CCNA Ptp Recon Scanning Questions

75 of 108 questions · Page 1/2 · Ptp Recon Scanning topic

1
MCQ · easy

A penetration tester wants to query Certificate Transparency logs to find all SSL/TLS certificates issued for a target domain, which may reveal subdomains. Which tool or website is specifically designed for this purpose?

A. crt.sh
B. Censys
C. Let's Encrypt
D. Shodan
Answer: A

crt.sh queries Certificate Transparency logs for certificates.

Why this answer

crt.sh is a website that queries Certificate Transparency logs and returns certificates for a domain, often revealing subdomains. Shodan and Censys also provide certificate data but crt.sh is focused on CT logs. Let's Encrypt is a CA, not a log query tool.

2
MCQ · easy

Which tool is specifically designed for scanning WordPress websites to detect vulnerabilities, such as outdated plugins, themes, and weak passwords?

A. OpenVAS
B. Nikto
C. WPScan
D. Nessus
Answer: C

WPScan is made specifically for WordPress security assessments.

Why this answer

WPScan is a dedicated WordPress security scanner that enumerates WordPress-specific vulnerabilities, including outdated plugins, themes, and weak passwords via XML-RPC brute-force testing. It uses the WordPress vulnerability database (wpvulndb.com) to match installed versions against known CVEs, making it the correct tool for this targeted task.

Exam trap

The trap here is that candidates often confuse general web vulnerability scanners (like Nikto or OpenVAS) with a CMS-specific tool, assuming any scanner can perform WordPress vulnerability detection, but only WPScan is purpose-built for WordPress enumeration and exploitation.

How to eliminate wrong answers

Option A is wrong because OpenVAS is a general-purpose vulnerability scanner that covers a wide range of systems and services, but it lacks WordPress-specific enumeration capabilities like theme/plugin version detection and password brute-forcing via XML-RPC. Option B is wrong because Nikto is a web server scanner that checks for common misconfigurations and outdated server software, but it does not perform WordPress-specific scans such as plugin vulnerability checks or user enumeration. Option D is wrong because Nessus is a comprehensive vulnerability scanner for networks and operating systems, but it is not designed for WordPress-specific scanning and does not include dedicated checks for WordPress plugin/theme versions or weak password attacks.

3
MCQ · medium

A tester is scanning a target network using Nmap. The client wants minimal disruption and asks to avoid completing TCP three-way handshakes. Which scan type should the tester use?

A. TCP connect scan (-sT)
B. UDP scan (-sU)
C. SYN scan (-sS)
D. Ping sweep (-sn)
Answer: C

SYN scan sends SYN, receives SYN/ACK, then sends RST, never completing the handshake.

Why this answer

A SYN scan (nmap -sS) sends SYN packets and analyzes responses without completing the handshake, making it stealthier than a full connect scan.

4
Multi-Select · hard

A penetration tester is analyzing a web application's JavaScript files for hardcoded secrets and API endpoints. Which THREE techniques or tools are MOST effective for this purpose? (Select THREE.)

Select 3 answers
A. Using LinkFinder to extract endpoints from JavaScript
B. Using Wappalyzer to identify frameworks
C. Using SecretFinder to search for API keys and secrets
D. Using Gobuster to bruteforce directories
E. Manually examining JavaScript source files
Answers: A, C, E

Correct. LinkFinder parses JS files for URLs and endpoints.

Why this answer

LinkFinder is a Python tool specifically designed to extract API endpoints and URLs from JavaScript files by parsing the JS content and using regular expressions to identify potential endpoints. This makes it highly effective for discovering hidden or undocumented API routes that may be exposed in client-side code.

Exam trap

Cisco often tests the distinction between tools that passively extract information from existing files (LinkFinder, SecretFinder) versus tools that actively bruteforce or fingerprint server-side resources (Gobuster, Wappalyzer), leading candidates to select tools that serve different phases of the penetration test.

5
MCQ · easy

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following tools is specifically designed for gathering OSINT by extracting email addresses, subdomains, and employee names from public sources?

A. Nikto
B. WPScan
C. Nmap
D. theHarvester
Answer: D

theHarvester is designed for passive OSINT collection of emails, subdomains, and names from public sources.

Why this answer

theHarvester is a popular OSINT tool used to gather emails, subdomains, IPs, and employee names from public sources like search engines, PGP key servers, and social networks.

6
MCQ · medium

During a penetration test, you are asked to discover all live hosts on a subnet without generating excessive traffic or being too intrusive. Which Nmap command best achieves this goal?

A. nmap -O 192.168.1.0/24
B. nmap -sn 192.168.1.0/24
C. nmap -A 192.168.1.0/24
D. nmap -sS 192.168.1.0/24
Answer: B

-sn performs host discovery only (ping sweep) without port scanning, meeting the requirement.

Why this answer

Option B is correct because the `-sn` flag (ping scan) sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests to discover live hosts without performing port scans or service detection, minimizing traffic and intrusiveness. This meets the requirement of discovering all live hosts on a subnet efficiently.

Exam trap

The trap here is that candidates often confuse `-sn` (ping scan) with `-sS` (SYN scan), assuming that a stealth scan is less intrusive, but `-sS` actually probes ports and generates more traffic, while `-sn` only checks for host liveness without port scanning.

How to eliminate wrong answers

Option A is wrong because `-O` performs OS detection, which requires active port scanning and generates more traffic, making it intrusive and not suitable for a low-traffic discovery goal. Option C is wrong because `-A` enables aggressive scanning (OS detection, version detection, script scanning, traceroute), which generates excessive traffic and is highly intrusive. Option D is wrong because `-sS` performs a SYN stealth scan that probes open ports on each host, generating significant traffic and being more intrusive than a simple ping sweep.

7
MCQ · medium

A penetration tester is performing passive reconnaissance on a target organization. Which of the following tools would be BEST suited to gather information about the organization's domain names, email addresses, and subdomains from publicly available sources without directly interacting with the target's systems?

A. Nmap
B. theHarvester
C. Nessus
D. Metasploit
Answer: B

theHarvester performs passive OSINT collection of emails, subdomains, and hostnames.

Why this answer

theHarvester is designed for passive OSINT gathering of emails, subdomains, IPs, etc. Maltego is also OSINT but more graph-oriented; theHarvester is specifically for email/subdomain enumeration.

8
Multi-Select · hard

A penetration tester is performing active reconnaissance on a target network and wants to use Nmap to identify operating systems and run default scripts against discovered services. Which two Nmap options should the tester include? (Choose TWO.)

Select 2 answers
A. -sV
B. -O
C. -A
D. -sS
E. -sC
Answers: B, E

-O enables OS detection and -sC runs the default NSE scripts.

Why this answer

-O enables OS detection, and -sC runs default scripts. -sV is version detection, -sS is SYN scan, -A includes all but is not necessary if only OS and scripts are needed.

9
MCQ · easy

During a penetration test, the tester wants to identify live hosts on a network without performing a full port scan. Which Nmap command is most appropriate for this task?

A. nmap -A 192.168.1.0/24
B. nmap -O 192.168.1.0/24
C. nmap -sS 192.168.1.0/24
D. nmap -sn 192.168.1.0/24
Answer: D

-sn performs a ping sweep to identify live hosts without port scanning.

Why this answer

The -sn flag in Nmap performs a ping sweep (host discovery) without port scanning, sending ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default.

10
MCQ · easy

During a penetration test, the tester wants to gather information about the target organization's domain registration and contact details without sending any traffic to the target. Which OSINT source should the tester use first?

A. Shodan
B. crt.sh
C. WHOIS
D. Censys
Answer: C

WHOIS provides domain registration details and contact information passively.

Why this answer

WHOIS lookups provide registration details for domains, including administrative contacts, name servers, and expiration dates, without sending traffic to the target. Shodan searches for internet-connected devices, Censys provides certificates and host information, and crt.sh shows certificate transparency logs.

11
MCQ · hard

During a penetration test, the tester runs a DNS zone transfer attempt against a target domain. The zone transfer fails. What is the most likely reason?

A. The DNS server is configured to deny zone transfers from unauthorized hosts
B. The DNS server is offline
C. The tester used the wrong tool
D. The domain does not exist
Answer: A

Most DNS servers restrict zone transfers to authorized secondaries.

Why this answer

DNS zone transfers are typically restricted by default to authorized secondary DNS servers only. Misconfigured DNS servers might allow zone transfers from any host, but it's uncommon. The failure is likely due to security restrictions.

The authoritative server is not necessarily offline, and the domain need not be nonexistent; a refused transfer is the more likely explanation.

12
MCQ · medium

During a penetration test, you want to perform a stealthy port scan that minimizes the chance of being logged by the target. Which Nmap option should you use?

A. -sU
B. -sV
C. -sT
D. -sS
Answer: D

SYN scan is half-open and less likely to be logged.

Why this answer

SYN scan (-sS) is considered stealthy because it does not complete the TCP handshake, reducing the likelihood of being logged compared to a full connect scan.

13
MCQ · medium

During a penetration test, you need to gather information about a target's email addresses and employee names without directly interacting with the target's systems. Which tool is most appropriate for this passive reconnaissance task?

A. Shodan
B. Censys
C. Maltego
D. theHarvester
Answer: D

theHarvester is designed to gather emails, subdomains, and names from public sources.

Why this answer

theHarvester is an OSINT tool designed to gather emails, subdomains, IPs, and employee names from public sources like search engines and social media. Maltego is more for relationship mapping, Shodan for internet-facing devices, and Censys for certificate and network data.

14
MCQ · hard

During a penetration test, you want to discover API endpoints and hidden parameters in a web application. Which tool combination is most effective for this task?

A. Wappalyzer and curl
B. WhatWeb and theHarvester
C. Gobuster and Nikto
D. Arjun and ffuf
Answer: D

Arjun is for parameter discovery; ffuf can bruteforce parameters and endpoints.

Why this answer

Arjun is specifically designed for parameter discovery, while ffuf can be used to bruteforce both directories and parameters. Together they effectively find API endpoints and parameters. gobuster is for directory/file enumeration, not specifically for parameters.

15
MCQ · easy

A penetration tester is performing passive reconnaissance on a target organization. Which of the following tools would be BEST for discovering subdomains and email addresses associated with the target domain without sending any packets to the target?

A. WPScan
B. Nmap
C. snmpwalk
D. theHarvester
Answer: D

Correct. It gathers OSINT data passively.

Why this answer

theHarvester is an OSINT tool that collects emails, subdomains, IPs, and URLs from public sources like search engines and PGP key servers without interacting with the target network.

16
MCQ · medium

While performing vulnerability scanning, a penetration tester runs a Nessus scan against a web server. The report shows a 'critical' finding, but after manual verification, the tester determines the service is not actually vulnerable. This scenario best describes:

A. A false negative
B. A configuration error
C. A false positive
D. A true positive
Answer: C

The scanner flagged a vulnerability that manual testing proved not present, so it's a false positive.

Why this answer

A false positive is when a scanner reports a vulnerability that does not actually exist. Penetration testers must verify scanner findings to avoid reporting false positives.

17
Multi-Select · hard

A penetration tester is conducting active reconnaissance on a target network and wants to enumerate SNMP information. Which TWO of the following tools or commands can be used to query SNMP data from network devices? (Select TWO.)

Select 2 answers
A. WPScan
B. snmpwalk
C. nmap with snmp scripts
D. dig
E. tcpdump
Answers: B, C

snmpwalk is used to retrieve SNMP information from devices.

Why this answer

snmpwalk is a standard SNMP tool to retrieve a subtree of MIB data, and nmap can be used with SNMP scripts to enumerate information.

18
MCQ · hard

During a penetration test, the tester runs an Nmap scan with the -sV option and gets a result showing 'Apache httpd 2.4.49'. This version is known to be vulnerable to a path traversal attack. Which of the following best describes the next step the tester should take?

A. Ignore it because Nmap version detection is unreliable.
B. Attempt to exploit the vulnerability using a known exploit.
C. Report the vulnerability immediately.
D. Move on to other targets since the vulnerability is well-known.
Answer: B

Verification through exploitation (with caution) confirms the vulnerability and provides evidence.

Why this answer

After identifying a potentially vulnerable service, the tester should verify the vulnerability by attempting exploitation in a controlled manner to avoid false positives.

19
MCQ · medium

A penetration tester is performing SNMP enumeration on a target network. Which command would likely be used to extract information from a device with the community string 'public'?

A. snmpget -v 2c -c public target_ip
B. snmpwalk -v 2c -c public target_ip
C. snmpset -v 2c -c public target_ip
D. snmpbulkwalk -v 2c -c public target_ip
Answer: B

This command uses SNMP version 2c with the 'public' community string to walk the MIB tree and retrieve information.

Why this answer

snmpwalk is a standard tool for retrieving a subtree of SNMP MIB data, often used for enumeration with the -v 2c version and -c community string.

20
MCQ · hard

You are performing a vulnerability scan on a web application and notice that the scanner reports a high-severity SQL injection vulnerability. However, manual testing confirms that the input is properly sanitized. Which term best describes this situation?

A. False negative
B. True positive
C. Inconclusive
D. False positive
Answer: D

A false positive is an incorrect alert of a vulnerability that is not present.

Why this answer

A false positive occurs when a scanner incorrectly identifies a vulnerability that does not exist. This is common in automated vulnerability scanning and requires manual verification.

21
MCQ · hard

A penetration tester is tasked with performing an authenticated vulnerability scan of a Windows network. The tester has domain admin credentials. Which tool is most appropriate for this task?

A. Nikto
B. Nmap
C. theHarvester
D. Nessus
Answer: D

Nessus supports authenticated scans with credentials, allowing thorough vulnerability assessment of Windows systems.

Why this answer

Nessus supports authenticated scanning using credentials (e.g., domain admin) to perform deep vulnerability assessment of Windows systems, including missing patches and insecure configurations.

22
Multi-Select · easy

A penetration tester wants to perform passive reconnaissance on a target organization. Which two activities are considered passive reconnaissance? (Choose TWO.)

Select 2 answers
A. Searching Pastebin for leaked credentials
B. Sending SNMP queries to a network device
C. Scanning ports with Nmap
D. Performing a DNS zone transfer attempt
E. Using crt.sh to view SSL certificates
Answers: A, E

Passive: searching public data without target interaction.

Why this answer

Option A is correct because searching Pastebin for leaked credentials involves collecting information from publicly accessible sources without directly interacting with the target's systems. This is a classic passive reconnaissance technique, as it relies on third-party data and does not generate any network traffic to the target organization.

Exam trap

The trap here is that candidates often confuse 'publicly available information' with 'active probing'—for example, assuming that querying crt.sh or Pastebin is active because it involves a web request, when in fact it is passive because the request goes to a third-party service, not the target's own systems.

23
Multi-Select · medium

A penetration tester is conducting a web application reconnaissance and wants to discover API endpoints and hidden parameters. Which three tools are most appropriate for this task? (Choose THREE.)

Select 3 answers
A. ffuf
B. Wappalyzer
C. Arjun
D. Gobuster
E. Whatweb
Answers: A, C, D

ffuf can be used for parameter and endpoint brute forcing.

Why this answer

ffuf (Fuzz Faster U Fool) is a high-performance fuzzing tool used to discover API endpoints and hidden parameters by brute-forcing URLs, headers, and POST data. It supports wordlist-based fuzzing and can be used to enumerate RESTful API paths by replacing placeholders in the target URL, making it ideal for web application reconnaissance.

Exam trap

The trap here is that candidates may confuse technology fingerprinting tools (Wappalyzer, Whatweb) with active discovery tools, or forget that Gobuster's directory brute-force mode is valid for API endpoint discovery, not just web directories.

24
MCQ · medium

You are performing a network scan and need to identify live hosts on a subnet without triggering firewalls that block ICMP. Which technique should you use?

A. ARP scan with arp-scan
B. Ping sweep with nmap -sn
C. TCP SYN ping with nmap -PS
D. UDP scan with nmap -sU
Answer: A

ARP operates at Layer 2 and is not blocked by firewalls on the same subnet.

Why this answer

Using ARP scan (arp-scan) works on local networks and does not rely on ICMP, making it effective even when ICMP is blocked. It sends ARP requests and listens for replies.

25
MCQ · medium

You are conducting a penetration test and need to identify subdomains of a target domain using a passive approach that does not generate traffic to the target's servers. Which technique should you use?

A. Certificate transparency logs
B. DNS cache snooping
C. Subdomain bruteforce with gobuster
D. DNS zone transfer
Answer: A

Certificate transparency logs are public and passive to query.

Why this answer

Certificate transparency logs (e.g., crt.sh) are public logs of SSL/TLS certificates, often containing subdomain names. Querying them is passive and does not interact with the target.

26
MCQ · hard

During a penetration test, a tester uses the Wayback Machine to review historical versions of the target's website. What is the primary benefit of this activity?

A. It reveals old web pages that may contain sensitive information or forgotten endpoints
B. It bypasses the target's WAF
C. It provides real-time vulnerability data
D. It performs a live vulnerability scan
Answer: A

Historical archives can uncover deprecated files, configuration details, or credentials that were accidentally exposed in the past.

Why this answer

The Wayback Machine archives historical snapshots of web pages, which can reveal old files, endpoints, or sensitive information that are no longer linked from the current site but may still be accessible on the live server.

27
Multi-Select · medium

A penetration tester is conducting passive reconnaissance and wants to gather information about a target organization's employees, email addresses, and internal structure. Which TWO tools are best suited for this purpose? (Select TWO.)

Select 2 answers
A. Maltego
B. Gobuster
C. Nmap
D. theHarvester
E. Nikto
Answers: A, D

Maltego can transform data from multiple OSINT sources to reveal relationships and employee info.

Why this answer

Maltego is a data mining tool that visualizes relationships and can collect info from social media, DNS, and other sources. theHarvester gathers emails, subdomains, and names from public sources. LinkedIn is also used for organizational chart mapping, but the question asks for tools specifically.

28
Multi-Select · hard

You are performing reconnaissance on a target's web application. Which of the following techniques can be used to discover hidden directories and files? (Select THREE.)

Select 3 answers
A. Using feroxbuster
B. Using dirsearch with a common wordlist
C. Running Nikto with default options
D. Using gobuster in dir mode
E. Querying theHarvester
Answers: A, B, D

feroxbuster is a recursive directory bruteforcer.

Why this answer

Directory bruteforce tools like dirsearch, gobuster, and feroxbuster are designed to discover hidden directories and files by using wordlists. Nikto is a vulnerability scanner, not primarily for directory discovery. theHarvester is for email/subdomain harvesting.

29
MCQ · medium

While performing vulnerability scanning with Nessus, a penetration tester notices that several high-severity vulnerabilities are reported for a web server, but manual verification shows the server is not vulnerable. What is the MOST likely cause of this discrepancy?

A. The scanner used unauthenticated scans, missing the actual vulnerabilities
B. The scanner configuration excluded necessary plugins for accurate testing
C. The target server is behind a load balancer that modifies responses
D. The scanner is reporting false positives due to inaccurate version detection
Answer: D

Correct. Version-based detection can be unreliable.

Why this answer

Nessus performs version-based detection by analyzing server banners and HTTP response headers. If the web server's software version string is outdated or misconfigured, the scanner may flag vulnerabilities that do not actually exist in the patched or custom-compiled version. This is a classic false positive scenario where the scanner relies on version matching rather than actual exploit verification.

Exam trap

The trap here is that candidates often assume high-severity findings must be real, or they confuse false positives with missed vulnerabilities due to authentication or plugin issues.

How to eliminate wrong answers

Option A is wrong because unauthenticated scans typically reduce visibility and may miss vulnerabilities, but they do not cause false positives; in fact, they more often lead to false negatives. Option B is wrong because excluding necessary plugins would reduce the number of findings, not generate high-severity false positives. Option C is wrong because a load balancer modifies traffic distribution and may affect response headers, but it does not cause Nessus to report vulnerabilities that are not present; the scanner still sees the actual server response.

30
MCQ · medium

During a penetration test, the tester wants to gather information about a target using publicly available DNS records, including mail servers, name servers, and possibly TXT records. Which type of DNS query would be most useful for obtaining a comprehensive list of these records?

A. NS record query
B. MX record query
C. AXFR zone transfer request
D. A record query
Answer: C

AXFR attempts to retrieve all DNS records in a zone.

Why this answer

An AXFR (zone transfer) request is the correct choice because it retrieves the entire DNS zone file from a name server, which includes all record types (A, AAAA, MX, NS, TXT, etc.) for a domain. This provides a comprehensive list of publicly available DNS records, making it ideal for information gathering during a penetration test. In contrast, specific queries like NS or MX only return a single record type, limiting the scope of enumeration.

Exam trap

The trap here is that candidates may confuse a single-record-type query (like NS or MX) with a comprehensive enumeration method, overlooking that AXFR is the only option that retrieves all DNS records in one request.

How to eliminate wrong answers

Option A is wrong because an NS record query only returns the authoritative name servers for the domain, not the full set of DNS records. Option B is wrong because an MX record query only returns mail exchange servers, omitting other critical records like TXT or A records. Option D is wrong because an A record query only returns IPv4 addresses for a given hostname, failing to provide a comprehensive view of the domain's DNS infrastructure.

31
MCQ · easy

During the information gathering phase, a penetration tester uses Google dorks to find exposed documents on a target's website. Which Google dork would be most appropriate to find PDF files containing sensitive information?

A. filetype:pdf
B. inurl:admin
C. site:target.com password
D. intitle:index.of
Answer: A

filetype:pdf limits results to PDF files.

Why this answer

The filetype:pdf dork restricts results to PDF files. Other dorks target different file types or content.

32
Multi-Select · easy

A penetration tester is performing web application reconnaissance. The tester wants to discover hidden directories and files, identify the technologies used, and find API endpoints. Which THREE of the following tools are best suited for these tasks?

Select 3 answers
A. Gobuster
B. ffuf
C. Nikto
D. Burp Suite
E. Wappalyzer
Answers: A, B, E

Gobuster excels at directory/file brute-forcing.

Why this answer

Gobuster is a tool that performs directory/file brute-forcing using wordlists, making it ideal for discovering hidden directories and files. It can also be used to enumerate DNS subdomains and virtual hosts, directly supporting the task of finding hidden resources on a web server.

Exam trap

The trap here is that candidates may confuse Nikto's vulnerability scanning with directory enumeration, or think Burp Suite is a dedicated discovery tool rather than a multi-purpose proxy, leading them to select options that are not specifically designed for brute-forcing hidden directories and files.

33
Multi-Select · medium

A penetration tester is conducting passive reconnaissance against a target organization. Which TWO of the following techniques would be most appropriate for gathering information about the organization's infrastructure and employees without directly interacting with the target's systems?

Select 2 answers
A. Using DNS enumeration tools like nslookup or dig
B. Querying Shodan for open ports on the target's IP range
C. Performing WHOIS lookups to find domain registration details
D. Searching LinkedIn for employee profiles and organizational structure
E. Reviewing the target's website on Netcraft
Answers: C, D

WHOIS lookups are passive and can reveal organizational details.

Why this answer

WHOIS queries (C) and LinkedIn searches (D) are passive techniques that do not interact with the target's systems. DNS lookups (A) and Shodan queries (B) can be passive if they use cached data, but they often involve direct queries to services that may log the tester's IP; WHOIS and LinkedIn are clearly passive. Netcraft (E) can be passive but is less commonly used for employee information.

The best two are C and D.

34
MCQ · easy

A penetration tester is performing a vulnerability scan on a web server using Nikto. After the scan, the tester notices several findings related to outdated software versions and missing security headers. What should the tester do to validate the findings and reduce false positives?

A. Ignore findings related to missing headers as low priority
B. Manually verify a subset of the findings
C. Increase the scan intensity to get more details
D. Accept all findings as true since Nikto is a reliable tool
Answer: B

Manual verification confirms the presence of vulnerabilities.

Why this answer

Manually verifying findings is the best practice to confirm if they are real vulnerabilities or false positives. Relying on scanner output alone is insufficient.

35
MCQ · hard

A penetration tester is analyzing a web application and wants to discover hidden API endpoints by brute-forcing common paths. Which tool is best suited for this task?

A. WPScan
B. Feroxbuster
C. theHarvester
D. Nikto
Answer: B

Feroxbuster is designed for brute-forcing web content including API endpoints.

Why this answer

Feroxbuster is a fast, recursive content discovery tool that supports wordlist-based brute-forcing of directories, files, and API endpoints, with automatic recursion.

36
MCQ · medium

A penetration tester is using Shodan to identify internet-facing devices associated with a target organization. Which of the following is Shodan's primary function in the context of passive reconnaissance?

A. Analyzing malware samples
B. Exploiting vulnerabilities in IoT devices
C. Searching for devices and services exposed to the internet
D. Performing live port scans on target IPs
Answer: C

Shodan indexes banners and allows searching for specific devices.

Why this answer

Shodan is a search engine for internet-connected devices, providing information about services and banners. It does not perform active scans itself; it indexes data from active scanning.

37
MCQ · easy

Which Nmap scan type sends SYN packets to determine open ports without completing the TCP three-way handshake?

A. -sU
B. -sS
C. -sT
D. -sN
Answer: B

SYN scan uses SYN packets and does not complete the handshake.

Why this answer

The SYN scan (-sS) sends a SYN packet and if a SYN/ACK is received, the port is considered open; it does not complete the handshake, making it stealthier than a full connect scan.

38
Multi-Select · easy

You are conducting passive reconnaissance on a target organization. Which of the following are examples of passive reconnaissance techniques? (Select TWO.)

Select 2 answers
A. Querying certificate transparency logs
B. DNS zone transfer
C. Scanning ports with Nmap
D. Sending phishing emails
E. Performing a WHOIS lookup
Answers: A, E

Certificate logs are public and queried without contacting the target.

Why this answer

Passive reconnaissance involves collecting information without directly interacting with the target's systems. WHOIS lookups and certificate transparency logs are passive. DNS zone transfer and port scanning are active.

Sending phishing emails is social engineering, which is active.

39
Multi-Select · medium

During a penetration test, you need to enumerate SNMP information from network devices. Which of the following tools or commands can be used for SNMP enumeration? (Select TWO.)

Select 2 answers
A. snmpwalk
B. nmap -sU
C. onesixtyone
D. curl
E. snmp-check
Answers: A, C

snmpwalk is used to retrieve a subtree of management values via SNMP.

Why this answer

snmpwalk is a classic tool for walking the SNMP MIB tree, and onesixtyone is a tool for brute-forcing SNMP community strings. nmap can also be used with SNMP scripts, and snmp-check is a separate tool, but snmpwalk and onesixtyone are the direct SNMP enumeration tools among the options.

40
MCQ · hard

A penetration tester is conducting active reconnaissance and wants to perform a SYN scan on a target network. During the scan, the tester notices that some ports are reported as filtered. What does a filtered port status typically indicate in Nmap?

A. The port is closed and the target responded with a RST packet.
B. The port is open but no service is listening.
C. The target is not responding to any probes.
D. A firewall is blocking the probe packets.
Answer: D

Filtered ports typically result from firewall rules dropping or rejecting packets, preventing Nmap from determining the port state.

Why this answer

Filtered ports in Nmap indicate that a firewall, packet filter, or other network obstacle is blocking the probe packets, preventing Nmap from determining whether the port is open or closed.

41
MCQ · hard

A penetration tester is performing internal network scanning and wants to identify live hosts on a local subnet without sending IP packets. Which method is most effective in a switched Ethernet environment?

A. TCP SYN scan to common ports
B. Nmap ping sweep with -sn
C. arp-scan
D. SNMP walk
Answer: C

arp-scan uses ARP (Layer 2) to discover hosts on the local subnet.

Why this answer

In a switched Ethernet environment, ARP (Address Resolution Protocol) operates at Layer 2 and does not require IP packets to discover hosts. The `arp-scan` tool sends ARP requests to the local broadcast MAC address, and live hosts respond with their MAC addresses, making it the most effective method for identifying live hosts without sending IP packets.

Exam trap

The trap here is that candidates often assume Nmap's `-sn` ping sweep is the standard for host discovery, overlooking that it relies on IP-layer packets, whereas ARP operates at Layer 2 and is the only method that avoids IP packets entirely on a local subnet.

How to eliminate wrong answers

Option A is wrong because a TCP SYN scan sends IP packets (TCP segments over IP) to common ports, which violates the requirement of not sending IP packets. Option B is wrong because Nmap's `-sn` ping sweep typically uses ICMP echo requests, TCP SYN to port 443, or ICMP timestamp requests—all of which are IP-based packets. Option D is wrong because an SNMP walk uses UDP/IP packets to query SNMP-enabled devices, requiring IP communication and not suitable for discovering all live hosts on a local subnet without IP packets.

42
MCQ · hard

A penetration tester is conducting a web application assessment and discovers that the target uses WordPress. The tester wants to identify installed plugins, themes, and potential vulnerabilities. Which of the following tools is best suited for this task?

A. WPScan
B. OpenVAS
C. Nikto
D. Gobuster
Answer: A

WPScan is a dedicated WordPress vulnerability scanner.

Why this answer

WPScan is a dedicated WordPress security scanner that enumerates installed plugins, themes, and known vulnerabilities by querying the WordPress API and fingerprinting version-specific files. It is purpose-built for WordPress assessments, making it the best choice for this task.

Exam trap

The trap here is that candidates often confuse Nikto's general web scanning with CMS-specific enumeration, but Nikto cannot identify WordPress plugins or themes without custom rules.

How to eliminate wrong answers

Option B (OpenVAS) is wrong because it is a general-purpose vulnerability scanner that lacks WordPress-specific enumeration capabilities and does not directly identify plugins or themes. Option C (Nikto) is wrong because it is a web server scanner focused on misconfigurations and outdated server software, not on CMS-specific components like WordPress plugins. Option D (Gobuster) is wrong because it is a directory/file brute-forcing tool that does not perform vulnerability scanning or plugin/theme enumeration.

43
MCQ · medium

During a penetration test, the tester discovers that the target web application uses a content delivery network (CDN) that hides the origin server's IP address. Which technique would BEST help identify the true IP address of the backend server?

A. Query certificate transparency logs via crt.sh for the domain
B. Perform a DNS zone transfer against the target's domain
C. Run a full TCP port scan against the domain with Nmap
D. Use Shodan to search for the domain's SSL certificate hash
Answer: A

Correct. Certificate logs can expose the real server IP.

Why this answer

Certificate transparency logs, such as those queried via crt.sh, record SSL/TLS certificates issued for a domain. These certificates often include the origin server's IP address in the Subject Alternative Name (SAN) or other extensions, or they may reveal additional subdomains that point directly to the backend server, bypassing the CDN. This technique is effective because CDNs typically terminate SSL at the edge, but the certificate may still contain the true backend IP in historical or misconfigured entries.

Exam trap

The trap here is that candidates assume Shodan or Nmap scans directly reveal the origin IP, but they fail to recognize that CDNs mask the backend by terminating traffic at the edge, making certificate transparency logs the only reliable passive method to uncover the true server address.

How to eliminate wrong answers

Option B is wrong because DNS zone transfers (AXFR) require explicit server configuration to allow them; modern DNS servers almost always restrict zone transfers to authorized secondary servers, making this technique impractical against a target's domain without prior access. Option C is wrong because running a full TCP port scan against the domain with Nmap will only scan the CDN's edge IP addresses, not the hidden origin server, as the CDN proxies all traffic. Option D is wrong because Shodan searches for a domain's SSL certificate hash will return results for the CDN's edge IPs that serve the certificate, not the origin server's IP, since the certificate is shared across CDN nodes.

44
MCQ · medium

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to discover subdomains and associated email addresses without directly interacting with the target's infrastructure. Which combination of tools and sources would be most effective for this task?

A. Wireshark capturing network traffic
B. Nikto scanning the web server
C. theHarvester with Shodan and Google dorks
D. Nmap with subdomain bruteforce
Answer: C

theHarvester can query Shodan and use Google dorks to gather emails and subdomains passively.

Why this answer

theHarvester is an OSINT tool that can gather emails, subdomains, and other data from public sources like search engines, PGP key servers, and the Shodan database. It performs passive collection. Maltego can also be used but requires more setup.

Shodan and Google dorks are individual searches, but theHarvester automates queries across multiple sources.

45
MCQ · medium

A penetration tester is using Nmap to perform an aggressive scan of a target. Which command combines OS detection, version detection, script scanning, and traceroute?

A. nmap -sV -O target
B. nmap -A target
C. nmap -sC -O target
D. nmap -T4 -sV target
Answer: B

-A enables all aggressive options: OS detection, version detection, script scanning, and traceroute.

Why this answer

The -A flag enables aggressive scanning which includes OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).

46
MCQ · medium

During a penetration test, the tester is using Gobuster to enumerate directories on a web server. Which flag would the tester use to specify a list of file extensions to append to each word in the wordlist for discovering files like 'admin.php' or 'config.bak'?

A. -e
B. -x
C. -w
D. -t
Answer: B

Correct. -x specifies extensions like php, bak, etc.

Why this answer

The -x flag in Gobuster allows specifying extensions to append to each word during directory/file bruteforcing, enabling discovery of files with those extensions.

47
MCQ · easy

A penetration tester is conducting a vulnerability scan on a web server using Nikto. The scan report lists several findings, including a directory listing vulnerability and outdated server headers. Which type of scanner is Nikto?

A. Network port scanner
B. WordPress vulnerability scanner
C. Web server vulnerability scanner
D. General vulnerability scanner
Answer: C

Nikto specifically scans web servers for vulnerabilities.

Why this answer

Nikto is a web server scanner that tests for misconfigurations, outdated software, and common vulnerabilities. Nessus is a general vulnerability scanner, WPScan is for WordPress, and OpenVAS is also a general vulnerability scanner.

48
MCQ · hard

A penetration tester is reviewing SSL/TLS certificate information for a target domain and wants to discover additional subdomains that share the same certificate. Which resource is best for this purpose?

A. crt.sh
B. Shodan
C. Google Dorks
D. Wayback Machine
Answer: A

crt.sh is a certificate transparency search engine that can reveal subdomains via SSL certificates.

Why this answer

Certificate Transparency logs (e.g., crt.sh) allow searching by domain or certificate fingerprint to find all certificates issued for that domain, often revealing subdomains.

49
MCQ · hard

A penetration tester is performing a security assessment of a network that uses SNMP. The tester successfully connects to a device using the community string 'public'. Which tool would the tester MOST likely use to enumerate the entire Management Information Base (MIB) tree to extract system information, running processes, and network interfaces?

A. snmp-check
B. MIB Browser
C. snmpwalk
D. Nmap with snmp-brute script
Answer: C

Correct. snmpwalk is the standard tool for walking the MIB tree.

Why this answer

snmpwalk is the correct tool because it uses SNMP GETNEXT requests to systematically traverse the entire Management Information Base (MIB) tree, retrieving all OID values from a device. Given the tester already has a valid community string ('public'), snmpwalk can extract detailed system information, running processes, and network interfaces without needing to guess or brute-force credentials.

Exam trap

The trap here is that candidates confuse snmp-check with snmpwalk, assuming both perform the same MIB traversal, but snmp-check only queries a fixed set of OIDs while snmpwalk recursively retrieves the entire tree.

How to eliminate wrong answers

Option A is wrong because snmp-check is a passive information-gathering tool that queries specific SNMP OIDs for known vulnerabilities and misconfigurations, but it does not perform a full recursive walk of the entire MIB tree. Option B is wrong because a MIB Browser is a graphical tool for browsing MIB structures, but it is not the most likely command-line tool used in a penetration test for bulk enumeration; snmpwalk is the standard CLI utility for this task. Option D is wrong because Nmap with snmp-brute script is used to brute-force SNMP community strings, not to enumerate the MIB tree after a valid community string is already obtained.

50
MCQ · medium

A penetration tester is using Nmap to perform host discovery on a target network 192.168.1.0/24. The tester wants to identify live hosts without scanning ports. Which Nmap command should be used?

A. nmap -A 192.168.1.0/24
B. nmap -sS 192.168.1.0/24
C. nmap -sV 192.168.1.0/24
D. nmap -sn 192.168.1.0/24
Answer: D

Ping sweep discovers live hosts without port scanning.

Why this answer

Option D is correct because the `-sn` flag in Nmap performs a ping sweep (host discovery) without scanning any ports. It sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default to determine which hosts are alive on the 192.168.1.0/24 network, making it the ideal choice for identifying live hosts without port scanning.

Exam trap

The trap here is that candidates often confuse `-sn` with `-sS` or `-A`, mistakenly thinking that a stealth scan or aggressive scan is needed for host discovery, when in fact `-sn` is the dedicated, port-free host discovery option.

How to eliminate wrong answers

Option A is wrong because `-A` enables aggressive scanning, which includes OS detection, version detection, script scanning, and traceroute — all of which involve port scanning and are not limited to host discovery. Option B is wrong because `-sS` performs a TCP SYN stealth scan, which scans ports on each host to determine their state, not just host discovery. Option C is wrong because `-sV` performs version detection on open ports, which requires an initial port scan and thus does not meet the requirement of identifying live hosts without scanning ports.

51
MCQ · easy

During the information gathering phase, a penetration tester wants to discover subdomains of a target domain using DNS queries and potentially brute-forcing common subdomain names. Which of the following tools is specifically designed for subdomain enumeration and can perform both passive and active techniques?

A. Nmap
B. dirsearch
C. Gobuster
D. Amass
Answer: D

Amass is a subdomain enumeration tool that integrates passive sources and active techniques.

Why this answer

Amass is a tool that performs subdomain enumeration using passive sources and active brute-forcing. Gobuster and dirsearch are for directory/file enumeration. Nmap is for port scanning.

52
MCQ · hard

A penetration tester has discovered a web application that appears to be built with WordPress. The tester wants to identify installed plugins, themes, and potential vulnerabilities without triggering intrusion detection systems. Which tool is BEST suited for this task?

A. OpenVAS
B. Nikto
C. WPScan
D. Gobuster
Answer: C

Correct. It is purpose-built for WordPress security assessment.

Why this answer

WPScan is a dedicated WordPress vulnerability scanner that can enumerate plugins, themes, users, and known vulnerabilities. It can be configured to use passive methods or throttle requests to avoid detection.

53
MCQ · hard

A penetration tester uses Shodan to find internet-facing devices belonging to a target company. Which of the following Shodan search filters would most effectively identify devices with a specific organization name?

A. hostname:company.com
B. ssl:company.com
C. org:CompanyName
D. net:192.168.0.0/16
Answer: C

The org filter directly searches by organization name as identified by Shodan's data.

Why this answer

The 'org' filter in Shodan allows searching by organization name, which is the most direct way to find devices associated with a company.

54
MCQ · medium

A penetration tester is using theHarvester to gather email addresses associated with a target domain. The tool returns several email addresses. What is the primary limitation of using theHarvester for this purpose?

A. It requires authentication to the target's mail server
B. It only searches Google
C. It only finds publicly available email addresses
D. It cannot find subdomains
Answer: C

theHarvester collects from public sources, so internal emails are not found.

Why this answer

theHarvester collects data from public sources, so its results are limited to what is publicly available. It may miss internal email addresses and can include outdated information. It does not require authentication, and it is not limited to Google only.

55
MCQ · hard

A penetration tester is assessing a web application and wants to identify hidden parameters that the application accepts. Which tool is specifically designed for parameter discovery?

A. WPScan
B. Arjun
C. Nikto
D. Gobuster
Answer: B

Arjun is designed to find hidden GET and POST parameters by fuzzing and analyzing responses.

Why this answer

Arjun is a tool for discovering HTTP parameters by brute-forcing common parameter names and analyzing responses for changes, making it suitable for parameter discovery.

56
MCQ · easy

A penetration tester is conducting passive reconnaissance and wants to find historical snapshots of a target website to identify past vulnerabilities or hidden endpoints. Which online service should the tester use?

A. Shodan
B. Censys
C. Wayback Machine
D. Pastebin
Answer: C

Correct. It provides historical website snapshots.

Why this answer

The Wayback Machine (archive.org) is the correct choice because it archives historical snapshots of websites, allowing a penetration tester to review past versions of a target site to identify previously exposed vulnerabilities, hidden endpoints, or outdated configurations. This aligns with passive reconnaissance, as the tester does not interact directly with the live target.

Exam trap

The trap here is that candidates may confuse passive reconnaissance tools like Shodan or Censys (which focus on live infrastructure) with the Wayback Machine, which is specifically designed for historical web content retrieval.

How to eliminate wrong answers

Option A is wrong because Shodan is a search engine for internet-connected devices and services (e.g., open ports, banners), not for historical website snapshots. Option B is wrong because Censys is a platform for discovering and analyzing internet-connected hosts and certificates, not for retrieving archived web pages. Option D is wrong because Pastebin is a text-sharing service often used for leaked data or code snippets, not for storing historical snapshots of entire websites.

57
MCQ · hard

During a penetration test, you find a web application that uses JavaScript to make API calls. You want to discover hidden API endpoints and potential secrets (e.g., API keys) embedded in the client-side code. Which approach is most appropriate?

A. Download and analyze the JavaScript files
B. Perform a DNS zone transfer
C. Run a Nikto scan against the application
D. Use theHarvester to search for API endpoints
Answer: A

JavaScript analysis can reveal endpoints and secrets hardcoded in the code.

Why this answer

Option A is correct because JavaScript files in client-side web applications often contain hardcoded API endpoints, API keys, and other secrets that developers inadvertently leave in the source code. By downloading and analyzing these files (e.g., via browser developer tools or wget), you can discover hidden endpoints and sensitive tokens that are not exposed in the HTML or network traffic alone.

Exam trap

The trap here is that candidates may confuse information gathering techniques (e.g., DNS zone transfer or OSINT) with client-side code analysis, assuming that API endpoints must be found through network scanning rather than by examining the application's own source code.

How to eliminate wrong answers

Option B is wrong because DNS zone transfer is a network-level technique used to enumerate DNS records (e.g., subdomains) from a DNS server, not to extract API endpoints or secrets from client-side code. Option C is wrong because Nikto is a web server vulnerability scanner that checks for known vulnerabilities and misconfigurations, but it does not parse JavaScript files to find hidden API endpoints or embedded secrets. Option D is wrong because theHarvester is an OSINT tool designed to gather emails, subdomains, and other public information from search engines and PGP servers, not to analyze client-side JavaScript for API endpoints or secrets.

58
Multi-Select · hard

During an active reconnaissance phase, a penetration tester runs Nmap against a target and obtains the following results: Host is up, ports 22, 80, and 443 are open. The tester then runs a vulnerability scan using Nessus with unauthenticated credentials. Which THREE of the following issues should the tester be most concerned about regarding the accuracy and completeness of the Nessus scan results?

Select 3 answers
A. The Nmap results may have false positives for open ports
B. Nessus will only scan the top 1000 ports by default, potentially missing services on higher ports
C. Nessus might miss vulnerabilities that require authenticated access to detect
D. The vulnerability scan might not detect vulnerabilities in services not identified by Nmap
E. Nessus may produce false positives due to banner grabbing and version detection errors
Answers: C, D, E

Unauthenticated scans cannot check configuration issues or patch levels that require credentials.

Why this answer

Unauthenticated scans often miss vulnerabilities that require authentication, may produce false positives because of banner-based detection, and may not detect certain services that rely on authenticated checks. Nmap results are typically accurate for open ports. Missing open ports because of a firewall is possible, but less likely with an Nmap SYN scan.

59
MCQ · easy

Which of the following tools would best assist a penetration tester in identifying known vulnerabilities in a WordPress installation?

A. OpenVAS
B. WPScan
C. Nessus
D. Nikto
Answer: B

WPScan is designed specifically for WordPress security assessments.

Why this answer

WPScan is specifically designed to enumerate and identify vulnerabilities in WordPress installations, including outdated plugins, themes, and core files. It uses a comprehensive database of WordPress CVEs and security issues, making it the most targeted tool for this task.

Exam trap

The trap here is that candidates often choose a general-purpose vulnerability scanner like Nessus or OpenVAS because they are familiar with them, but the question specifically asks for the best tool to identify known vulnerabilities in a WordPress installation, which requires a specialized scanner like WPScan.

How to eliminate wrong answers

Option A (OpenVAS) is wrong because it is a general-purpose vulnerability scanner that covers a wide range of systems and services, but it lacks the specialized WordPress-focused checks and plugin/theme enumeration that WPScan provides. Option C (Nessus) is wrong because, while it can detect some WordPress vulnerabilities, it is a broad-scope scanner that does not offer the deep, WordPress-specific fingerprinting and database of known vulnerabilities that WPScan does. Option D (Nikto) is wrong because it is a web server scanner that checks for common misconfigurations and outdated server software, but it does not perform the detailed WordPress core, plugin, and theme version analysis that WPScan excels at.

60
MCQ · hard

A penetration tester is performing active reconnaissance on a target network and wants to enumerate SNMP devices to gather system information. The tester uses snmpwalk with a common community string. Which community string is most likely to provide read-write access if misconfigured?

A. private
B. public
C. internal
D. manager
Answer: A

'private' is the default read-write community string.

Why this answer

SNMP community strings are like passwords. 'public' is the default read-only community string, 'private' is the default read-write community string. 'internal' and 'manager' are less common defaults. The tester should try 'private' for potential read-write access.

61
MCQ · medium

During a penetration test, the tester performs a SYN scan with Nmap on a target network. The results show that port 443 is open on a web server. The tester then runs a service version detection scan and discovers the server is running Apache 2.4.41. Which Nmap flags were used in sequence?

A. nmap -A then nmap -O
B. nmap -sS then nmap -sV
C. nmap -sV then nmap -sS
D. nmap -sS then nmap -sC
Answer: B

-sS performs SYN scan, -sV detects service versions.

Why this answer

The tester first performed a SYN scan with -sS to identify open ports, then used -sV for service version detection. -sC runs default scripts, -O is for OS detection, and -A enables aggressive scanning (includes OS detection, version detection, script scanning, and traceroute).

62
MCQ · medium

During a penetration test, a tester discovers a web application that uses JavaScript to load API endpoints dynamically. Which technique would be most effective for discovering hidden API endpoints?

A. Analyzing JavaScript files for API endpoints
B. Performing a DNS zone transfer
C. Running a Nikto scan
D. Using Nmap to scan for open ports and services
Answer: A

JavaScript files often contain API URLs, parameters, and authentication tokens that can be discovered through static analysis or runtime inspection.

Why this answer

JavaScript analysis involves inspecting JavaScript files for hardcoded API endpoints, secrets, and other useful information, making it effective for discovering hidden API endpoints.

63
MCQ · easy

Which of the following tools is most commonly used for passive reconnaissance by querying certificate transparency logs to discover subdomains?

A. crt.sh
B. Censys
C. theHarvester
D. Shodan
Answer: A

crt.sh is a website and API that queries certificate transparency logs, making it a primary tool for passive subdomain discovery via certificates.

Why this answer

crt.sh is a certificate transparency log search tool that can be used to find subdomains by querying SSL/TLS certificates issued for a domain.

64
Multi-Select · medium

A penetration tester is performing active reconnaissance on a target web application. Which TWO tools are specifically designed for directory and file enumeration? (Select TWO.)

Select 2 answers
A. Wappalyzer
B. Feroxbuster
C. Nmap
D. Gobuster
E. WhatWeb
Answers: B, D

Feroxbuster is a fast, recursive directory brute-forcing tool.

Why this answer

Gobuster and Feroxbuster are both tools specifically designed for directory and file brute-forcing on web servers.

65
MCQ · medium

A penetration tester is tasked with performing active reconnaissance on an internal network. The tester wants to identify live hosts and their open ports efficiently while minimizing noise. Which Nmap scan type should be used first to quickly discover which hosts are online?

A. nmap -sS -sV 192.168.1.0/24
B. nmap -A 192.168.1.0/24
C. nmap -sn 192.168.1.0/24
D. nmap -sT 192.168.1.0/24
Answer: C

Correct. Ping sweep quickly identifies live hosts.

Why this answer

Option C is correct because the `-sn` flag (ping scan) sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default to determine if hosts are online without performing port scans. This minimizes network noise and quickly identifies live hosts on the subnet, which is the first step in active reconnaissance before deeper scanning.

Exam trap

The trap here is that candidates often choose a full port scan (like `-sS` or `-sT`) for host discovery, not realizing that `-sn` is the dedicated, low-noise method for identifying live hosts without scanning ports.

How to eliminate wrong answers

Option A is wrong because `-sS` (SYN stealth scan) combined with `-sV` (version detection) performs a full port scan and service fingerprinting on every host, generating excessive traffic and noise for initial host discovery. Option B is wrong because `-A` enables aggressive scanning (OS detection, version detection, script scanning, traceroute), which is heavy and inappropriate for a quick live-host discovery phase. Option D is wrong because `-sT` (TCP connect scan) completes the full three-way handshake for each port, creating more noise and connection logs than a simple ping sweep.

66
MCQ · medium

You are performing a vulnerability scan on an internal network using an authenticated scanner. Which of the following is a primary benefit of authenticated scanning compared to unauthenticated scanning?

A. It eliminates false positives entirely
B. It reduces network traffic
C. It provides more accurate identification of vulnerabilities that require credentials
D. It avoids detection by intrusion detection systems
Answer: C

With valid credentials, the scanner can log in and assess the system more thoroughly.

Why this answer

Authenticated scanning provides deeper insight by checking for missing patches, misconfigurations, and vulnerabilities that require valid credentials to detect, such as local privilege escalation issues.

67
MCQ · medium

A penetration tester is performing active reconnaissance on a web application and wants to discover hidden directories and files. Which tool would be most effective for brute-forcing directory names based on a wordlist?

A. Gobuster
B. Nikto
C. theHarvester
D. WPScan
Answer: A

Gobuster is designed for directory/file brute-forcing with wordlists.

Why this answer

Gobuster is a tool used for directory/file brute-forcing using wordlists. Dirb is similar but older; Gobuster is more modern and flexible.

68
Multi-Select · medium

A penetration tester is performing host discovery on a subnet. Which TWO of the following Nmap options can be used to discover live hosts?

Select 2 answers
A. -sn
B. -O
C. -sP
D. -sV
E. -sS
Answers: A, C

-sn is the ping sweep flag for host discovery.

Why this answer

Both -sn (ping sweep) and -sP (older alias for ping sweep) perform host discovery without port scanning. -sS and -sV are for port scanning and version detection respectively, not host discovery.

69
MCQ · medium

A penetration tester is performing DNS reconnaissance and wants to enumerate all subdomains of a target domain by querying DNS servers in an attempt to transfer the entire zone file. Which technique is the tester using?

A. DNS zone transfer
B. DNS reverse lookup
C. DNS cache snooping
D. DNS tunneling
Answer: A

Zone transfer requests the entire zone file, revealing all DNS records.

Why this answer

DNS zone transfer (AXFR) is a mechanism that allows a secondary DNS server to replicate the entire zone file from a primary server. If misconfigured, anyone can request it.

70
MCQ · medium

A penetration tester is using Nmap to identify the operating system of a target host. Which Nmap option should be used to enable OS detection?

A. -sV
B. -O
C. -sC
D. -A
Answer: B

-O enables OS detection.

Why this answer

The -O option enables OS detection in Nmap.

71
MCQ · hard

A tester is performing DNS enumeration on a domain and wants to attempt a zone transfer. Which DNS record type is primarily used for zone transfers?

A. SOA
B. AXFR
C. NS
D. PTR
Answer: B

AXFR is the record type used for full zone transfers.

Why this answer

Zone transfers use the AXFR (Authoritative Transfer) record type to replicate DNS data between servers.

72
MCQ · medium

A penetration tester wants to perform a directory brute-force attack against a web server to discover hidden files and directories. Which tool is best suited for this task?

A. WPScan
B. Nikto
C. Gobuster
D. Nmap
Answer: C

Gobuster is designed for directory, file, and DNS subdomain brute-forcing with support for various modes.

Why this answer

Gobuster is a popular tool for directory and file brute-forcing using wordlists, making it ideal for discovering hidden resources on web servers.

73
MCQ · hard

A penetration tester is analyzing the output of a Nessus vulnerability scan and notices a critical vulnerability reported against a web server that is actually a false positive due to outdated plugin data. What is the best course of action for the tester?

A. Accept the finding as accurate and include it in the report
B. Remove the finding from the report entirely
C. Manually verify the vulnerability by testing it
D. Ignore the finding because it's a false positive
Answer: C

Manual verification confirms if the vulnerability exists.

Why this answer

Option C is correct because a false positive due to outdated plugin data must be manually verified before any action is taken. The tester should use a tool like `curl` or a browser to send the exact request that Nessus simulated (e.g., an HTTP GET to a specific endpoint) and inspect the response headers or body to confirm whether the vulnerability actually exists. Only after manual validation can the tester decide to include, exclude, or note the finding in the report.

Exam trap

The trap here is that candidates may think a false positive should be removed or ignored outright, but the correct approach is to manually verify the finding to ensure the vulnerability is truly absent before making any reporting decision.

How to eliminate wrong answers

Option A is wrong because blindly accepting a known false positive would introduce inaccurate risk into the report, potentially causing unnecessary remediation efforts. Option B is wrong because removing the finding entirely without documentation violates reporting integrity; the tester should note the false positive and the manual verification steps taken. Option D is wrong because ignoring the finding without verification could miss a real vulnerability if the plugin data was outdated but the vulnerability still exists in a different form.

74
MCQ · medium

A tester wants to identify the technologies used by a web application before conducting a deeper assessment. Which tool would be most appropriate for passive technology fingerprinting?

A. Nmap
B. Wappalyzer
C. OpenVAS
D. Nikto
Answer: B

Wappalyzer passively identifies technologies from HTTP responses and page content.

Why this answer

Wappalyzer is a browser extension or online tool that identifies web technologies (CMS, frameworks, analytics) by analyzing page content and headers without sending probes.

75
MCQ · medium

During a penetration test, the tester wants to discover publicly exposed IoT devices related to the target organization. Which OSINT tool is specifically designed for searching devices connected to the internet?

A. Censys
B. Shodan
C. Maltego
D. theHarvester
Answer: B

Shodan specializes in internet-connected device discovery.

Why this answer

Shodan is a search engine that indexes banners from internet-connected devices, including IoT, webcams, routers, and industrial control systems.
