it a standard tool in Linux penetration testing distributions like Kali Linux.

Exam trap

The trap here is that candidates often confuse enum4linux with smbclient or nmap, thinking that any SMB-related tool can perform null session enumeration, but enum4linux is the only one specifically built to automate this process without authentication.

How to eliminate wrong answers

Option A is wrong because nmap is a general-purpose network scanner that can discover open ports and services, but it is not specifically designed for enumerating SMB user accounts and shares without authentication; it requires scripts like smb-enum-users.nse to perform such tasks, and even then it is not the dedicated tool for this purpose. Option C is wrong because smbclient is an interactive SMB client used to access shared resources after authentication or with a null session, but it is not primarily designed for enumeration of user accounts and shares without authentication; it requires manual interaction and does not automate the enumeration process. Option D is wrong because hydra is a password brute-forcing tool used for attacking authentication services, not for enumerating user accounts or SMB shares without authentication; it requires valid credentials or a list of usernames to attempt logins.

13
MCQhard

During a penetration test, a tester identifies that the target's network uses Private VLANs to isolate hosts. Which technique can be used to bypass this isolation and perform ARP spoofing?

A.ARP cache poisoning from the switch
B.MAC flooding
C.Double tagging
D.VLAN hopping
AnswerD

VLAN hopping (e.g., double tagging) can bypass Private VLAN isolation by sending frames to another VLAN.

Why this answer

Private VLANs isolate hosts within the same VLAN by restricting traffic at the switch level. VLAN hopping (option D) allows an attacker to bypass this isolation by exploiting the switch's trunking protocol (e.g., DTP) to negotiate a trunk link, enabling the attacker to send and receive frames on multiple VLANs, including the target's community or isolated VLAN, thus facilitating ARP spoofing across the Private VLAN boundaries.

Exam trap

CompTIA often tests the distinction between VLAN hopping methods (DTP-based vs. double tagging), and the trap here is that candidates confuse double tagging with the general concept of VLAN hopping, but double tagging is not effective against Private VLANs because it relies on native VLAN misconfigurations on trunk ports, whereas DTP-based hopping directly negotiates a trunk to access all VLANs.

How to eliminate wrong answers

Option A is wrong because ARP cache poisoning from the switch is not a standard attack vector; ARP spoofing targets end hosts, not the switch's ARP cache, and switches do not maintain ARP caches for forwarding decisions in the same way routers do. Option B is wrong because MAC flooding overwhelms the switch's CAM table to force it into hub mode, which can allow sniffing within the same VLAN but does not bypass Private VLAN isolation, as Private VLANs enforce traffic restrictions at the switch level regardless of CAM table state. Option C is wrong because double tagging is a VLAN hopping technique that works by adding two 802.1Q tags to a frame, but it is effective only against trunk ports with native VLAN mismatches and does not directly bypass Private VLAN isolation, which operates on access ports with Private VLAN configuration.

14
MCQmedium

A penetration tester is conducting passive reconnaissance against a target domain. The tester wants to discover all subdomains associated with the domain without making any direct DNS queries to the target's authoritative servers. Which technique is BEST suited for this purpose?

A.Using the 'nslookup' command to query the domain's DNS server
B.Querying certificate transparency logs using a site like crt.sh
C.Performing a DNS zone transfer
D.Using the 'whois' lookup to gather domain registration info
AnswerB

Correct. Certificate transparency logs are public and contain all domains/subdomains that have SSL/TLS certificates issued, providing passive subdomain discovery.

Why this answer

Certificate transparency logs, accessible via sites like crt.sh, provide a historical record of all SSL/TLS certificates issued for a domain, including those for subdomains. Querying these logs allows a tester to discover subdomains without making any direct DNS queries to the target's authoritative servers, thus remaining fully passive and avoiding detection.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with techniques that are technically passive from the tester's perspective but still generate network traffic to the target, such as querying public DNS resolvers or using search engines, whereas certificate transparency logs are truly passive as they rely on third-party data repositories.

How to eliminate wrong answers

Option A is wrong because using 'nslookup' to query the domain's DNS server involves direct DNS queries to the target's authoritative servers, which is active reconnaissance and can be logged or detected. Option C is wrong because performing a DNS zone transfer requires a direct connection to the target's DNS server and typically fails unless the server is misconfigured to allow unauthorized transfers; it is also an active technique that generates network traffic.

15
MCQhard

You are a penetration tester hired to assess the security of a mid-sized company. The company's internal network consists of a web server running Apache 2.4.29 on Ubuntu 18.04, a database server with MySQL 5.7 on CentOS 7, and a file server running Samba 4.8 on a separate Linux distribution. You are given a standard domain user account with limited privileges. After initial reconnaissance, you discover that the web server has a SQL injection vulnerability in its login form. However, when you attempt to exploit it with SQLmap, the web application firewall (WAF) blocks all your payloads. You also notice that the file server is accessible via SMB with guest access enabled, allowing you to list shares without authentication. The database server is isolated on a separate VLAN and is not directly accessible from your workstation. Which of the following actions should you take NEXT to further your assessment?

A.Use SQLmap with --tamper scripts to bypass the WAF
B.Scan the file server for vulnerabilities using Nmap NSE scripts
C.Attempt to brute-force the MySQL root password on the database server
D.Conduct a phishing campaign against employees to gain elevated credentials
AnswerB

The SMB guest access provides a direct opportunity to enumerate the file server and potentially find vulnerabilities (e.g., EternalBlue) that could lead to system compromise.

Why this answer

With guest access to the SMB file server, you can probe it for vulnerabilities using Nmap's scripting engine (NSE). This could reveal additional weaknesses that might provide a foothold or lateral movement paths. Attempting to bypass the WAF immediately (option A) is possible but may be time-consuming and less likely to succeed without more information.

Brute-forcing the MySQL root password (option C) is not feasible because you cannot reach the database server directly. Phishing (option D) is an option but it does not leverage the current access and may not be the most efficient next step.

16
MCQeasy

During the reconnaissance phase, a penetration tester wants to identify subdomains of a target domain without making direct requests to the target's own DNS servers. Which technique would be BEST for this purpose?

A.Using the 'nslookup' command interactively
B.Performing a zone transfer
C.Using search engines and public certificate transparency logs
D.Using the 'host' command
AnswerC

These sources aggregate data from external observations and do not require contacting the target, thus are passive.

Why this answer

Option C is correct because search engines (e.g., Google dorking) and public certificate transparency logs (e.g., crt.sh) allow a tester to discover subdomains by querying aggregated historical DNS and TLS certificate data, without sending any queries to the target's authoritative DNS servers. This passive reconnaissance technique avoids alerting the target's infrastructure and complies with the requirement of no direct requests to the target's DNS servers.

Exam trap

CompTIA often tests the distinction between active and passive reconnaissance, and the trap here is that candidates may choose zone transfer (Option B) because it is a well-known DNS enumeration technique, but they overlook that it requires direct contact with the target's DNS server and is typically blocked, whereas certificate transparency logs provide a passive alternative that avoids direct interaction.

How to eliminate wrong answers

Option A is wrong because using 'nslookup' interactively sends DNS queries directly to the target's DNS servers (or configured resolvers), which violates the requirement of not making direct requests to the target's own DNS servers. Option B is wrong because performing a zone transfer (AXFR) requires a direct TCP connection to the target's authoritative DNS server on port 53, and most modern DNS servers are configured to deny zone transfers except to authorized secondary servers, making it both a direct request and often unsuccessful.

17
MCQeasy

A penetration tester is conducting information gathering on a target organization. The tester discovers a public code repository that contains configuration files with embedded credentials. Which of the following is the BEST next step?

A.Notify the organization's security team of the exposed credentials.
B.Attempt to crack the passwords to gain further access.
C.Document the findings and proceed with passive reconnaissance.
D.Use the credentials to log into the target system immediately.
AnswerA

This is the ethical and professional course of action to mitigate risk.

Why this answer

Option A is correct because the tester has discovered exposed credentials in a public code repository, which is a critical security finding that requires immediate disclosure to the organization's security team. Ethical penetration testing mandates that any discovered vulnerabilities, especially those involving credential exposure, be reported promptly to prevent unauthorized access and potential data breaches. Proceeding with further exploitation without authorization violates the rules of engagement and could cause legal or operational harm.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with active exploitation, thinking that documenting and moving on is sufficient, when in fact exposed credentials demand immediate action to prevent real-world compromise.

How to eliminate wrong answers

Option B is wrong because attempting to crack the passwords is an active exploitation step that goes beyond passive information gathering and violates the scope of engagement without prior authorization. Option C is wrong because documenting the findings and proceeding with passive reconnaissance ignores the urgency of exposed credentials, which could be exploited by malicious actors in the meantime. Option D is wrong because using the credentials to log into the target system immediately constitutes unauthorized access and is a violation of ethical hacking principles and legal boundaries.

18
MCQeasy

A penetration tester wants to discover email addresses associated with a target domain (example.com) without sending any network packets to the target's systems. Which technique is BEST suited for this?

A.Google dorking
B.DNS brute forcing
C.WHOIS lookup
D.SMB enumeration
AnswerA

Google dorking can reveal email addresses from public sources indexed by search engines, requiring no direct interaction with the target.

Why this answer

Google dorking uses advanced search operators (e.g., site:example.com intext:@example.com) to index publicly available information from Google's cached pages, allowing discovery of email addresses without sending any packets to the target's infrastructure. This passive reconnaissance technique relies solely on pre-existing search engine data, making it ideal for avoiding direct interaction with the target.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with techniques like DNS brute forcing or WHOIS lookups, but DNS brute forcing is active (sends packets) and WHOIS lookups only yield limited administrative contacts, not the broad email discovery that Google dorking provides.

How to eliminate wrong answers

Option B (DNS brute forcing) is wrong because it involves sending DNS queries to the target's name servers to enumerate subdomains, which generates network packets and active interaction with the target's systems. Option C (WHOIS lookup) is wrong because while it is passive, it typically returns administrative and technical contact emails (e.g., admin@example.com) rather than a broad set of user email addresses associated with the domain, and it queries public WHOIS databases, not the target's own systems.

19
MCQeasy

A penetration tester wants to discover all subdomains of a target domain without directly querying the target's DNS servers to avoid detection. Which technique is most appropriate?

A.DNS zone transfer
B.Brute-force subdomain enumeration using a wordlist
C.Passive DNS enumeration using public data sources
D.SNMP community string enumeration
AnswerC

Passive enumeration relies on publicly available records and does not require sending packets to the target, thus avoiding detection.

Why this answer

Passive DNS enumeration leverages public data sources such as certificate transparency logs, search engine caches, and passive DNS databases (e.g., VirusTotal, SecurityTrails) to discover subdomains without sending any queries to the target's authoritative DNS servers. This approach avoids generating DNS traffic that could be logged or detected by the target's monitoring systems, making it ideal for stealthy reconnaissance.

Exam trap

The trap here is that candidates may confuse passive enumeration with brute-force or zone transfer techniques, overlooking the explicit requirement to avoid direct DNS queries and detection, which only passive methods satisfy.

How to eliminate wrong answers

Option A is wrong because DNS zone transfer (AXFR) requires the target's DNS server to be misconfigured to allow unrestricted zone transfers, and it directly queries the target's DNS server, which would be detected. Option B is wrong because brute-force subdomain enumeration using a wordlist involves sending numerous DNS queries to the target's DNS servers to test each subdomain, generating detectable traffic and defeating the requirement to avoid direct queries.

20
MCQmedium

A penetration tester wants to identify all subdomains for a target domain using only public records. Which technique is most effective for this purpose?

A.Searching crt.sh (Certificate Transparency logs).
B.DNS zone transfer.
C.Using Nmap to brute-force subdomains.
D.Querying the domain's MX records.
AnswerA

Certificate logs are public and contain SAN entries, making them an excellent source for passive subdomain enumeration. Tools like crt.sh or digicert can be queried.

Why this answer

Certificate Transparency logs, accessible via crt.sh, are a public record of all SSL/TLS certificates issued for a domain. Since certificates often include Subject Alternative Names (SANs) listing subdomains, querying crt.sh reveals subdomains without any interaction with the target's infrastructure. This technique is passive, requires no authorization, and leverages mandatory logging per RFC 6962, making it highly effective for enumeration from public records.

Exam trap

The trap here is that candidates confuse 'public records' with 'active DNS queries' and choose DNS zone transfer (B) or brute-forcing (C), failing to recognize that Certificate Transparency logs are the only passive, public-record-based option listed.

How to eliminate wrong answers

Option B is wrong because DNS zone transfer (AXFR) is not a public record technique; it requires explicit server configuration to allow transfers, and modern DNS servers almost always restrict it to authorized secondary nameservers, making it a high-risk, active technique that rarely succeeds against hardened targets. Option C is wrong because using Nmap to brute-force subdomains is an active scanning technique that generates network traffic to the target's DNS servers, which is not 'using only public records' and can be detected or blocked, unlike passive methods.

21
MCQeasy

A penetration tester is performing passive reconnaissance on a target organization. Which of the following activities would be considered passive reconnaissance?

A.Scanning open ports on the target web server
B.Using a search engine to find exposed documents
C.Sending a crafted ICMP echo request to the target
D.Attempting a SQL injection on a login form
AnswerB

Correct. Search engines index publicly accessible data; this activity does not send traffic to the target.

Why this answer

Passive reconnaissance involves gathering information without directly interacting with the target's systems. Using a search engine to find exposed documents (e.g., via Google dorking) relies on publicly indexed data, which does not send any packets to the target's infrastructure. This aligns with the definition of passive reconnaissance as it leverages third-party sources rather than engaging the target directly.

Exam trap

The trap here is that candidates often confuse 'passive' with 'low-interaction' activities, mistakenly thinking that sending a single ICMP packet or a simple port scan is passive because it seems minimal, but any direct packet transmission to the target constitutes active reconnaissance.

How to eliminate wrong answers

Option A is wrong because scanning open ports on the target web server requires sending TCP or UDP packets to the target, which constitutes active reconnaissance as it directly interacts with the target's systems. Option C is wrong because sending a crafted ICMP echo request (ping) to the target is an active probe that elicits a response from the target's network stack, making it active reconnaissance, not passive.

22
MCQhard

A penetration tester is using a vulnerability scanner to assess an internal network. The scanner reports a critical vulnerability in a custom web application, but manual verification shows the application is not vulnerable. Which of the following is the MOST likely cause of this false positive?

A.The scanner used an outdated vulnerability database that does not match the application's patches
B.The scanner identified the application version from the HTTP response header, but the vulnerability was already patched in that version
C.The scanner detected a vulnerable library used by the application, but the application's implementation does not expose the vulnerable code path
D.The scanner performed an exploit attempt that succeeded on a different service on the same host
AnswerC

This is a classic false positive: the scanner sees the library version but cannot determine if the vulnerable functionality is reachable. The tester must manually validate.

Why this answer

Option C is correct because vulnerability scanners often identify libraries or components with known CVEs, but they cannot determine whether the application's code actually invokes the vulnerable functions. In this case, the scanner flagged a library with a known vulnerability, but the custom web application's implementation does not expose the vulnerable code path, resulting in a false positive. This is a common limitation of static or version-based detection versus dynamic, context-aware analysis.

Exam trap

The trap here is that candidates often assume a scanner's version-based detection is definitive, overlooking the fact that a vulnerable library may be present but not actively used in a way that exposes the vulnerability.

How to eliminate wrong answers

Option A is wrong because an outdated vulnerability database would more likely cause false negatives (missing real vulnerabilities) rather than false positives; a false positive typically arises from over-aggressive or version-based detection, not from missing patches. Option B is wrong because if the vulnerability was already patched in that version, the scanner should not report it based on the HTTP response header; this scenario would indicate a scanner misconfiguration or a bug, not a typical false positive cause, and the question specifies the application is not vulnerable, not that it was patched.

23
MCQmedium

A penetration tester is using a vulnerability scanner on a web application and notices that many findings are false positives caused by the scanner sending oversized payloads that the application truncates or rejects. Which scanner configuration change would MOST effectively reduce false positives in this scenario?

A.Increase the scan intensity to send more payloads
B.Enable safe checks or anti-false positive mode
C.Increase the HTTP request timeout
D.Disable vulnerability detection for certain plugins
AnswerB

Safe checks use additional verification steps to confirm a vulnerability before reporting it, reducing false positives.

Why this answer

Enabling safe checks or anti-false positive mode configures the scanner to send payloads that conform to expected application input constraints (e.g., length limits, character sets) rather than oversized or malformed payloads. This reduces false positives by ensuring that the scanner only reports vulnerabilities that are actually reachable and exploitable under normal application behavior, rather than triggering truncation or rejection logic that is not a security flaw.

Exam trap

The trap here is that candidates may confuse 'increasing scan intensity' with 'more thorough testing,' but in reality, it amplifies the very behavior (oversized payloads) that causes false positives, while 'safe checks' directly mitigates the root cause.

How to eliminate wrong answers

Option A is wrong because increasing scan intensity sends more payloads, which would likely increase the number of oversized payloads and thus increase false positives, not reduce them. Option C is wrong because increasing the HTTP request timeout only affects how long the scanner waits for a response; it does not change the payload size or content, so it cannot reduce false positives caused by payload truncation or rejection.

24
MCQeasy

A penetration tester is conducting an internal network scan and wants to minimize the chance of detection by the target's intrusion detection system (IDS). Which Nmap timing template is the MOST appropriate for this goal?

A.T0 (Paranoid)
B.T1 (Sneaky)
C.T3 (Normal)
D.T5 (Insane)
AnswerA

T0 uses the slowest timing, ideal for stealth by spacing out packets to avoid IDS thresholds.

Why this answer

The T0 (Paranoid) timing template is the most appropriate because it introduces an extremely slow scan rate, sending packets at a rate of no more than one packet every 5 minutes (300 seconds). This slow pace is designed to evade threshold-based intrusion detection systems (IDS) that trigger alerts when they detect a high volume of traffic from a single source within a short time window, making it ideal for stealthy internal reconnaissance.

Exam trap

The trap here is that candidates often choose T1 (Sneaky) thinking it is 'stealthy enough' without realizing that the PT0-002 exam expects the most extreme option (T0) when the goal is to minimize detection, as any detectable pattern—even at 15-second intervals—can be caught by modern IDS/IPS systems.

How to eliminate wrong answers

Option B (T1 - Sneaky) is wrong because, while slower than normal, it sends packets at intervals of 15 seconds, which is still too fast for environments where the IDS has a low threshold for connection attempts and may still trigger alerts. Option C (T3 - Normal) is wrong because it uses the default timing template with no deliberate delay, sending packets as fast as the network and target allow, which is highly likely to be detected by any IDS monitoring for scan patterns.

25
MCQmedium

During an internal penetration test, a tester is trying to identify live hosts on a network segment. The tester wants to avoid generating a high volume of traffic or alerts. Which scanning technique is most appropriate for this task?

A.Full TCP connect scan on common ports
B.ICMP echo request sweep
C.SYN stealth scan on port 80 and 443
D.ARP ping scan
AnswerD

ARP scans are local, low-traffic, and often not monitored, making them ideal for stealthy host discovery on the same subnet.

Why this answer

An ARP ping scan (option D) is the most appropriate technique because it operates at Layer 2 (Data Link layer) using ARP requests to determine if an IP address is active on the local subnet. Since ARP traffic is confined to the local broadcast domain and does not generate IP-level packets, it produces minimal network traffic and is unlikely to trigger IDS/IPS alerts, making it ideal for stealthy host discovery on a local network segment.

Exam trap

The trap here is that candidates often choose a SYN stealth scan (option C) thinking it is the quietest option, but they overlook that ARP scans are even more stealthy and efficient for local subnet discovery because they avoid IP-layer detection entirely.

How to eliminate wrong answers

Option A is wrong because a full TCP connect scan completes the three-way handshake on every port, generating a high volume of traffic and easily triggering alerts on firewalls or intrusion detection systems. Option B is wrong because an ICMP echo request sweep sends ICMP packets that are often blocked or filtered by network devices, and the broadcast nature of ICMP can still produce noticeable traffic and alerts. Option C is wrong because a SYN stealth scan on ports 80 and 443, while stealthier than a full connect scan, still sends TCP SYN packets that traverse Layer 3 and can be detected by network monitoring tools; it also limits discovery to only two ports, potentially missing live hosts that do not have those services open.

26
MCQeasy

A penetration tester receives the JSON output above from a vulnerability scanner. Which of the following actions should the tester take FIRST to validate this finding?

A.Manually submit the same payload to the endpoint to confirm the error.
B.Immediately report the finding as critical.
C.Check if the application has a WAF in place.
D.Re-run the scan with a different payload.
AnswerA

Manual verification is the standard first step to confirm a scanner finding.

Why this answer

Option A is correct because manually submitting the same payload confirms the scanner result and eliminates false positives. Option B is premature; Option C skips verification; Option D is not the first step.

27
MCQeasy

A penetration tester is performing a port scan on a target network and receives no response to SYN packets sent to port 443. However, the service is known to be running. Which scanning technique should the tester use next to confirm the service?

A.SYN scan
B.TCP connect scan
C.UDP scan
D.Idle scan
AnswerB

Completes the handshake and can bypass firewall rules that drop SYN packets.

Why this answer

Option B (TCP connect scan) is correct because when a SYN scan receives no response to port 443, it may indicate that a firewall or packet filter is dropping the SYN packets. A TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK), which can bypass some stateless firewall rules that only block initial SYN packets but allow established connections. This technique confirms the service by successfully establishing a connection, even if SYN packets are filtered.

Exam trap

The trap here is that candidates assume a SYN scan is always the best stealth option, but when SYN packets are filtered, completing the TCP handshake (connect scan) can bypass simple stateless firewall rules that drop initial SYN packets.

How to eliminate wrong answers

Option A (SYN scan) is wrong because it is the technique that already failed—sending SYN packets to port 443 received no response, so repeating the same scan will not yield different results. Option C (UDP scan) is wrong because port 443 is used for HTTPS (TCP), not UDP; a UDP scan would be irrelevant for confirming a TCP-based service. Option D (Idle scan) is wrong because it is a stealth technique used to spoof the source IP via a zombie host, not a method to confirm a service when SYN packets are filtered; it would still rely on SYN packets and would not bypass the filtering issue.

28
MCQmedium

A penetration tester is performing a vulnerability scan of a network and finds that one server is running an outdated version of OpenSSL. Which of the following is the most likely security implication of this finding?

A.The server is vulnerable to SQL injection
B.The server is vulnerable to cross-site scripting
C.The server is vulnerable to buffer overflow
D.The server is vulnerable to Heartbleed
AnswerD

Heartbleed is a specific OpenSSL vulnerability (CVE-2014-0160) that affects versions 1.0.1 through 1.0.1f.

Why this answer

Outdated versions of OpenSSL, particularly versions 1.0.1 through 1.0.1f, are vulnerable to the Heartbleed bug (CVE-2014-0160). This vulnerability allows an attacker to read up to 64 KB of memory from the server's heap, potentially exposing private keys, session tokens, and other sensitive data. The Heartbleed bug is a specific buffer over-read vulnerability in the TLS/DTLS heartbeat extension, making D the correct answer.

Exam trap

The trap here is that candidates may confuse 'buffer overflow' (a write-based code execution vulnerability) with 'buffer over-read' (a read-based information disclosure like Heartbleed), leading them to select option C instead of the more specific and correct answer D.

How to eliminate wrong answers

Option A is wrong because SQL injection is a web application vulnerability caused by improper input sanitization in database queries, not a flaw in the OpenSSL cryptographic library. Option B is wrong because cross-site scripting (XSS) is a client-side injection vulnerability in web applications, unrelated to the OpenSSL protocol implementation. Option C is wrong because while Heartbleed is technically a buffer over-read (a type of memory safety issue), the term 'buffer overflow' typically refers to a buffer write overflow (e.g., stack or heap overflow) that allows code execution, whereas Heartbleed is a read-only over-read that leaks memory contents without allowing arbitrary code execution.

29
MCQhard

A PenTest team is planning to perform a physical social engineering engagement to gather information from a client's facility. Which of the following reconnaissance techniques would be LEAST likely to be detected?

A.Shoulder surfing
B.Email phishing
C.Tailgating
D.Dumpster diving
AnswerD

Dumpster diving is passive physical reconnaissance and rarely triggers alarms.

Why this answer

Option A is correct because dumpster diving is a physical, low-tech method that often goes unnoticed. Options B, C, and D involve direct interaction and have higher detection risk.

30
MCQmedium

A penetration tester is conducting information gathering on a target company. The company has an internal Confluence wiki that is only accessible from within the corporate network. The tester wants to discover any externally accessible references to the wiki without actively interacting with the target's systems. Which of the following techniques would be MOST effective?

A.Query the target's TLS certificate transparency logs for subdomains
B.Search for exposed Confluence login pages on Shodan
C.Use the Wayback Machine to find historical public references
D.Perform a zone transfer on the target's DNS servers
AnswerA

Certificate transparency logs list subdomains with SSL certs, which may include internal services.

Why this answer

Querying TLS certificate transparency logs is the most effective technique because it allows the tester to discover subdomains associated with the target's domain without any active interaction. Certificate Transparency (CT) logs are publicly accessible records of all SSL/TLS certificates issued by Certificate Authorities (CAs), and they often include subdomains that may point to internal services like Confluence if they were ever exposed via a public certificate. This passive reconnaissance method reveals externally accessible references that the target may have inadvertently made public.

Exam trap

The trap here is that candidates may think Shodan is a passive reconnaissance tool, but querying Shodan for specific services like Confluence login pages still involves active probing of the target's IP addresses, which counts as active interaction in the context of this question.

How to eliminate wrong answers

Option B is wrong because searching for exposed Confluence login pages on Shodan requires active scanning of the target's IP ranges, which constitutes active interaction with the target's systems, violating the requirement to avoid active interaction. Option C is wrong because the Wayback Machine archives historical snapshots of publicly accessible web pages, but it would only contain references to the Confluence wiki if those pages were previously publicly accessible on the internet, which is unlikely for an internal-only wiki. Option D is wrong because performing a zone transfer on the target's DNS servers is an active DNS query technique that requires direct interaction with the target's DNS infrastructure, and most modern DNS servers are configured to deny zone transfers to unauthorized hosts.

31
MCQmedium

A penetration tester is performing internal reconnaissance from a compromised host and wants to map the local network without sending any packets. Which technique is most suitable?

A.Use tcpdump to passively capture and analyze broadcast traffic.
B.Send ARP requests to all possible IP addresses using a ping sweep.
C.Query the local DNS server for all host records in the domain.
D.Use traceroute to discover network paths.
AnswerA

Passive capture of broadcast frames (ARP, DHCP, etc.) reveals live hosts and their IP addresses without sending a single packet.

Why this answer

Option A is correct because tcpdump can passively capture broadcast traffic (e.g., ARP, NetBIOS, mDNS) without sending any packets. This allows the tester to map active hosts and services on the local network by listening to existing network chatter, fulfilling the 'no packets sent' constraint.

Exam trap

The trap here is that candidates may assume 'passive' techniques like tcpdump still require sending packets, or they confuse passive capture with active scanning methods like ARP sweeps or DNS queries, which inherently generate network traffic.

How to eliminate wrong answers

Option B is wrong because sending ARP requests as part of a ping sweep generates packets on the network, violating the requirement to avoid sending any packets. Option C is wrong because querying the local DNS server sends a DNS query packet, which is an active network request; it also may not reveal all host records due to DNS caching or security configurations like zone transfer restrictions.

32
MCQmedium

During an internal penetration test, a tester discovers that the client's network uses ARP poisoning to intercept traffic for security monitoring. The tester wants to enumerate live hosts without being detected by network monitoring tools. Which of the following is the BEST approach?

A.Use passive network sniffing to capture broadcast traffic
B.Perform a UDP scan
C.Perform a SYN scan with decoys
D.Use ARP requests to discover hosts
AnswerA

Passive sniffing collects broadcast packets like ARP and DHCP without sending anything.

Why this answer

Option D is correct because passive network sniffing captures broadcast traffic without generating any packets, avoiding detection. Option A generates ARP traffic; Option B generates SYN packets; Option C generates UDP packets.

33
MCQmedium

Based on the Nmap output above, which of the following conclusions is MOST accurate regarding the target host?

A.The host is running Linux because SSH is open.
B.The host is running a web server on port 8080.
C.The SSH service is configured to use a non-standard port.
D.A firewall is likely blocking access to port 8080.
AnswerD

Filtered state typically results from a firewall dropping packets.

Why this answer

Option B is correct because 'filtered' indicates a firewall or ACL is blocking access to port 8080. Option A is wrong because filtered means state unknown; Option C is wrong because SSH is on standard port 22; Option D is not definitive from this scan alone.

34
MCQmedium

A penetration tester is conducting an internal network scan and wants to minimize the chance of being detected by an intrusion detection system (IDS). Which TCP scan type is most likely to evade detection?

A.TCP connect scan
B.SYN scan
C.FIN scan
D.UDP scan
AnswerC

A FIN scan sends only FIN packets. Many systems and IDS do not log these as intrusively, though some modern firewalls may detect them. It is generally considered more stealthy than SYN or connect scans.

Why this answer

A FIN scan sends a TCP packet with only the FIN flag set, which is less likely to trigger IDS signatures that are tuned to detect common SYN-based scans. Many IDS systems monitor for SYN packets as they initiate connections, but a FIN scan exploits the fact that closed ports respond with an RST packet, while open ports ignore the FIN (per RFC 793), allowing the tester to infer port state without completing a full handshake.

Exam trap

The trap here is that candidates assume SYN scans are stealthier because they are 'half-open,' but CompTIA often tests that FIN scans evade IDS better because they avoid the SYN packet that triggers common detection signatures.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan uses the full three-way handshake (SYN, SYN-ACK, ACK), which is easily logged by the target system and detected by IDS as a standard connection attempt. Option B is wrong because a SYN scan (half-open scan) sends a SYN packet and waits for a SYN-ACK, but many IDS systems are specifically configured to flag rapid SYN packets as a port scan, making it more detectable than a FIN scan.

35
MCQeasy

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify the technologies and frameworks used by the target's web application without making any requests to the target's servers. Which resource is BEST suited for this task?

A.Nmap service scan with -sV
B.Shodan.io
C.BuiltWith.com
D.Wappalyzer browser extension
AnswerC

BuiltWith.com is a passive reconnaissance tool that catalogues technology profiles from public data, allowing identification of frameworks and libraries without interacting with the target.

Why this answer

BuiltWith.com is a passive reconnaissance resource that profiles web application technologies by analyzing publicly available data, such as JavaScript libraries, web frameworks, and analytics tools, without sending any requests to the target's servers. It aggregates information from various public sources and historical data, making it ideal for identifying technologies without direct interaction.

Exam trap

The trap here is that candidates often confuse Shodan.io's passive-looking interface with true passive reconnaissance, not realizing that Shodan's data is derived from active scanning, while BuiltWith.com relies on non-intrusive public data aggregation.

How to eliminate wrong answers

Option A is wrong because Nmap's -sV flag performs an active service scan that sends probes to the target's servers to determine service versions, which violates the passive reconnaissance requirement. Option B is wrong because Shodan.io is a search engine for internet-connected devices and services, but it primarily relies on active scanning data from its own crawlers and may not provide detailed web application technology stacks like frameworks or libraries without making requests to the target.

36
MCQmedium

A penetration tester is using a vulnerability scanner to assess a web application. The scanner reports a 'SQL Injection' finding with a high confidence level. However, manual verification of the same payload does not trigger the vulnerability in a browser. Which of the following is the most likely reason for this discrepancy?

A.The scanner used a different HTTP method than the one used in manual testing
B.The scanner's payloads were URL-encoded differently
C.The vulnerability exists only in the scanner's simulated environment
D.The scanner might have generated a false positive due to a misinterpretation of the server's response
AnswerD

False positives are common in automated scanners. The scanner may have incorrectly flagged a response as vulnerable when manual testing proves otherwise.

Why this answer

The most likely reason is that the scanner generated a false positive due to a misinterpretation of the server's response. Vulnerability scanners often infer SQL injection based on response patterns (e.g., database error messages, timing differences) that may not actually be exploitable. Manual verification in a browser failed because the payload did not produce a true SQL error or data leak, confirming the scanner's alert was incorrect.

Exam trap

CompTIA often tests the concept that automated scanners can produce false positives due to response misinterpretation, and candidates mistakenly choose option C (simulated environment) because they confuse the scanner's internal test logic with an actual isolated environment.

How to eliminate wrong answers

Option A is wrong because HTTP method differences (e.g., GET vs POST) could cause the scanner to test a different endpoint, but the question states the same payload was used; if the scanner used a different method, manual testing with the same method would still match. Option B is wrong because URL encoding differences (e.g., %27 vs ') would be normalized by the browser or server; manual testing typically uses the same encoding as the scanner's output. Option C is wrong because the scanner does not create a simulated environment; it sends real HTTP requests to the live web application, so the vulnerability cannot exist only in a simulated environment.

37
MCQhard

During passive reconnaissance, a penetration tester wants to compile a list of valid employee email addresses for a target company to be used in a future phishing campaign. Which technique is LEAST likely to be detected by the target or its security controls?

A.Using theHarvester to search public sources
B.Sending probe emails to validate addresses
C.Scraping LinkedIn profiles for email patterns
D.Mining GitHub repositories for company email patterns
AnswerD

Searching public GitHub repositories for email addresses is a purely passive activity with no direct interaction with the target, making it the least likely to be detected.

Why this answer

Option D is correct because mining GitHub repositories for email patterns is a passive reconnaissance technique that relies on publicly accessible code and commit histories. The target company has no visibility into GitHub's public data, and no direct interaction with the target's systems occurs, making it the least likely to trigger alerts or be detected by security controls such as IDS/IPS, email gateways, or network monitoring.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates mistakenly think scraping LinkedIn is passive, but LinkedIn's anti-scraping measures and the need for automated interaction make it an active technique that can be detected.

How to eliminate wrong answers

Option A is wrong because theHarvester actively queries public sources like search engines and PGP key servers, which can generate logs or rate-limiting alerts that the target might detect if they monitor for reconnaissance activity. Option B is wrong because sending probe emails directly interacts with the target's email infrastructure, triggering SMTP logs, SPF/DKIM checks, and potentially alerting security teams via email security gateways or honeypot accounts. Option C is wrong because scraping LinkedIn profiles requires automated access to LinkedIn's platform, which can be detected by LinkedIn's anti-scraping mechanisms and rate limiting, and the target may monitor for unusual profile viewing patterns.

38
MCQeasy

A tester is using the following Nmap command: nmap -sC -sV -p 1-65535 target_ip. What is the primary purpose of the -sC option?

A.Use default scripts
B.Scan all ports
C.Perform a version scan
D.Do a SYN scan
AnswerA

-sC enables default NSE scripts for service enumeration and vulnerability detection.

Why this answer

The -sC option in Nmap is equivalent to --script=default, which runs a collection of common, non-intrusive enumeration scripts against the target. These scripts perform tasks such as service banner grabbing, HTTP title extraction, and SSL/TLS certificate retrieval, providing valuable reconnaissance data without requiring manual script selection.

Exam trap

The trap here is that candidates confuse -sC with -sV or -sS, because all three options start with 's' and are commonly used together, but each has a distinct function that must be memorized for the exam.

How to eliminate wrong answers

Option B is wrong because scanning all ports is achieved by the -p 1-65535 argument, not by -sC. Option C is wrong because performing a version scan is the purpose of -sV, not -sC. Option D is wrong because a SYN scan is the default scan type when run as root, but it is explicitly invoked with -sS, not -sC.

39
Multi-Selecthard

A penetration tester is performing information gathering using DNS enumeration. Which of the following records can be queried to discover additional subdomains or hostnames? (Choose three.)

Select 3 answers
A.MX
B.NS
C.PTR
D.A
E.CNAME
AnswersA, B, D

MX records disclose mail exchange servers, which can be additional hostnames.

Why this answer

The A record maps a hostname to an IPv4 address. During DNS enumeration, querying A records for known subdomains or performing a brute-force of common hostnames (e.g., admin.example.com, mail.example.com) can reveal additional subdomains and hostnames by returning valid IP addresses. This is a standard technique in reconnaissance to expand the attack surface.

Exam trap

The trap here is that candidates often think PTR records are useful for forward DNS enumeration, but they require a known IP and are used in reverse lookups, not for discovering subdomains from a domain name.

40
MCQmedium

A penetration tester is performing reconnaissance on a target organization. The tester wants to discover the internal IP address scheme used by the company without making any direct connections to the company's network. Which technique is MOST effective for this purpose?

A.DNS zone transfer
B.WHOIS lookup
C.Analyzing job postings for technical requirements
D.Using Shodan to find exposed devices
AnswerC

Job ads often list specific technologies, IP ranges, or infrastructure details inadvertently.

Why this answer

Analyzing job postings for technical requirements is the most effective technique because it allows the tester to infer the internal IP address scheme without making any direct connections to the target network. Job postings often list specific technical skills, such as experience with certain subnet masks (e.g., /24, /16) or network ranges (e.g., 10.x.x.x, 192.168.x.x), which can reveal the internal addressing structure used by the organization. This passive reconnaissance method relies on publicly available information, avoiding any network traffic that could trigger detection.

Exam trap

The trap here is that candidates often assume DNS zone transfer (Option A) is the best passive technique, but they overlook that it requires an active query and is rarely successful due to security controls, while job postings are a truly passive and often overlooked source of internal network information.

How to eliminate wrong answers

Option A is wrong because DNS zone transfer requires a direct connection to the target's DNS server and is typically disabled for security reasons (e.g., via allow-transfer restrictions), making it unreliable and not passive. Option B is wrong because WHOIS lookup provides registration details like domain ownership and contact information, but it does not disclose internal IP address schemes or subnetting practices.

41
MCQmedium

A penetration tester is performing active reconnaissance on a target network. The tester sends TCP SYN packets to a range of ports on a target host. Only a few ports respond with SYN-ACK packets. What does this indicate?

A.The host is protected by a firewall that drops all packets.
B.The ports that responded with SYN-ACK are open.
C.The host is running a stealthy IDS.
D.The network is using IPv6.
AnswerB

A SYN-ACK reply indicates that the port is open and the target is willing to establish a connection.

Why this answer

The TCP three-way handshake begins with a SYN packet; a SYN-ACK response indicates that the target port received the SYN and is willing to establish a connection, meaning the port is open and listening. Only ports that respond with SYN-ACK are confirmed open, while others may be closed or filtered, but the presence of any SYN-ACK replies directly indicates open ports.

Exam trap

The trap here is confusing the absence of a response (filtered) with a firewall dropping all packets, but the presence of any SYN-ACK replies proves that not all packets are dropped, and the correct interpretation is that responding ports are open.

How to eliminate wrong answers

Option A is wrong because a firewall that drops all packets would cause no SYN-ACK responses at all, not just a few; the tester received SYN-ACK replies, so packets are not being universally dropped. Option C is wrong because a stealthy IDS (Intrusion Detection System) monitors traffic and may generate alerts but does not alter TCP handshake responses; the SYN-ACK replies are a network-layer behavior from the target host, not an IDS action.

42
MCQhard

A penetration tester wants to identify the web server software and version used by a target organization without sending any packets to the target's infrastructure. Which of the following techniques is most effective for this purpose?

A.Use Shodan to search for the target's IP address or domain and review the gathered banners.
B.Perform a DNS zone transfer to obtain internal server information.
C.Use netcat to connect to port 80 and read the HTTP banner.
D.Use nmap -sV with a delayed scan to avoid detection.
AnswerA

Shodan's database contains data from previous scans, including HTTP server headers, banners, and other service fingerprints. This is a purely passive technique that leverages publicly available data.

Why this answer

Shodan is a search engine that continuously scans the internet and stores service banners from various ports. By querying the target's IP address or domain, the penetration tester can retrieve previously collected HTTP headers and other service banners without sending any packets to the target, thus achieving passive reconnaissance.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with low-and-slow active scanning, mistakenly believing that techniques like delayed nmap scans or netcat connections are passive when they still generate detectable network traffic.

How to eliminate wrong answers

Option B is wrong because a DNS zone transfer is an active query that sends a request to the target's DNS server, and it typically reveals internal hostnames, not web server software or version banners. Option C is wrong because using netcat to connect to port 80 sends a TCP SYN packet to the target, which is an active technique that generates network traffic and can be detected. Option D is wrong because nmap -sV performs active service version detection by sending probes to open ports, even with a delayed scan, it still transmits packets to the target infrastructure.

43
MCQmedium

A penetration tester runs a vulnerability scanner against a web server and receives a high-confidence alert that the server is vulnerable to Heartbleed (CVE-2014-0160). The tester manually verifies using an OpenSSL command and finds that the server is patched. Which of the following is the most likely cause of this false positive?

A.The scanner's vulnerability signatures are outdated and still flagging the old behavior
B.The scanner's plugin for Heartbleed was misconfigured and sent malformed packets
C.The server returned a generic error message that the scanner misinterpreted as a sign of the vulnerability
D.The scanner's network connection was intermittent, causing incomplete responses that were incorrectly flagged
AnswerA

An outdated signature database can cause the scanner to misinterpret server responses or fail to recognize that a patch has been applied, resulting in a false positive.

Why this answer

Option A is correct because outdated vulnerability signatures are the most common cause of false positives in vulnerability scanning. The scanner's signature database likely still contains the original detection logic for Heartbleed (e.g., checking for a specific TLS heartbeat response length or pattern), which the patched server no longer exhibits. When the tester manually verified with an OpenSSL command (e.g., `openssl s_client -connect target:443 -tlsextdebug`), the patched server correctly handled the heartbeat request, confirming the scanner's alert was based on stale signatures.

Exam trap

The trap here is that candidates may assume a false positive always results from network issues or misconfiguration, rather than recognizing that outdated scanner signatures are the primary cause when a manual test contradicts an automated scan.

How to eliminate wrong answers

Option B is wrong because a misconfigured plugin that sends malformed packets would likely cause a different error or no response at all, not a high-confidence false positive; Heartbleed detection relies on the server echoing back more data than requested, not on malformed packets. Option C is wrong because Heartbleed detection does not rely on generic error messages; it specifically checks for an oversized heartbeat response payload (e.g., a 64KB reply to a 1-byte request). Option D is wrong because intermittent network connections would produce incomplete or dropped responses, which would typically result in a low-confidence or inconclusive scan result, not a high-confidence false positive.

44
MCQeasy

A penetration tester wants to quickly identify which of the top 100 common ports are open on a target system, while minimizing network traffic and scan time. Which Nmap command is most appropriate?

A.nmap -p- target
B.nmap -T5 -F target
C.nmap -sn target
D.nmap -sV target
AnswerB

-F scans top 100 ports; -T5 uses aggressive timing for speed.

Why this answer

Option B is correct because the `-T5` flag sets the fastest timing template (insane), which reduces delays and speeds up the scan, while the `-F` flag (fast mode) limits scanning to only the top 100 most common ports as defined in Nmap's nmap-services file. This combination minimizes network traffic and scan time while quickly identifying open ports among the top 100, aligning with the goal of efficiency.

Exam trap

The trap here is that candidates often confuse `-F` with `-p-` or assume `-T5` alone is sufficient, failing to recognize that `-F` is the specific flag that restricts the scan to the top 100 ports, while `-T5` only accelerates the timing without changing the port list.

How to eliminate wrong answers

Option A is wrong because `-p-` scans all 65535 TCP ports, which generates maximum traffic and takes the longest time, directly contradicting the requirement to minimize network traffic and scan time. Option C is wrong because `-sn` performs a ping sweep (host discovery) using ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests; it does not scan any ports for open/closed status, so it cannot identify open ports. Option D is wrong because `-sV` enables version detection, which probes open ports to determine service versions, but it does not limit the port range to the top 100; without `-F`, it scans the default 1000 ports, and the version probing adds significant traffic and time, making it inefficient for the stated goal.

45
MCQhard

A penetration tester is performing a vulnerability scan on a web server that uses HTTPS. The tester wants to identify the server's SSL/TLS configuration weaknesses without overwhelming the server. Which Nmap command is most appropriate?

A.nmap -sV --script ssl-enum-ciphers -p 443 target
B.nmap -sT -A -T4 -p 443 target
C.nmap -sU -p 443 target
D.nmap -sC -p 443 target
AnswerA

This command runs the ssl-enum-ciphers script to enumerate SSL/TLS ciphers and weaknesses.

Why this answer

Option A is correct because the `ssl-enum-ciphers` NSE script enumerates all supported SSL/TLS ciphers and protocols on the target, providing a detailed assessment of cryptographic weaknesses (e.g., weak ciphers, outdated TLS versions). The `-sV` flag enables version detection, and `-p 443` targets the HTTPS port, while the script itself is designed to be lightweight and not overwhelm the server, making it ideal for a non-intrusive vulnerability scan.

Exam trap

The trap here is that candidates often choose `-sC` (default scripts) thinking it covers SSL checks, but it does not run the dedicated cipher enumeration script, which is the only option that specifically and safely identifies SSL/TLS weaknesses without aggressive scanning.

How to eliminate wrong answers

Option B is wrong because `-A` enables aggressive scanning (OS detection, version detection, script scanning, traceroute) and `-T4` sets a faster timing template, which can overwhelm the server and is not focused solely on SSL/TLS configuration weaknesses. Option C is wrong because `-sU` performs a UDP scan, but HTTPS (port 443) uses TCP, so this command would not properly assess the SSL/TLS configuration. Option D is wrong because `-sC` runs default NSE scripts, which may include some SSL-related checks but does not specifically enumerate ciphers and protocols in a targeted, non-overwhelming manner like `ssl-enum-ciphers` does.

46
Drag & Dropmedium

Drag and drop the steps to exploit a SQL injection vulnerability using sqlmap into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

SQL injection exploitation requires first confirming vulnerability, then using sqlmap to enumerate and extract data.

47
MCQeasy

A penetration tester is conducting passive reconnaissance on a target organization. Which technique can be used to discover subdomains of the target's domain without sending any packets to the target's network?

A.Performing a DNS brute-force attack against the target's domain
B.Using the 'site:' operator in a search engine query
C.Sending ICMP echo requests to potential subdomain IP addresses
D.Querying WHOIS databases for domain registration information
AnswerB

Search engines index subdomains; querying 'site:example.com' reveals them passively.

Why this answer

Option B is correct because using the 'site:' operator in a search engine query (e.g., 'site:example.com') retrieves indexed subdomains from the search engine's cache without sending any packets to the target's network. This is a purely passive technique that leverages publicly available data, aligning with the definition of passive reconnaissance.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with techniques that appear passive but still send packets (like DNS brute-force or ICMP echo requests), or they incorrectly assume WHOIS queries can enumerate subdomains when WHOIS only provides registration metadata.

How to eliminate wrong answers

Option A is wrong because a DNS brute-force attack sends DNS queries to the target's authoritative name servers, which are packets that reach the target's network infrastructure, making it an active technique. Option C is wrong because sending ICMP echo requests (ping) to potential subdomain IP addresses directly transmits packets to the target's network, which is active reconnaissance and violates the 'no packets' constraint. Option D is wrong because querying WHOIS databases retrieves registration information (e.g., registrar, contacts) but does not discover subdomains; WHOIS records typically contain domain ownership details, not subdomain listings.

48
MCQmedium

Refer to the exhibit. A penetration tester performed an Nmap scan of a target server and received the above output. The tester recalls that one of these services is associated with a well-known remote code execution vulnerability that can be exploited without authentication. Which service is most likely vulnerable?

A.HTTP (port 80)
B.SSH (port 22)
C.Microsoft-DS (port 445)
D.ms-wbt-server (port 3389)
AnswerC

SMB has a history of critical remote code execution flaws like EternalBlue that do not require authentication.

Why this answer

Port 445/tcp is Microsoft-DS (SMB). The SMB protocol has known remote code execution vulnerabilities such as EternalBlue (MS17-010) that can be exploited without authentication. SSH (option A) and HTTP (option B) typically require credentials or application-level vulnerabilities.

RDP (option D) has had vulnerabilities, but the most notorious unauthenticated RCE on SMB is EternalBlue.

49
MCQeasy

A penetration tester wants to identify the operating system of a remote host without sending any traffic to the target network. Which of the following techniques is most effective for this purpose?

A.Perform an nmap OS fingerprint scan on the host.
B.Use Shodan to search for the host's IP address and examine the service banners.
C.Send a ping sweep to the host's network segment.
D.Use ARP scanning to discover the host's MAC address and look up the vendor.
AnswerB

Shodan provides information gathered from previous scans, allowing for passive OS identification.

Why this answer

Option B is correct because Shodan is a search engine that indexes service banners and metadata from internet-connected devices. By querying Shodan for the target's IP address, the tester can retrieve previously collected OS information without sending any packets to the target, satisfying the 'no traffic' constraint.

Exam trap

The trap here is that candidates assume passive OS identification requires active scanning tools like nmap, overlooking that Shodan provides a passive, historical data source that avoids generating any traffic to the target.

How to eliminate wrong answers

Option A is wrong because nmap OS fingerprint scan actively sends TCP/IP probes (e.g., SYN, FIN, NULL packets) to the target host, generating network traffic. Option C is wrong because a ping sweep sends ICMP Echo Request packets to multiple hosts, which directly generates traffic on the target network. Option D is wrong because ARP scanning sends ARP request broadcasts to the local network segment, which creates traffic and only works for hosts on the same Layer 2 domain, not a remote host.

50
MCQmedium

During a vulnerability scan, a penetration tester notices that the scanner is repeatedly attempting to exploit a service, causing the service to crash and generating misleading findings. Which of the following scan configurations would BEST help the tester avoid this issue while still identifying potential vulnerabilities?

A.Enable SYN scan instead of full TCP connect scan
B.Adjust the scan timing template to a slower rate
C.Activate the 'safe checks' option in the scanner
D.Increase the port range to include high ports
AnswerC

Correct. Safe checks perform non-intrusive testing, minimizing disruption and reducing false positives from exploitation attempts.

Why this answer

Option C is correct because the 'safe checks' option in vulnerability scanners (such as Nessus or OpenVAS) disables intrusive plug-ins that attempt to exploit services aggressively, which can cause service crashes. This configuration allows the scanner to identify potential vulnerabilities without disrupting the target service, avoiding misleading findings from crashed services.

Exam trap

The trap here is that candidates confuse scan rate adjustments (timing templates) or stealth techniques (SYN scan) with the ability to prevent service disruption, when in fact only disabling intrusive checks directly addresses the crashing issue.

How to eliminate wrong answers

Option A is wrong because enabling SYN scan (a half-open scan) only changes the TCP handshake method to reduce network noise and avoid connection logging, but it does not prevent the scanner from sending exploit payloads that crash services. Option B is wrong because adjusting the scan timing template to a slower rate reduces packet transmission speed to avoid network congestion or IDS alerts, but it does not disable the intrusive exploit attempts that cause service crashes. Option D is wrong because increasing the port range to include high ports expands the scope of the scan to discover more services, but it does not mitigate the aggressive exploitation behavior that crashes services.

51
MCQmedium

A penetration tester is conducting passive reconnaissance on a target organization using Google dorking. The tester wants to find PDF documents that may contain usernames and passwords. Which Google search query is most appropriate for this task?

A.site:target.com filetype:pdf password
B.site:target.com username password
C.site:target.com filetype:xls password
D.site:target.com intitle:'index of' password
AnswerA

This query restricts results to the target domain, only PDF files, and pages containing the word 'password'. It is the most direct way to find potential credential disclosures in PDF format.

Why this answer

Option A is correct because it uses the `filetype:pdf` operator to specifically target PDF documents, combined with the keyword `password` to find files likely containing credentials. Google dorking with `site:target.com` restricts results to the target domain, making this query efficient for passive reconnaissance of exposed sensitive information in PDFs.

Exam trap

CompTIA often tests the distinction between operators that filter by file type (`filetype:`) versus those that search for directory structures (`intitle:'index of'`), causing candidates to confuse passive reconnaissance techniques for document discovery with those for directory enumeration.

How to eliminate wrong answers

Option B is wrong because it lacks the `filetype:` operator, so it returns general web pages containing the words 'username' and 'password' rather than specific document files. Option C is wrong because it targets `filetype:xls` (Excel files), not PDF documents as specified in the question. Option D is wrong because `intitle:'index of'` is used to find directory listings, not PDF documents, and it does not include `filetype:pdf` to filter for PDFs.

52
MCQmedium

A penetration tester is using theHarvester tool to gather information about a target domain. The tester wants to collect email addresses and subdomains from public search engines and PGP key servers. Which source is theHarvester commonly configured to use for this passive reconnaissance?

A.Direct DNS zone transfer
B.Shodan
C.Baidu
D.Google and Bing search engines
AnswerD

theHarvester typically uses public search engines like Google and Bing, as well as PGP key servers, to find email addresses and subdomains in a passive manner.

Why this answer

Option D is correct because theHarvester is specifically designed to perform passive reconnaissance by querying public search engines (like Google and Bing) and PGP key servers to collect email addresses, subdomains, and other open-source intelligence (OSINT). It does not initiate direct connections to the target's infrastructure, making it a passive tool. The default configuration often includes Google and Bing as primary sources for this data.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with active techniques like DNS zone transfers (Option A) or assume Shodan (Option B) is a default source for theHarvester, when in fact theHarvester's core functionality relies on traditional search engines and PGP key servers for email and subdomain discovery.

How to eliminate wrong answers

Option A is wrong because a direct DNS zone transfer is an active reconnaissance technique that requires a misconfigured DNS server to allow AXFR requests, whereas theHarvester performs passive reconnaissance without interacting with the target's DNS servers. Option B is wrong because Shodan is a search engine for internet-connected devices and services, but theHarvester does not natively integrate Shodan as a source for email and subdomain collection; it focuses on search engines and PGP key servers. Option C is wrong because while Baidu is a search engine, theHarvester's common configurations prioritize Google and Bing due to their broader coverage and API accessibility for passive OSINT gathering.

53
MCQeasy

A penetration tester is tasked with performing passive reconnaissance against a client without triggering any alerts. Which of the following techniques would be MOST appropriate?

A.Nmap SYN scan
B.Shodan search
C.Brute-force login
D.Netcat banner grab
AnswerB

Shodan performs passive reconnaissance by querying its database of internet-facing devices.

Why this answer

Shodan is a search engine that indexes banners from internet-facing devices, allowing a penetration tester to gather information about a client's exposed services (e.g., open ports, software versions) without sending any packets to the target. This makes it a purely passive technique that will not trigger any alerts on the client's network or intrusion detection systems.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with low-and-slow active techniques, assuming that a single SYN scan or banner grab is 'quiet enough' to avoid detection, but any packet sent to the target is active and can be logged.

How to eliminate wrong answers

Option A is wrong because an Nmap SYN scan sends crafted TCP SYN packets to the target, which is an active reconnaissance technique that can be detected by firewalls and IDS/IPS. Option C is wrong because brute-force login attempts actively send authentication requests to a service, generating logs and potentially triggering account lockout or alerting mechanisms. Option D is wrong because a Netcat banner grab requires establishing a TCP connection to the target service, which is an active interaction that can be logged and detected.

54
MCQmedium

A penetration tester is performing internal reconnaissance. The tester discovers that the internal DNS server allows recursive queries from the tester's machine. Which technique can the tester use to enumerate internal hosts and network ranges?

A.Perform DNS cache snooping
B.Attempt a DNS zone transfer (AXFR)
C.Query for all SRV records
D.Perform a reverse DNS sweep of the entire subnet
AnswerB

A successful zone transfer gives a complete list of all hosts and subdomains within the zone.

Why this answer

B is correct because a DNS zone transfer (AXFR) allows a client to request a complete copy of the DNS zone from a DNS server. If the server is misconfigured to allow recursive queries and does not restrict AXFR requests, the tester can enumerate all internal hostnames and IP addresses, effectively mapping the internal network ranges.

Exam trap

The trap here is that candidates confuse the ability to perform recursive queries (which allows resolution of external names) with the ability to perform a zone transfer (which requires explicit AXFR permission), leading them to incorrectly choose DNS cache snooping or SRV record queries instead.

How to eliminate wrong answers

Option A is wrong because DNS cache snooping reveals cached queries (e.g., recently resolved domains) but does not enumerate internal hosts or network ranges; it only shows what has been queried. Option C is wrong because querying for all SRV records only returns service-specific records (e.g., _ldap._tcp.domain.com) and does not provide a full list of hosts or network ranges; it is not a comprehensive enumeration technique.

55
MCQeasy

Refer to the exhibit. A penetration tester has performed a basic Nmap scan and found an open MySQL service. Which of the following should the tester do NEXT to further investigate the MySQL service?

A.Perform a UDP scan on port 3306
B.Connect to the MySQL service using default credentials
C.Run a version detection scan using -sV on port 3306
D.Scan for other hosts with port 3306 open
AnswerC

Version detection reveals the MySQL version, aiding vulnerability assessment.

Why this answer

Option C is correct because the next logical step after discovering an open MySQL service (port 3306) is to perform version detection using `-sV` in Nmap. This identifies the exact MySQL version, which is critical for determining known vulnerabilities (CVEs) and appropriate exploitation techniques. Without version information, the tester cannot assess whether the service is outdated or misconfigured.

Exam trap

The trap here is that candidates may think default credential testing (Option B) is the immediate next step, but the PT0-002 exam emphasizes systematic information gathering—version detection must precede exploitation attempts to avoid unnecessary noise or failed attacks.

How to eliminate wrong answers

Option A is wrong because MySQL runs over TCP, not UDP; port 3306 is a TCP port, and a UDP scan would be irrelevant and waste time. Option B is wrong because attempting default credentials without first identifying the MySQL version or understanding the authentication mechanism is premature and could alert the target or lock out accounts. Option D is wrong because scanning for other hosts with port 3306 open is a broad reconnaissance step that should occur after understanding the current target's service details, not before.

56
MCQeasy

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify all publicly accessible cloud storage buckets that might belong to the target without directly interacting with the target's infrastructure. Which of the following techniques would be most effective for this purpose?

A.Perform DNS enumeration using tools like `dnsrecon` to discover subdomains pointing to cloud storage services
B.Search for exposed cloud storage buckets using search engine dorks (e.g., 'site:s3.amazonaws.com target-company')
C.Query certificate transparency logs to find SSL certificates issued to the target's cloud storage endpoints
D.Perform a WHOIS lookup to find IP ranges owned by the target and then scan those ranges for open storage services
AnswerB

Search engine dorks are a passive technique that relies on cached indexes of cloud storage buckets that are misconfigured and publicly accessible, without sending any traffic to the target.

Why this answer

Option B is correct because search engine dorks allow a penetration tester to query publicly indexed content on cloud storage platforms like AWS S3 without sending any traffic to the target's infrastructure. By using a dork such as 'site:s3.amazonaws.com target-company', the tester leverages the search engine's pre-cached index to identify buckets that may be misconfigured or publicly accessible, which aligns perfectly with passive reconnaissance requirements.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with techniques that appear passive but actually generate direct network queries (like DNS enumeration), or they may overlook that certificate transparency logs reveal domains, not storage buckets, leading them to choose a technically passive but functionally irrelevant option.

How to eliminate wrong answers

Option A is wrong because DNS enumeration with tools like `dnsrecon` involves actively querying DNS servers, which generates network traffic to the target's authoritative name servers or resolvers, making it an active reconnaissance technique rather than passive. Option C is wrong because querying certificate transparency logs (e.g., via crt.sh) is a passive technique, but it reveals SSL certificates and domain names, not cloud storage buckets; it does not directly identify publicly accessible storage endpoints like S3 buckets.

57
MCQeasy

A penetration tester is performing passive reconnaissance to discover email addresses associated with a target domain. The tester wants to avoid sending any packets directly to the target's infrastructure. Which tool is most appropriate for this task?

A.Using the whois command to query domain registration details
B.Using Shodan to identify email servers and associated addresses
C.Using Google dorking with advanced search queries to find email addresses in indexed pages
D.Using theHarvester to search public sources like search engines, PGP key servers, and social media
AnswerD

TheHarvester is a passive reconnaissance tool that aggregates email addresses, subdomains, and other information from multiple public sources without sending traffic to the target, making it ideal for this scenario.

Why this answer

TheHarvester is designed specifically for passive reconnaissance, gathering email addresses, subdomains, and other data from public sources such as search engines, PGP key servers, and social media without sending any packets directly to the target's infrastructure. This aligns perfectly with the requirement to avoid direct interaction with the target domain.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates may confuse 'passive' with 'using public sources' and incorrectly choose Google dorking (Option C) because it seems passive, but theHarvester is the dedicated tool that systematically aggregates email addresses from multiple public sources, making it the most appropriate for this specific task.

How to eliminate wrong answers

Option A is wrong because the whois command queries domain registration details from WHOIS servers, which are not part of the target's infrastructure but still involve sending DNS queries that could be logged or traced, and it does not directly discover email addresses associated with the domain. Option B is wrong because Shodan actively scans the internet for exposed devices and services, including email servers, which involves sending packets to the target's infrastructure and is not passive reconnaissance. Option C is wrong because Google dorking uses search engines to find indexed pages, which is passive, but it is less efficient and targeted for discovering email addresses compared to theHarvester, which automates the process across multiple public sources.

58
Multi-Selectmedium

A penetration tester is performing passive reconnaissance against a target domain. Which of the following resources can be used to gather information about the target without directly sending packets to the target's network? (Select two.) (Choose 2.)

Select 2 answers
A.Shodan
B.Nmap
C.WHOIS database
D.hping3
AnswersA, C

Shodan aggregates data from active scans and makes it available for passive research.

Why this answer

Shodan is a search engine that scans the internet for devices and services, indexing banners and metadata from publicly exposed systems. Since it queries its own pre-collected database rather than sending packets to the target's network, it qualifies as passive reconnaissance. This allows a penetration tester to discover open ports, services, and even specific vulnerabilities associated with the target domain without direct interaction.

Exam trap

The trap here is that candidates often confuse 'passive' with 'stealthy' and incorrectly choose Nmap with options like -sS (stealth SYN scan), but any direct packet transmission to the target's network, regardless of stealth, constitutes active reconnaissance.

59
MCQmedium

A penetration tester is performing a vulnerability scan on a target network. The tester uses Nmap with the default NSE scripts against a web server. The scan report shows several 'http-vuln-cve2017-5638' findings. What does this indicate?

A.The target is vulnerable to Apache Struts2 remote code execution
B.The target is vulnerable to the Heartbleed bug in OpenSSL
C.The target is vulnerable to the Shellshock Bash vulnerability
D.The target has a SQL injection vulnerability
AnswerA

The script specifically tests for the Struts2 vulnerability that allows unauthenticated remote code execution via Content-Type headers.

Why this answer

The Nmap script 'http-vuln-cve2017-5638' specifically targets the Apache Struts2 remote code execution vulnerability (CVE-2017-5638). This vulnerability exists in the Jakarta Multipart parser used by Apache Struts2, allowing an attacker to execute arbitrary commands via crafted Content-Type headers. The presence of this finding in the scan report indicates the web server is running a vulnerable version of Apache Struts2.

Exam trap

The trap here is that candidates may confuse the CVE number or the technology name, assuming any 'http-vuln-cve' script refers to a generic web vulnerability, when in fact each script is tied to a specific software and CVE, such as Apache Struts2 for CVE-2017-5638.

How to eliminate wrong answers

Option B is wrong because the Heartbleed bug (CVE-2014-0160) is a vulnerability in OpenSSL, not Apache Struts2, and is detected by Nmap scripts like 'ssl-heartbleed', not 'http-vuln-cve2017-5638'. Option C is wrong because the Shellshock Bash vulnerability (CVE-2014-6271) affects the Bash shell and is typically exploited via CGI scripts, not through Apache Struts2's Jakarta Multipart parser, and is detected by scripts such as 'http-shellshock'.

60
MCQmedium

Refer to the exhibit. A penetration tester is reviewing a web server error log. Based on the log, what vulnerability does the tester suspect?

A.Cross-site scripting
B.SQL injection
C.Remote code execution
D.Hardcoded credentials
AnswerD

The log reveals a database connection attempt with a username and password, suggesting credentials are hardcoded in the source code.

Why this answer

Option D is correct because the warning shows that a password is being used for database connection, and the message indicates hardcoded credentials (user 'test' with a password) are present in the code. Option A (XSS) is not evident. Option B (SQL injection) is not shown.

Option C (remote code execution) is not indicated.

61
MCQmedium

During a penetration test, the tester finds that a web application is vulnerable to server-side template injection (SSTI). Which of the following payloads would be most effective to test for SSTI in an Express-based Node.js application using Handlebars?

A.{{7*7}}
B.{{7*'7'}}
C.<%= 7*7 %>
D.${7*7}
AnswerA

If SSTI is present, this will output 49.

Why this answer

In Handlebars, the expression {{7*7}} evaluates the multiplication directly, returning 49. This confirms SSTI because the server processes the template expression before rendering. Other payloads like {{7*'7'}} may cause type coercion errors or not execute in the same way, making {{7*7}} the most reliable test.

Exam trap

CompTIA often tests the distinction between server-side template syntax (Handlebars) and client-side or other framework syntaxes, so candidates mistakenly choose ERB or template literal payloads that are not processed by the server.

How to eliminate wrong answers

Option B ({{7*'7'}}) is wrong because in Handlebars, multiplying a number by a string may cause a type error or unexpected behavior, not a clean numeric result, making it less reliable for SSTI detection. Option C (<%= 7*7 %>) is wrong because this is an ERB-style tag used in Ruby or other frameworks, not in Handlebars or Express/Node.js. Option D (${7*7}) is wrong because this is JavaScript template literal syntax, which is client-side and not processed by the server-side Handlebars engine.

62
MCQmedium

A penetration tester wants to passively gather information about a target's technology stack, including web server software and frameworks. Which resource is best suited for this task without sending any packets to the target?

A.Shodan
B.Nmap with -sT scan
C.BuiltWith
D.Wappalyzer browser extension
AnswerC

BuiltWith uses historical and public data to identify technologies used by a website, making it a passive information source.

Why this answer

BuiltWith is a web-based reconnaissance tool that analyzes a target website's technology stack by examining publicly available data, such as HTTP headers, HTML source code, and JavaScript files, without sending any packets from the tester's machine. It passively gathers information about web server software, frameworks, analytics tools, and more, making it ideal for passive information gathering.

Exam trap

The trap here is that candidates may confuse passive reconnaissance with tools that appear passive from their own machine but rely on active scanning by a third-party service, like Shodan, or they may incorrectly think Nmap can be used passively when it inherently requires packet transmission.

How to eliminate wrong answers

Option A is wrong because Shodan is a search engine for internet-connected devices that actively probes and indexes banners from services, but it relies on its own active scanning infrastructure, not passive gathering from the tester's perspective; the tester does not send packets, but Shodan itself does. Option B is wrong because Nmap with -sT scan performs a TCP connect scan, which sends SYN and ACK packets to the target, making it an active scanning technique that violates the requirement of not sending any packets.

63
MCQeasy

A penetration tester wants to perform DNS brute-force enumeration to discover subdomains of a target domain. Which tool is specifically designed for this purpose?

A.nmap
B.dnsrecon
C.Wireshark
D.Hydra
AnswerB

Dnsrecon is a DNS enumeration tool that includes brute-force functionality to discover subdomains. It is specifically designed for this task.

Why this answer

B is correct because dnsrecon is a specialized DNS enumeration tool that includes a brute-force mode for discovering subdomains. It uses a wordlist to query DNS servers for common subdomain names, leveraging the DNS protocol's inherent structure to map out a target's domain hierarchy without relying on zone transfers.

Exam trap

The trap here is that candidates often confuse nmap's general DNS script (e.g., dns-brute.nse) with a dedicated tool, but the question specifically asks for a tool 'designed for this purpose,' and dnsrecon is purpose-built for DNS enumeration, whereas nmap's script is an add-on.

How to eliminate wrong answers

Option A is wrong because nmap is a network scanning tool focused on port discovery and service fingerprinting, not DNS-specific brute-force enumeration; while it can perform DNS queries via scripts, it lacks the dedicated subdomain brute-force functionality of dnsrecon. Option C is wrong because Wireshark is a packet analyzer used for capturing and inspecting network traffic, not for actively generating DNS queries to enumerate subdomains.

64
Multi-Selectmedium

A penetration tester is analyzing the results of a vulnerability scan. Which of the following findings indicate that a vulnerability is likely exploitable? (Choose two.)

Select 2 answers
A.The vulnerability is classified as 'critical' by the scanner
B.CVSS base score of 4.0
C.The vulnerability has been patched by the vendor
D.Public exploit code is available online
E.Multiple hosts share the same vulnerability
AnswersA, D

Critical severity often indicates that exploitation is likely and impact is high.

Why this answer

Option A is correct because a 'critical' classification by the scanner typically indicates a high-severity vulnerability with a CVSS base score of 9.0 or higher, which often corresponds to remotely exploitable flaws that can lead to complete compromise. Scanners like Nessus or OpenVAS assign critical severity based on factors such as attack vector, complexity, and impact, making such vulnerabilities highly likely to be exploitable in practice.

Exam trap

CompTIA often tests the distinction between vulnerability severity and exploitability, where candidates mistakenly assume a medium CVSS score (e.g., 4.0) or widespread presence (multiple hosts) implies the vulnerability is easily exploitable, ignoring that exploitability requires a working exploit or low attack complexity.

65
Matchingmedium

Match each penetration testing tool to its primary function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Network scanning and port enumeration

Exploit development and execution

Web application security testing

Password cracking

Network packet analysis

Why these pairings

These tools are commonly used in penetration testing for specific tasks.

66
MCQmedium

A penetration tester has been given access to a network tap on a client's internal network. The tester wants to perform initial reconnaissance by identifying all live hosts and their operating systems without sending any packets that could be detected. Which technique is most appropriate?

A.Perform an ARP scan using arp-scan from a connected workstation.
B.Run Wireshark to capture traffic and analyze source IP addresses and TCP/IP stack signatures.
C.Use Nmap with the -sn flag to perform a ping sweep of the subnet.
D.Initiate a DNS zone transfer request to the internal DNS servers.
AnswerB

Wireshark (or similar tools) passively captures network traffic. Source IPs reveal active hosts, and analysis of TCP/IP parameters (e.g., TTL, window size) allows OS fingerprinting without sending any packets.

Why this answer

Option B is correct because capturing traffic with Wireshark from a network tap is entirely passive—it never injects packets into the network. By analyzing source IP addresses and TCP/IP stack signatures (e.g., TTL values, window sizes, and IP ID patterns), the tester can identify live hosts and infer their operating systems without sending any detectable traffic. This aligns perfectly with the requirement to avoid sending any packets.

Exam trap

The trap here is that candidates often assume passive techniques like packet capture cannot identify operating systems, or they mistakenly think that ARP scans and ping sweeps are 'quiet' because they use low-level protocols, forgetting that any packet injection is detectable.

How to eliminate wrong answers

Option A is wrong because an ARP scan using arp-send sends ARP request packets onto the network, which can be detected by network monitoring tools or intrusion detection systems, violating the 'no packets sent' constraint. Option C is wrong because Nmap with the -sn flag performs a ping sweep that sends ICMP echo requests, TCP SYN packets to port 443, or ARP probes (depending on privileges), all of which generate detectable network traffic.

67
Matchingmedium

Match each wireless attack to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Rogue AP mimicking a legitimate one

Forcing clients to disconnect from AP

Brute-forcing the WPS PIN to recover passphrase

Exploiting WPA2 handshake to decrypt traffic

Sending unsolicited messages over Bluetooth

Why these pairings

Wireless attacks are common in penetration testing of wireless networks.

68
Multi-Selecteasy

A penetration tester needs to perform initial reconnaissance on a target domain. Which of the following tools are specifically designed for domain enumeration? (Select TWO).

Select 2 answers
A.Wireshark
B.Metasploit
C.theHarvester
D.Netcat
E.recon-ng
AnswersC, E

theHarvester is designed for domain and email enumeration.

Why this answer

Options A and C are correct. TheHarvester and Recon-ng are purpose-built for domain enumeration. Metasploit is for exploitation; Netcat is a networking utility; Wireshark is for packet analysis.

69
MCQmedium

A penetration tester is conducting a vulnerability scan of a network segment that contains several legacy servers. The tester uses a commercial vulnerability scanner with default settings. The scan completes and reports a critical vulnerability on a server running an outdated version of Apache with known remote code execution. However, the tester suspects this might be a false positive because the server is behind an application-layer firewall that blocks the specific exploit. Which of the following steps should the tester take to confirm the vulnerability?

A.Rerun the scan with increased intensity to ensure the vulnerability is real
B.Ignore the finding because the vulnerability is protected by the firewall
C.Manually test the vulnerability by sending a crafted exploit payload to the server
D.Check the firewall logs to see if the scanner's traffic was blocked
AnswerC

Manual testing directly confirms whether the vulnerability is exploitable.

Why this answer

Option B is correct because manual testing is the definitive way to confirm a vulnerability. The firewall might not block all exploit attempts, or the vulnerability could be exploitable via a different vector. Option A (rerun with increased intensity) may not change the result.

Option C (check firewall logs) provides insight but does not confirm the vulnerability. Option D (ignore) is incorrect because the firewall may not be a permanent protection.

70
MCQmedium

A tester is performing a vulnerability scan against a critical production server. The client requests minimal impact on system performance. Which scan type should the tester use?

A.TCP connect scan
B.Vulnerability scan with low-thread count
C.Aggressive Nmap scan
D.Stealth SYN scan
AnswerB

Low thread count minimizes system impact while still performing the scan.

Why this answer

Option B is correct because a vulnerability scan with a low-thread count reduces the number of concurrent connections and packets sent to the target, minimizing CPU, memory, and network overhead on the production server. This directly addresses the client's requirement for minimal performance impact while still performing a legitimate security assessment. Unlike aggressive or stealth scans, this approach throttles the scan intensity to avoid service disruption.

Exam trap

The trap here is that candidates often assume 'stealth' (SYN scan) is always the safest choice for production systems, but the question specifically asks for minimal performance impact, which is controlled by scan intensity (thread count) rather than scan type alone.

How to eliminate wrong answers

Option A is wrong because a TCP connect scan completes the full three-way handshake for every port, generating a high volume of packets and stateful connections that can degrade server performance, especially on a critical production system. Option C is wrong because an aggressive Nmap scan (e.g., using -T4 or -T5 timing templates, service version detection, and OS fingerprinting) sends a high rate of probes and performs multiple concurrent tests, which can overwhelm a production server and cause latency or resource exhaustion. Option D is wrong because a stealth SYN scan, while less intrusive than a connect scan, still sends a large number of raw SYN packets in rapid succession (often with default timing), which can still cause performance degradation on a production server if not rate-limited; it does not inherently minimize impact.

71
MCQeasy

A penetration tester wants to identify all publicly accessible Amazon S3 buckets that belong to a specific organization. Which technique is most effective for passive reconnaissance?

A.Use Google dorks to search for bucket names and URLs.
B.Send DNS queries for common bucket name prefixes.
C.Use nmap to scan all AWS IP ranges for open ports.
D.Perform a DNS zone transfer on the target organization's domain.
AnswerA

Google dorking is a passive technique that leverages already indexed data to find S3 buckets without sending any traffic to the target.

Why this answer

Google dorks (e.g., site:s3.amazonaws.com "companyname") allow a penetration tester to passively discover publicly accessible S3 bucket names and URLs indexed by search engines without sending any traffic to the target organization. This technique leverages existing search engine caches, making it purely passive and highly effective for identifying misconfigured buckets that have been crawled.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse DNS queries (which are active) with passive techniques like search engine dorking, or assume that scanning IP ranges is a valid way to discover S3 buckets when in reality S3 buckets are identified by their DNS names, not by port scanning.

How to eliminate wrong answers

Option B is wrong because sending DNS queries for common bucket name prefixes (e.g., companyname-bucket.s3.amazonaws.com) is an active reconnaissance technique that generates DNS traffic and can be logged by the organization's DNS servers or AWS, violating the passive nature required. Option C is wrong because nmap scanning of AWS IP ranges is active reconnaissance that sends packets to AWS infrastructure, potentially triggering alerts, and S3 buckets are accessed via HTTPS on port 443, not by scanning for open ports on arbitrary IPs.

72
MCQmedium

A tester conducts a vulnerability scan and receives a high number of false positives. Which of the following is the BEST way to reduce false positives in subsequent scans?

A.Credentialed scanning
B.Increase scan timeout values
C.Aggressive scanning
D.Use a scan template specifically for the target OS
AnswerD

Using an OS-specific template helps the scanner interpret results more accurately, reducing false positives.

Why this answer

Option D is correct because using a scan template tailored to the target OS improves accuracy. Option A may increase false positives; Option B is aggressive; Option C increases timeouts but does not address false positives.

73
MCQmedium

During a reconnaissance phase, a penetration tester is using a tool to enumerate NetBIOS names on a target internal network. The tester issues the command 'nbtstat -A 192.168.1.100' on a Windows machine. What type of information is the tester most likely trying to obtain?

A.The operating system version and patch level
B.A list of currently open TCP ports on the remote system
C.The MAC address of the remote network interface
D.The NetBIOS name table including computer name, logged-in users, and domain
AnswerD

nbtstat -A retrieves the NetBIOS name table, which contains names associated with the system, useful for identifying roles and users.

Why this answer

The `nbtstat -A` command queries the NetBIOS name table of a remote system using its IP address. This table contains the computer name, logged-in users, and domain/workgroup information, which are critical for identifying targets and potential trust relationships during internal reconnaissance.

Exam trap

The trap here is that candidates confuse `nbtstat -A` with `nbtstat -a` (which uses a NetBIOS name instead of an IP) or assume it returns OS details, when in fact it only returns the NetBIOS name table entries.

How to eliminate wrong answers

Option A is wrong because `nbtstat -A` does not reveal OS version or patch level; that information is typically obtained via tools like `nmap` OS fingerprinting or SMB version queries. Option B is wrong because `nbtstat` operates at the NetBIOS layer (port 137-139) and does not enumerate open TCP ports; port scanning requires tools like `nmap` or `netstat`. Option C is wrong because while NetBIOS can sometimes reveal MAC addresses via the <00> or <03> entries in the name table, the primary purpose of `nbtstat -A` is to retrieve the full NetBIOS name table, not specifically the MAC address; ARP or `getmac` would be more direct for MAC address enumeration.

74
Multi-Selecteasy

A penetration tester is gathering information using passive reconnaissance techniques. Which of the following are considered passive reconnaissance methods? (Choose two.)

Select 2 answers
A.Using nmap to scan for open ports
B.Performing a DNS brute force attack
C.Conducting a vulnerability scan with Nessus
D.Reviewing the target's social media profiles
E.Analyzing job postings for technology stack clues
AnswersD, E

Social media review does not involve direct interaction with target systems.

Why this answer

Options B and D are correct because they involve reviewing publicly available information without directly interacting with the target's systems. Option A (nmap) is active scanning. Option C (DNS brute force) sends queries.

Option E (vulnerability scan) is active.

75
MCQmedium

A penetration tester is tasked with identifying live hosts on a large subnet without generating excessive traffic. Which of the following techniques is most appropriate for efficient host discovery?

A.ARP scan
B.TCP SYN scan on port 80 and 443
C.DNS zone transfer
D.ICMP echo sweep
AnswerB

These ports are commonly open on servers; SYN scan is lightweight and effective.

Why this answer

A TCP SYN scan on ports 80 and 443 is the most appropriate technique because it targets common web service ports, which are often open on live hosts, and generates minimal traffic compared to a full port scan. Unlike ICMP or ARP scans, a TCP SYN scan can bypass firewalls that block ICMP echo requests and is effective across routed subnets where ARP is limited to the local broadcast domain. This approach balances stealth and efficiency for large-scale host discovery.

Exam trap

The trap here is that candidates often choose ICMP echo sweep (Option D) because they associate 'ping' with host discovery, but fail to consider that ICMP is frequently blocked by firewalls, making TCP SYN scans on common ports a more reliable and stealthier alternative in modern networks.

How to eliminate wrong answers

Option A is wrong because an ARP scan only works within the same local subnet (broadcast domain) and cannot discover hosts across routers, making it unsuitable for a large subnet that may span multiple networks. Option C is wrong because a DNS zone transfer is a technique for enumerating DNS records (e.g., hostnames and IPs) from a misconfigured DNS server, not for actively probing live hosts, and it relies on a vulnerable server rather than direct network scanning. Option D is wrong because an ICMP echo sweep (ping sweep) can be blocked by firewalls or rate-limited, and it generates more traffic than a targeted TCP SYN scan on two ports, making it less efficient and more detectable.

Page 1 of 2 · 103 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Information Gathering And Vulnerability Scanning questions.