
Information Gathering and Vulnerability Scanning practice questions

Practise CompTIA PenTest+ PT0-002 Information Gathering and Vulnerability Scanning practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Information Gathering and Vulnerability Scanning

What the exam tests

What to know about Information Gathering and Vulnerability Scanning

Information Gathering and Vulnerability Scanning questions test whether you can apply the concept in context, not just recognise a definition. In particular, they test:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Information Gathering and Vulnerability Scanning exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Information Gathering and Vulnerability Scanning questions

20 questions · select your answer, then reveal the explanation

During a penetration test, you need to gather information about a target's email addresses and employee names without directly interacting with the target's systems. Which tool is most appropriate for this passive reconnaissance task?

You are performing a vulnerability scan on a web application and notice that the scanner reports a high-severity SQL injection vulnerability. However, manual testing confirms that the input is properly sanitized. Which term best describes this situation?

Which Nmap scan type sends SYN packets to determine open ports without completing the TCP three-way handshake?

You are conducting a penetration test and need to identify subdomains of a target domain using a passive approach that does not generate traffic to the target's servers. Which technique should you use?

During a penetration test, you want to discover API endpoints and hidden parameters in a web application. Which tool combination is most effective for this task?

Which tool is specifically designed for scanning WordPress websites to detect vulnerabilities, such as outdated plugins, themes, and weak passwords?

Question 7 · medium · multiple choice

You are performing a network scan and need to identify live hosts on a subnet without triggering firewalls that block ICMP. Which technique should you use?

During a penetration test, you find a web application that uses JavaScript to make API calls. You want to discover hidden API endpoints and potential secrets (e.g., API keys) embedded in the client-side code. Which approach is most appropriate?

In the context of OSINT, which resource would you use to find historical versions of a company's website that may reveal outdated information or hidden directories?

You are performing a vulnerability scan on an internal network using an authenticated scanner. Which of the following is a primary benefit of authenticated scanning compared to unauthenticated scanning?

During a penetration test, you want to perform a stealthy port scan that minimizes the chance of being logged by the target. Which Nmap option should you use?

You are tasked with identifying the technologies used by a web application (e.g., web server, frameworks, libraries) during the reconnaissance phase. Which tool would you use?

You are conducting passive reconnaissance on a target organization. Which of the following are examples of passive reconnaissance techniques? (Select TWO.)

During a penetration test, you need to enumerate SNMP information from network devices. Which of the following tools or commands can be used for SNMP enumeration? (Select TWO.)

You are performing reconnaissance on a target's web application. Which of the following techniques can be used to discover hidden directories and files? (Select THREE.)

A penetration tester is performing passive reconnaissance on a target organization. Which of the following tools would be BEST suited to gather information about the organization's domain names, email addresses, and subdomains from publicly available sources without directly interacting with the target's systems?

Question 17 · easy · multiple choice

During the information gathering phase, a penetration tester wants to discover subdomains of a target domain using DNS queries and potentially brute-forcing common subdomain names. Which of the following tools is specifically designed for subdomain enumeration and can perform both passive and active techniques?

A penetration tester is conducting active reconnaissance on a target network and wants to perform a SYN scan to identify open ports without completing the full TCP handshake. Which Nmap flag should the tester use?

Question 19 · medium · multiple choice

After gaining initial access to an internal network, a penetration tester wants to identify live hosts on a subnet without generating excessive traffic. Which Nmap command would be most appropriate for host discovery using ICMP echo requests and TCP SYN to port 80?

A penetration tester is performing web application reconnaissance and wants to discover API endpoints and hidden parameters that may not be linked from the main application. Which technique would be most effective for this purpose?


Focused Information Gathering and Vulnerability Scanning sessions

Start an Information Gathering and Vulnerability Scanning only practice session

Every question in these sessions is drawn from the Information Gathering and Vulnerability Scanning domain — nothing else.


Frequently asked questions

What does the PT0-002 exam test about Information Gathering and Vulnerability Scanning?
Information Gathering and Vulnerability Scanning questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Information Gathering and Vulnerability Scanning questions in a focused session?
Yes — the session launcher on this page draws every question from the Information Gathering and Vulnerability Scanning domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PT0-002 topics?
Use the topic links above to move to related areas, or go back to the PT0-002 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PT0-002 exam covers. They are not copied from any real exam or dump site.