CCNA Information Gathering And Vulnerability Scanning Questions

28 of 103 questions · Page 2/2 · Information Gathering And Vulnerability Scanning topic · Answers revealed

76 · MCQ · medium

During reconnaissance, a penetration tester discovers a public GitHub repository belonging to the target organization. The repository contains internal project names, server IP addresses, and code comments with database credentials. Which reconnaissance technique does this represent?

A. OSINT (Open-Source Intelligence)
B. DNS enumeration
C. Port scanning
D. Social engineering

Answer: A

OSINT gathers information from public sources like GitHub, which can leak internal details without interacting with the target's systems.

Why this answer

The discovery of a public GitHub repository containing internal project names, server IP addresses, and database credentials is a classic example of OSINT (Open-Source Intelligence). OSINT involves collecting and analyzing publicly available information from sources like code repositories, social media, and websites to gain insights about a target without direct interaction. This technique leverages the fact that sensitive data is often inadvertently exposed in public repositories, making it a passive reconnaissance method.

Exam trap

The trap here is that candidates may confuse OSINT with active reconnaissance techniques like DNS enumeration or port scanning, failing to recognize that passive collection from public sources (like GitHub) is a distinct OSINT method.

How to eliminate wrong answers

Option B (DNS enumeration) is wrong because it specifically involves querying DNS servers to discover hostnames, IP addresses, and DNS records (e.g., A, MX, CNAME) using tools like `dnsrecon` or `nslookup`, not by analyzing code repositories. Option C (Port scanning) is wrong because it actively probes target systems for open TCP/UDP ports and services using tools like `nmap`, which requires network connectivity and is an active reconnaissance technique, not passive information gathering from public sources. Option D (Social engineering) is wrong because it relies on manipulating human behavior through phishing, pretexting, or impersonation to extract information, whereas this scenario involves finding already exposed data in a public repository without any human interaction.

77 · MCQ · easy

A penetration tester wants to perform a network scan that minimizes the chance of detection by an intrusion detection system (IDS). Which Nmap timing template is MOST appropriate?

A. -T0
B. -T3
C. -T5
D. -T2

Answer: A

T0 (paranoid) is the slowest template, designed to avoid detection by rate-based IDS alerts.

Why this answer

The -T0 (Paranoid) timing template is the most appropriate for minimizing detection by an IDS because it introduces extreme delays between packet transmissions (up to 5 minutes between probes) and uses a very slow scan rate. This makes the scan traffic blend into normal network noise, reducing the likelihood of triggering signature-based or anomaly-based IDS alerts that rely on detecting rapid, sequential connection attempts.

Exam trap

The trap here is that candidates often choose -T2 (Polite) thinking it is slow enough to evade detection, but they fail to recognize that -T0 is the only template specifically designed for IDS evasion with delays measured in minutes, not seconds.

How to eliminate wrong answers

Option B (-T3) is wrong because it is the default Nmap timing template, which balances speed and reliability but sends packets at a rate that is easily detectable by most IDS/IPS systems. Option C (-T5) is wrong because it is the Insane template, which uses the fastest timing (minimum delays, aggressive parallelism) and is almost guaranteed to trigger IDS alerts due to its high packet rate and obvious scan patterns. Option D (-T2) is wrong because it is the Polite template, which slows down scans to avoid overwhelming networks but still sends packets at intervals (typically 0.4 seconds) that are too aggressive for stealthy scanning and can be detected by modern IDS solutions.

78 · MCQ · hard

A tester needs to identify all open ports on a target system behind a firewall that is blocking ICMP and dropping unsolicited SYN packets. Which of the following scanning techniques is most likely to succeed?

A. Ping sweep
B. TCP connect scan
C. FIN scan
D. UDP scan

Answer: B

Completes the three-way handshake, appearing as normal traffic.

Why this answer

A TCP connect scan (option B) completes the full three-way handshake, which is more likely to succeed against a firewall that drops unsolicited SYN packets because the firewall may allow outbound connections initiated from inside the network. Since the tester is behind the firewall, the SYN packet is sent as part of a legitimate connection attempt, and if the port is open, the target responds with SYN-ACK, completing the handshake. This technique bypasses the firewall's rule against unsolicited SYN packets because the connection appears to be initiated from the trusted side.

Exam trap

The trap here is that candidates assume a FIN scan (option C) is stealthier and will bypass firewalls, but they overlook that the firewall is dropping unsolicited packets regardless of flag combinations, making the TCP connect scan the only viable option when the tester is behind the firewall.

How to eliminate wrong answers

Option A is wrong because a ping sweep uses ICMP Echo Requests, which are explicitly blocked by the firewall, so it will not identify open ports. Option C is wrong because a FIN scan sends a packet with only the FIN flag set, which is an unsolicited packet that the firewall will drop, and it relies on RFC 793 behavior that many modern systems and firewalls do not follow. Option D is wrong because a UDP scan sends UDP packets to target ports, and the firewall dropping unsolicited SYN packets does not directly affect UDP, but the firewall may also block or rate-limit UDP traffic, and UDP scanning is inherently unreliable due to lack of consistent responses.

79 · MCQ · hard

During a vulnerability scan of a web application, the penetration tester notices that the scanner reports a critical SQL injection vulnerability in the login parameter. However, manual testing confirms that the input is properly sanitized and the vulnerability is a false positive. Which of the following actions should the tester take to ensure accurate vulnerability identification and avoid wasting time on false positives in future scans?

A. Increase the scan intensity to ensure the vulnerability is accurately detected
B. Correlate the scanner output with manual verification and document the discrepancy
C. Modify the scanner's configuration to exclude false positive patterns
D. Ignore the finding and proceed with manual testing only

Answer: B

This ensures accurate reporting and improves future scan tuning.

Why this answer

Option B is correct because the penetration tester should correlate automated scanner output with manual verification to confirm findings, then document the discrepancy for future reference. This ensures accurate vulnerability identification by leveraging human analysis to filter false positives, which is a standard practice in PT0-002 methodology for information gathering and vulnerability scanning.

Exam trap

The trap here is that candidates may think modifying scanner configuration (Option C) is the immediate fix, but PT0-002 emphasizes documenting and correlating findings before making changes to avoid masking real vulnerabilities.

How to eliminate wrong answers

Option A is wrong because increasing scan intensity does not address false positives; it may generate more noise by sending additional payloads without improving detection accuracy, potentially overwhelming the target and wasting resources. Option C is wrong because modifying the scanner's configuration to exclude false positive patterns is premature without first documenting the discrepancy; doing so could inadvertently suppress real vulnerabilities that share similar patterns. Option D is wrong because ignoring the finding and proceeding with manual testing only disregards the value of automated scanning for efficiency and coverage, and fails to improve future scan accuracy through documentation.

80 · Multi-Select · hard

During a vulnerability scan of a Linux server, the tester notices that the NMAP scan reports port 22 as filtered. Which of the following could be causing this result? (Select TWO).

Select 2 answers

A. Firewall blocking the port
B. ICMP echo requests being blocked
C. SSH service not running
D. Host is down
E. Network congestion

Answers: A, B

A firewall can return a filtered state if it drops packets without rejection.

Why this answer

Options A and B are correct. A firewall blocking the port and ICMP echo requests being blocked both contribute to Nmap reporting the port as filtered. Option C (SSH service not running) would show the port as closed; Option D (host is down) would be reported as host down rather than as a filtered port; Option E (network congestion) is unlikely to be the cause.

81 · MCQ · hard

A penetration tester is performing internal reconnaissance on a Windows Active Directory environment. The tester has a low-privileged domain user account. Which of the following techniques is most likely to help identify all domain controllers and their IP addresses without generating excessive network traffic or alerts?

A. Perform a full subnet ping sweep using Nmap
B. Query the DNS service for SRV records of _ldap._tcp.dc._msdcs.domain.local
C. Use NetBIOS name resolution by sending broadcasts
D. Enumerate SMB shares on all IP addresses in the subnet

Answer: B

This DNS query directly retrieves the list of domain controllers. It is a normal DNS operation and unlikely to raise alerts.

Why this answer

Option B is correct because querying DNS for SRV records of _ldap._tcp.dc._msdcs.domain.local is a standard, low-noise method to discover all domain controllers in an Active Directory environment. This query leverages the automatic registration of LDAP service records by domain controllers, requiring only a single DNS lookup rather than sweeping the network, thus avoiding excessive traffic and typical security alerts.

Exam trap

The trap here is that candidates often default to active scanning techniques like Nmap ping sweeps (Option A) because they are familiar, overlooking that DNS SRV record queries are a passive, targeted, and far more efficient method for discovering domain controllers in an Active Directory environment.

How to eliminate wrong answers

Option A is wrong because a full subnet ping sweep using Nmap generates significant network traffic and is easily detected by intrusion detection systems (IDS) or endpoint protection, which is contrary to the requirement of avoiding excessive traffic or alerts. Option C is wrong because NetBIOS name resolution via broadcasts is limited to the local subnet, does not reliably discover all domain controllers across multiple subnets, and broadcasts can be noisy and logged. Option D is wrong because enumerating SMB shares on all IP addresses in the subnet is a high-traffic, noisy technique that probes each host individually, likely triggering alerts, and does not directly identify domain controllers.

82 · MCQ · hard

A penetration tester is conducting an external assessment against a client's web application hosted on an AWS EC2 instance behind an Application Load Balancer (ALB). The tester has performed passive reconnaissance and identified the public IP of the ALB, but the web application is only accessible via a specific domain name. During active scanning, the tester runs Nmap against the public IP and only sees port 443 open. The tester then performs a DNS Zone Transfer attempt against the authoritative name servers, which fails. While reviewing the web application, the tester notices that the application sets a cookie with the path '/admin'. The tester suspects there is an internal subnet used for backend services. Which of the following techniques would be MOST effective to discover internal hostnames or IP ranges?

A. Attempt a zone transfer against a different authoritative DNS server.
B. Examine SSL certificate Subject Alternative Names (SANs) in the certificate presented by the ALB.
C. Use the AWS Metadata Service to extract information about the underlying EC2 instance.
D. Perform a ping sweep of the internal RFC 1918 addresses and look for responses.

Answer: B

Internal hostnames are often included in SANs for web servers.

Why this answer

Option B is correct because SSL certificates often include Subject Alternative Names (SANs) that list internal hostnames. Option D is impossible from outside the network; Option C requires internal access to the metadata service; Option A repeats a zone transfer, which has already failed.

83 · MCQ · medium

A penetration tester is using theHarvester tool to gather email addresses and subdomains for a target domain. Which source is theHarvester commonly configured to use for passive reconnaissance?

A. Shodan
B. Google search
C. DNS zone transfer
D. Social media APIs

Answer: B

Google search is a common source for theHarvester to passively collect emails and subdomains.

Why this answer

theHarvester is a passive reconnaissance tool that collects emails, subdomains, and other data from public sources without directly interacting with the target. Google search is a primary source because theHarvester uses Google's search engine via its API or scraping to find indexed pages containing email addresses and subdomains, leveraging Google's dorking capabilities for passive data gathering.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse Shodan (a passive search engine for devices) with theHarvester's passive email/subdomain gathering, or assume DNS zone transfer is passive when it is an active query that requires direct server interaction.

How to eliminate wrong answers

Option A is wrong because Shodan is a search engine for internet-connected devices and services, used for active or passive scanning of open ports and banners, not for harvesting emails or subdomains from web content. Option C is wrong because DNS zone transfer is an active reconnaissance technique that attempts to retrieve the entire DNS zone file from a nameserver, requiring direct interaction and often failing due to security restrictions, whereas theHarvester focuses on passive methods. Option D is wrong because while social media APIs can provide user data, theHarvester's default configuration does not commonly use them; it primarily relies on search engines like Google, Bing, and Yahoo for passive email and subdomain discovery.

84 · MCQ · hard

A penetration tester is performing passive reconnaissance on a target organization. The tester wants to identify internal IP address ranges used by the organization without interacting directly with their network. Which of the following techniques would be most effective for this purpose?

A. Querying public BGP route databases and looking up the organization's autonomous system (AS) number
B. Performing a DNS zone transfer against the target's authoritative DNS servers
C. Using Shodan to search for devices from the target organization
D. Sending ARP requests on the local network segment to discover hosts

Answer: A

BGP databases contain announced IP prefixes for AS numbers. By finding the target's ASN, the tester can see all public IP ranges associated with the organization.

Why this answer

Querying public BGP route databases (e.g., RADB, ARIN) using the organization's AS number allows a tester to retrieve IP prefixes announced by the target. This is passive reconnaissance because it uses publicly available routing data without sending any packets to the target's network, making it ideal for identifying internal IP ranges from an external perspective.

Exam trap

CompTIA often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse DNS zone transfers (which are active and often restricted) with passive DNS lookups, or assume Shodan is always passive when it actually relies on active scanning data from the past.

How to eliminate wrong answers

Option B is wrong because a DNS zone transfer (AXFR) is an active technique that requires direct interaction with the target's authoritative DNS servers; it is not passive and often fails due to security restrictions. Option C is wrong because using Shodan involves querying a search engine that has previously scanned the target's public-facing devices, which is technically passive but relies on historical scan data and may not reveal internal IP ranges not exposed to the internet. Option D is wrong because sending ARP requests is an active, link-local discovery method that requires being on the same broadcast domain as the target, which is not passive and not feasible during external reconnaissance.

85 · MCQ · hard

A vulnerability scanner reports a reflected XSS vulnerability in a web application. Manual testing confirms that the application HTML-encodes all user input in the response. Which scanner misconfiguration is MOST likely causing this false positive?

A. The scanner used a POST request instead of a GET request for the payload
B. The scanner's payload was reflected in a different context not subject to HTML encoding
C. The scanner used a payload with special characters that were truncated by the server
D. The scanner's payload triggered a server error that echoed back the input without encoding

Answer: D

Error messages may reflect input without encoding, leading the scanner to flag a false XSS finding.

Why this answer

Option D is correct because a server error that echoes back the unencoded input bypasses the application's normal HTML-encoding logic. In this scenario, the vulnerability scanner detects the reflected payload in the error response, which is not subject to the same encoding as the application's standard output. This creates a false positive because the reflected XSS is not exploitable through the normal application flow, but only through an error condition that the scanner inadvertently triggered.

Exam trap

CompTIA often tests the distinction between a vulnerability being present in an error response versus the normal application flow, tricking candidates into thinking any reflection of input confirms XSS without considering the response context.

How to eliminate wrong answers

Option A is wrong because the HTTP method (POST vs GET) does not affect whether input is HTML-encoded in the response; encoding is applied server-side regardless of the request method. Option B is wrong because if the payload were reflected in a different context not subject to HTML encoding, the finding would be a true positive, not a false positive. Option C is wrong because truncation of special characters would likely prevent the payload from being reflected at all, or would break the XSS vector, leading to a false negative rather than a false positive.

86 · MCQ · easy

A penetration tester needs to gather information about a target organization's employees and email addresses from public sources. Which passive reconnaissance tool is BEST suited for this task?

A. Nikto
B. Nmap
C. Wireshark
D. Maltego

Answer: D

Maltego excels at OSINT gathering, including email addresses and employee information.

Why this answer

Maltego is a passive reconnaissance tool that excels at gathering information from public sources, including employee names, email addresses, and organizational relationships, by querying open-source intelligence (OSINT) data such as social media, search engines, and DNS records. It uses transforms to automate data collection and link analysis, making it ideal for this task without directly interacting with the target's systems.

Exam trap

The trap here is that candidates often confuse active scanning tools (like Nikto or Nmap) with passive reconnaissance, failing to recognize that Maltego is specifically designed for OSINT gathering from public sources without sending probes to the target.

How to eliminate wrong answers

Option A is wrong because Nikto is an active web server scanner that sends HTTP requests to identify vulnerabilities, not a passive tool for gathering employee or email data from public sources. Option B is wrong because Nmap is an active network scanning tool that sends packets to discover hosts and services, which is not passive and does not collect employee or email information. Option C is wrong because Wireshark is a network protocol analyzer that captures and inspects live traffic, requiring active packet capture and not suitable for passive OSINT gathering from public sources.

87 · MCQ · easy

A penetration tester wants to discover subdomains of a target domain without sending any packets directly to the target's network. Which resource is most effective for this purpose?

A. DNS brute force with a wordlist
B. Certificate Transparency logs
C. WHOIS lookup
D. Traceroute

Answer: B

These logs contain issued certificates which include subdomains; they can be queried passively.

Why this answer

Certificate Transparency (CT) logs are publicly accessible, append-only ledgers that record every SSL/TLS certificate issued by a Certificate Authority (CA). Since certificates often include Subject Alternative Names (SANs) listing subdomains, querying CT logs (e.g., via crt.sh or tools like `certigo`) reveals subdomains without any direct network probes. This makes CT logs the most effective passive reconnaissance resource, as no packets are sent to the target's infrastructure.

Exam trap

CompTIA often tests the distinction between active and passive reconnaissance; the trap here is assuming DNS brute force is passive because it uses a wordlist, but it actively queries DNS servers, whereas CT logs are truly passive as they rely on publicly archived certificate data.

How to eliminate wrong answers

Option A is wrong because DNS brute force with a wordlist requires sending DNS queries to the target's authoritative name servers, which generates network traffic and directly interacts with the target's infrastructure, violating the 'no packets sent' constraint. Option C is wrong because WHOIS lookup provides registration details (e.g., registrar, admin contacts) for the domain itself, not subdomains; it relies on WHOIS servers and does not enumerate subdomains from certificate data.

88 · MCQ · hard

A penetration tester has compromised a Windows domain-joined workstation and needs to identify all domain controllers and their IP addresses without triggering detection mechanisms. Which technique is most likely to avoid raising alerts?

A. Perform an LDAP query using ADSI to enumerate domain controllers
B. Attempt a DNS zone transfer from the internal DNS server
C. Perform an ARP scan of the subnet to identify active IP addresses
D. Use Nmap to perform a SYN scan of the entire subnet looking for Kerberos service ports

Answer: A

LDAP queries are common and legitimate domain activity, making them stealthy for internal reconnaissance.

Why this answer

Performing an LDAP query using ADSI to enumerate domain controllers is stealthy because it uses standard, authenticated Windows API calls that blend into normal domain traffic. This technique queries the directory service for the 'domainController' object class, which returns the DNS hostnames and IP addresses without generating suspicious network scans or DNS anomalies.

Exam trap

The trap here is that candidates often assume DNS zone transfers are the standard way to enumerate domain controllers, but they fail to recognize that zone transfers are typically restricted and logged, whereas LDAP queries are routine and less likely to trigger alerts.

How to eliminate wrong answers

Option B is wrong because attempting a DNS zone transfer from the internal DNS server typically requires an 'allow-transfer' ACL and generates a distinct AXFR query that is often logged and monitored by security teams, raising alerts. Option C is wrong because performing an ARP scan of the subnet sends a burst of broadcast requests that can be detected by network intrusion detection systems (NIDS) or endpoint protection platforms (EPP) as reconnaissance activity.

89 · MCQ · medium

A penetration tester is using Nmap to scan a target web server. The tester only wants to see which of the top 100 ports are open, but wants to minimize network traffic and time. Which Nmap command is most appropriate?

A. `nmap -sS -p- target`
B. `nmap -sT -p 1-100 target`
C. `nmap -sC -p 1-1000 target`
D. `nmap -sV --top-ports 100 target`

Answer: D

--top-ports 100 scans the most frequently open ports, minimizing traffic and time while focusing on likely candidates.

Why this answer

Option D is correct because `--top-ports 100` instructs Nmap to scan only the 100 most commonly open ports, which minimizes network traffic and time compared to scanning all ports or a large range. The `-sV` flag enables version detection, which is not strictly required but is commonly used in information gathering; however, the key factor for minimizing traffic and time is the `--top-ports` option, which uses a statistically derived list to reduce scan scope.

Exam trap

The trap here is that candidates confuse `-p 1-100` (first 100 ports numerically) with `--top-ports 100` (most commonly open ports), leading them to choose option B, which misses high-numbered common ports like 443 (HTTPS) or 8080 (HTTP-alt).

How to eliminate wrong answers

Option A is wrong because `-p-` scans all 65535 ports, which generates maximum traffic and takes the longest time, contradicting the goal of minimizing both. Option B is wrong because `-sT` performs a full TCP connect scan, which is slower and more detectable than a SYN scan, and `-p 1-100` scans only the first 100 ports numerically, not the top 100 most common ports, potentially missing open ports like 443 or 8080. Option C is wrong because `-sC` runs default NSE scripts, which adds significant traffic and time, and `-p 1-1000` scans 1000 ports, far more than the requested top 100, increasing scan duration.

90 · MCQ · easy

During the reconnaissance phase, a penetration tester wants to map out the target's DNS infrastructure without directly interacting with the target's servers. Which of the following techniques BEST achieves this?

A. Performing a DNS zone transfer
B. Querying publicly available DNS records
C. Using Nmap to scan for DNS servers
D. Sending crafted DNS queries to the target's DNS server

Answer: B

Using public DNS resolvers to retrieve records like A, MX, or CNAME is passive and avoids direct interaction.

Why this answer

Option B is correct because querying publicly available DNS records (e.g., via passive DNS, WHOIS, or DNSDumpster) allows the tester to gather DNS information without any direct interaction with the target's servers. This technique relies on third-party databases and cached records, avoiding any packets sent to the target, which is essential for stealth during reconnaissance. It aligns with passive information gathering, as defined in the PT0-002 objectives.

Exam trap

The trap here is that candidates often confuse 'passive reconnaissance' with 'active reconnaissance' and choose a technique like DNS zone transfer or Nmap scanning, which are clearly active and detectable, because they assume any DNS enumeration must involve direct queries.

How to eliminate wrong answers

Option A is wrong because a DNS zone transfer is an active query that directly interacts with the target's authoritative DNS server, requiring the server to allow AXFR requests, which is a direct interaction and not passive. Option C is wrong because using Nmap to scan for DNS servers involves sending packets to the target's network to probe for open ports (e.g., UDP 53), which is active reconnaissance and directly interacts with the target's infrastructure.

91 · Multi-Select · medium

A penetration tester is conducting an external assessment of a target organization and wants to gather information without sending any packets that might be logged by the target's network monitoring systems. Which TWO of the following methods are considered passive reconnaissance?

Select 2 answers

A. Send spear-phishing emails to employees
B. Query the target's DNS servers using nslookup
C. Use Shodan to identify exposed services
D. Conduct WHOIS lookups on the target's domain
E. Perform a full port scan using Nmap

Answers: C, D

Shodan crawls the internet and stores publicly available information, so queries against Shodan are passive.

Why this answer

Passive reconnaissance involves collecting information from publicly available sources without directly interacting with the target's systems. WHOIS lookups (Option D) and Shodan searches (Option C) both rely on public databases and do not send probes to the target network. DNS queries against the target's servers (Option B) can be logged by those servers and are therefore active.

Port scanning (Option E) and phishing emails (Option A) are active techniques that directly interact with the target.

92 · Multi-Select · medium

A penetration tester is planning to perform a vulnerability scan of an internal network. Which of the following should be considered before scanning? (Choose three.)

Select 3 answers

A. Obtain written authorization from the client
B. Define the scope and rules of engagement
C. Perform the scan during peak business hours
D. Ensure the scanning tool is updated with latest signatures
E. Test all available exploit modules

Answers: A, B, D

Authorization is essential to avoid legal issues.

Why this answer

Option A is correct because written authorization from the client is a legal and ethical prerequisite before any scanning activity. Without explicit permission, the penetration tester could be liable for unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA) or similar regulations, as vulnerability scanning involves sending probes that may trigger intrusion detection systems or cause unintended disruptions.

Exam trap

The trap here is that candidates confuse vulnerability scanning with exploitation, assuming that testing exploits (Option E) is part of the scan, when in fact scanning is passive detection and exploitation requires separate authorization and a different phase.

93 · MCQ · easy

Which of the following tools would a penetration tester most likely use to perform passive reconnaissance on a target domain?

A. Wireshark
B. Nmap
C. Metasploit
D. theHarvester

Answer: D

theHarvester is designed for passive reconnaissance by querying public sources.

Why this answer

theHarvester is a passive reconnaissance tool that gathers information from public sources such as search engines, PGP key servers, and the Shodan API without directly interacting with the target domain. It collects email addresses, subdomains, IPs, and employee names using OSINT (Open Source Intelligence) techniques, making it ideal for passive information gathering.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with active scanning tools like Nmap or Wireshark, failing to recognize that passive methods rely on publicly available data without sending any packets to the target.

How to eliminate wrong answers

Option A is wrong because Wireshark is a network protocol analyzer that captures and inspects live traffic, which requires active packet sniffing on the network, not passive reconnaissance. Option B is wrong because Nmap is an active scanning tool that sends crafted packets to target hosts to discover open ports and services, generating detectable traffic. Option C is wrong because Metasploit is an exploitation framework used for active penetration testing, including payload delivery and post-exploitation, not passive information gathering.

94 · MCQ · hard

A penetration tester is conducting vulnerability scanning on a web application that uses a Web Application Firewall (WAF). The scanner triggers a WAF block after several requests. Which of the following techniques would be MOST effective to continue scanning while evading the WAF?

A. Increase scan speed
B. Randomize request parameters and headers
C. Use HTTP/2 multiplexing
D. Perform a full TCP connect scan

Answer: B

Randomization breaks signature-based detection by varying requests.

Why this answer

Option B is correct because randomizing request parameters and headers makes it harder for the WAF to detect pattern-based scanning. Option A increases the likelihood of detection; Option C (HTTP/2 multiplexing) does not change the request content and so may not evade pattern detection; Option D is a port-scanning technique, not a web application scanning technique.

95
MCQ · medium

A penetration tester is performing active reconnaissance on a target network. The tester wants to identify all live hosts in the 192.168.1.0/24 subnet and determine which ones have port 80 open. Which technique is most efficient for this task?

A. Perform a full TCP connect scan on all 65535 ports for each IP address.
B. Use a ping sweep to identify live hosts, then run a SYN scan on port 80 for those hosts.
C. Run a SYN scan on port 80 for every IP in the subnet without ping probing.
D. Use ARP requests to map the subnet and then check for port 80 on each host.
Answer: B

A ping sweep quickly finds responsive IPs, and then a SYN scan on only those hosts for the single port is highly efficient.

Why this answer

Option B is correct because it combines two efficient steps: first, a ping sweep (ICMP Echo Request or ARP scan) identifies live hosts in the 192.168.1.0/24 subnet, reducing the number of targets; second, a SYN scan on port 80 for only those live hosts is faster and less intrusive than scanning all ports or all IPs without prior host discovery. This approach minimizes network traffic and scan time while accurately identifying hosts with HTTP services.

Exam trap

The trap here is that candidates often choose option C, thinking that skipping ping probing saves time, but they overlook the inefficiency of scanning all 256 IPs (including many dead hosts) versus first identifying live hosts to reduce the scan scope.

How to eliminate wrong answers

Option A is wrong because performing a full TCP connect scan on all 65535 ports for each IP in a /24 subnet is highly inefficient, generating massive traffic and taking excessive time, and it does not focus on the specific goal of identifying hosts with port 80 open. Option C is wrong because running a SYN scan on port 80 for every IP in the subnet without ping probing wastes time and resources scanning inactive or non-existent hosts, and it may also trigger intrusion detection systems more aggressively due to scanning dead IPs.

96
MCQ · hard

Refer to the exhibit. A penetration tester finds this configuration file during an assessment. Which of the following is the most critical security concern with this configuration?

A. The bind password is stored in plaintext
B. The server name is an internal hostname
C. The use of LDAP instead of LDAPS
D. The port is non-standard
Answer: C

LDAP over SSL (LDAPS) provides encryption; without it, credentials are transmitted in clear text.

Why this answer

LDAP transmits credentials and queries in cleartext over TCP port 389, making it vulnerable to sniffing and credential theft. LDAPS (LDAP over SSL/TLS) encrypts the entire session on port 636, protecting the bind password and directory data in transit. Since the configuration uses LDAP instead of LDAPS, an attacker on the network can capture the bind password and potentially gain unauthorized access to the directory service.

Exam trap

CompTIA often tests the distinction between a static misconfiguration (like plaintext storage) and a protocol-level vulnerability (like cleartext transmission), tricking candidates into choosing the plaintext password option without recognizing that the network exposure is the more critical risk.

How to eliminate wrong answers

Option A is wrong because while the bind password is stored in plaintext in the configuration file, the question asks for the most critical security concern with this configuration, and the use of LDAP (unencrypted) exposes that password to network sniffing, making the lack of encryption a more fundamental issue. Option B is wrong because using an internal hostname is a standard practice for internal services and does not inherently introduce a security vulnerability; it only prevents external resolution, which is often desirable. Option D is wrong because a non-standard port is not inherently a security concern; it can even provide a minor degree of obscurity, but it does not address the lack of encryption or authentication protection.

97
MCQ · medium

A penetration tester is performing reconnaissance on a target organization and uses Shodan to find internet-facing devices. Which of the following is the BEST use case for Shodan in this context?

A. Identifying subdomains through DNS brute-forcing
B. Discovering open ports and services on public IP ranges
C. Enumerating email addresses from corporate websites
D. Extracting metadata from documents found on the target's website
Answer: B

Shodan collects banner data from services like HTTP, SSH, FTP, etc., allowing testers to see what is exposed on the internet.

Why this answer

Shodan is a search engine for internet-connected devices that scans public IP ranges and indexes the banners returned by services. Its primary use in reconnaissance is to discover open ports and running services on target IP ranges, revealing attack surface such as exposed databases, web servers, or industrial control systems. This aligns directly with the information-gathering phase of a penetration test.

Exam trap

The trap here is that candidates confuse Shodan's banner-gathering capability with active DNS enumeration or web scraping, leading them to select options that describe unrelated reconnaissance tasks.

How to eliminate wrong answers

Option A is wrong because Shodan does not perform DNS brute-forcing; that task is accomplished with tools like dnsrecon, subfinder, or Gobuster, which query DNS servers directly. Option C is wrong because Shodan indexes service banners and device metadata, not email addresses from corporate websites; email enumeration is typically done via web scraping, search engines, or tools like theHarvester.

98
MCQ · easy

Which of the following tools is primarily used for enumerating subdomains via search engine queries?

A. Metasploit
B. Netcat
C. theHarvester
D. Nmap
Answer: C

theHarvester is designed for OSINT, including subdomain enumeration via search engines.

Why this answer

theHarvester is specifically designed to gather emails, subdomains, IPs, and URLs from public sources, including search engines like Google, Bing, and Yahoo. It leverages search engine APIs and scraping techniques to enumerate subdomains without directly interacting with the target infrastructure, making it the correct tool for this task.

Exam trap

The trap here is that candidates often confuse Nmap's DNS brute-force scripts (like dns-brute) with passive subdomain enumeration, but Nmap actively queries DNS servers, whereas theHarvester passively collects data from search engines without touching the target's infrastructure.

How to eliminate wrong answers

Option A is wrong because Metasploit is a penetration testing framework focused on exploit development and execution, not passive subdomain enumeration via search engines. Option B is wrong because Netcat is a networking utility for reading/writing data across TCP/UDP connections, lacking any search engine querying capability. Option D is wrong because Nmap is a network scanner that probes live hosts and services using raw packets, not a tool for passive subdomain discovery through search engine queries.

99
MCQ · hard

A penetration tester is tasked with performing vulnerability scanning on a target organization that uses a web application firewall (WAF) and an intrusion prevention system (IPS). The tester wants to avoid being blocked while still gathering comprehensive data. Which scanning approach is most effective?

A. Use a slow, distributed scan from multiple IP addresses with random delays
B. Perform an aggressive scan with a high thread count to complete before the WAF adapts
C. Only perform passive reconnaissance and avoid active scanning
D. Use known WAF bypass techniques for each request
Answer: A

This reduces the chance of triggering IPS/WAF alerts by mimicking normal traffic patterns and avoiding high request rates from a single source.

Why this answer

A slow, distributed scan from multiple IP addresses with random delays is most effective because it evades rate-based detection mechanisms in WAFs and IPSs. By spreading the scan across many sources and introducing jitter, the traffic appears as normal user activity rather than a coordinated attack, allowing comprehensive data collection without triggering blocks.

Exam trap

The trap here is that candidates assume a fast, aggressive scan will 'beat' the WAF/IPS before it adapts, but in reality these systems use real-time rate limiting and signature detection that will block the source IP almost immediately, making the slow distributed approach the only viable option.

How to eliminate wrong answers

Option B is wrong because an aggressive scan with a high thread count will rapidly generate a high volume of requests, which WAFs and IPSs are specifically designed to detect and block as a denial-of-service or scanning pattern, likely resulting in the tester being blocked before completion. Option C is wrong because passive reconnaissance alone cannot gather comprehensive vulnerability data such as open ports, service versions, or missing patches, which require active probing to identify.

100
MCQ · medium

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following techniques would provide the MOST useful information about internal network architecture without directly interacting with the target's systems?

A. Performing a zone transfer against the target's DNS servers
B. Searching for the target's SSL certificates in Certificate Transparency logs
C. Using Nmap to scan common ports on the target's public IP range
D. Querying the target's WHOIS records for IP addresses
Answer: B

Certificate Transparency logs are public and can be queried without contacting the target. They often expose subdomains that may not be publicly listed elsewhere.

Why this answer

Certificate Transparency (CT) logs are publicly accessible, append-only ledgers of SSL/TLS certificates. By searching CT logs for certificates issued to the target organization, a penetration tester can discover subdomains, hostnames, and even internal-facing server names that are included in Subject Alternative Names (SANs) or Common Names (CNs). This reveals internal network architecture details (e.g., 'mail.internal.example.com') without any direct interaction with the target's systems, making it a purely passive reconnaissance technique.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with low-interaction techniques like WHOIS lookups or zone transfers, not realizing that zone transfers and Nmap scans are active techniques that directly interact with the target's systems, while Certificate Transparency logs are a purely passive, third-party data source.

How to eliminate wrong answers

Option A is wrong because performing a zone transfer against the target's DNS servers is an active technique that directly interacts with the target's infrastructure; it sends a DNS query (AXFR) to the target's nameserver, which may be logged or blocked. Option C is wrong because using Nmap to scan common ports on the target's public IP range is an active scanning technique that sends packets to the target's systems, generating network traffic and potentially triggering intrusion detection systems. Option D is wrong because querying the target's WHOIS records for IP addresses provides only registration and administrative contact information, not internal network architecture details such as subdomains or hostnames.

101
MCQ · medium

A penetration tester is performing passive reconnaissance on a target organization. The tester wants to gather information about the target's technology stack, including web server software and frameworks, without directly interacting with the target systems. Which technique is most effective?

A. Running Nmap with the `-A` flag against the target's public IP range
B. Using theHarvester to search for email addresses and subdomains
C. Querying public records with BuiltWith
D. Performing a DNS zone transfer
Answer: C

BuiltWith uses public data and DNS records to profile the technologies used by a website, including web servers, frameworks, and analytics tools, all without sending any traffic to the target.

Why this answer

BuiltWith is a passive reconnaissance tool that queries public web data and DNS records to identify a target's technology stack, such as web server software (e.g., Apache, Nginx) and frameworks (e.g., React, Django), without sending any packets to the target's systems. This makes it ideal for passive information gathering, as it relies on third-party databases and cached information rather than direct interaction.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with low-interaction active tools like Nmap's `-A` flag, failing to recognize that any direct network probing constitutes active reconnaissance, even if it's just a single scan.

How to eliminate wrong answers

Option A is wrong because running Nmap with the `-A` flag performs active reconnaissance by sending probes directly to the target's IP range, which can be detected by intrusion detection systems and violates the passive requirement. Option B is wrong because theHarvester focuses on gathering email addresses and subdomains from search engines and public sources, not on identifying the technology stack like web server software or frameworks.

102
MCQ · medium

A penetration tester is analyzing the results of a vulnerability scan against a web application. The scanner reports a potential SQL injection vulnerability in a login form parameter. However, manual testing with the same payload does not produce any error messages or changes in behavior. Which of the following is the most likely reason for the false positive?

A. The scanner used a payload that was not URL-encoded
B. The web application is using a parameterized query that sanitizes input
C. The scanning engine is outdated and does not support the latest SQL syntax
D. The login form is protected by a CAPTCHA that blocks automated scanning
Answer: B

Parameterized queries separate SQL logic from data, preventing injection even if input appears malicious. The scanner may have flagged based on the payload string, but the application handled it safely.

Why this answer

Option B is correct because the use of parameterized queries (prepared statements) separates SQL logic from user input, preventing SQL injection even if the input contains malicious payloads. The scanner's payload triggered a false positive because the application's database layer safely handles the input, so no error or behavioral change occurs during manual testing.

Exam trap

The trap here is that candidates often assume a vulnerability scanner's report is always accurate and overlook the possibility of false positives due to input handling mechanisms like parameterized queries, instead focusing on payload encoding or scanner version issues.

How to eliminate wrong answers

Option A is wrong because URL-encoding is a standard practice for transmitting special characters in HTTP requests; if the scanner's payload were not URL-encoded, the web server would likely reject or truncate the request, not produce a false positive. Option C is wrong because an outdated scanning engine might miss new SQL syntax or produce false negatives, but it would not cause a false positive; the scanner reported a vulnerability that manual testing disproves, which is a false positive, not a false negative.
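To show why a parameterized query turns the scanner's payload into a harmless string, here is an added Python example (not from the page or any exam vendor) that runs one constructed login payload against a string-concatenated query and a parameterized one over an in-memory SQLite table; the table, account and payload are constructed for illustration.

```python
import sqlite3

# Constructed example of the kind of string a scanner submits to a login field.
SCANNER_PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable form: user input is spliced into the SQL text.

    The quote in the payload closes the string literal and the OR clause
    changes the query logic, so the check passes without valid credentials.
    A scanner sees the behaviour change and reports a true positive.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: a parameterized query binds the values separately.

    The SQL text is fixed; the payload is compared as a literal password
    string and can never alter the query, so no error or behaviour change
    occurs. A scanner that flags on the payload string alone reports a
    false positive here.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(payload: str) -> dict:
    """Run the same payload through both query styles and a legitimate login."""
    conn = make_db()
    return {
        "concat": login_concat(conn, "alice", payload),   # True: logic altered
        "param": login_param(conn, "alice", payload),     # False: treated as data
        "legit": login_param(conn, "alice", "correct-horse"),  # True: real password
    }


if __name__ == "__main__":
    print(compare(SCANNER_PAYLOAD))
```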

103
MCQ · medium

A penetration tester wants to identify hosts on a network that are running web servers on any TCP port, including non-standard ports. Which Nmap command is most efficient for this task?

A. `nmap -sV -p- target`
B. `nmap -sC -p 80,443 target`
C. `nmap -O -p- target`
D. `nmap -sT -p 8000,8080 target`
Answer: A

This scans all TCP ports and performs service detection, making it possible to identify web servers running on any port.

Why this answer

Option A is correct because `-sV` enables version detection to identify web server software, and `-p-` scans all 65535 TCP ports, including non-standard ones. This combination efficiently discovers web servers on any port without unnecessary overhead like OS detection or default script scanning.

Exam trap

The trap here is that candidates often choose `-sC` (default scripts) thinking it checks for web servers, but it only runs on the specified ports and doesn't detect services on non-standard ports.

How to eliminate wrong answers

Option B is wrong because `-sC` runs default scripts but only scans ports 80 and 443, missing non-standard ports. Option C is wrong because `-O` performs OS detection, which is irrelevant for identifying web servers, and `-p-` alone doesn't enable service detection. Option D is wrong because `-sT` is a full TCP connect scan limited to ports 8000 and 8080, ignoring the vast majority of potential web server ports.
