CCNA Footprinting, Reconnaissance and Scanning Questions

75 of 155 questions · Page 1/3 · Footprinting, Reconnaissance and Scanning · Answers revealed

1. MCQ · hard

During a vulnerability scan using Nessus, a security analyst discovers that the target host shows a 'High' severity vulnerability for 'SSL/TLS Renegotiation DoS'. What does this vulnerability indicate?

A. The server does not validate SSL certificates
B. The server supports SSLv2
C. The server allows weak cipher suites
D. An attacker can force the server to renegotiate TLS handshakes repeatedly, causing resource exhaustion
Answer: D

This is the definition of the SSL/TLS Renegotiation DoS vulnerability.

Why this answer

Option D is correct because the SSL/TLS Renegotiation DoS vulnerability (CVE-2011-1473) occurs when a server supports TLS renegotiation without proper rate limiting. An attacker can open multiple connections and repeatedly request renegotiation, causing the server to consume excessive CPU resources for cryptographic handshake calculations, effectively leading to a denial of service. Nessus flags this as 'High' severity because it can exhaust server resources even with a single attacker.

Exam trap

The trap here is that candidates often confuse this DoS vulnerability with weak cipher suites or protocol version issues, but the core distinction is that renegotiation DoS is about resource exhaustion from repeated handshakes, not about encryption strength or certificate trust.

How to eliminate wrong answers

Option A is wrong because the vulnerability is about renegotiation resource exhaustion, not certificate validation; certificate validation issues are typically flagged as 'SSL Certificate Cannot Be Trusted' or 'Self-Signed Certificate' vulnerabilities. Option B is wrong because SSLv2 support is a separate vulnerability (e.g., 'SSLv2 Protocol Detection') related to weak protocol versions, not renegotiation attacks; SSLv2 was deprecated due to cipher suite weaknesses, not renegotiation DoS. Option C is wrong because weak cipher suites (e.g., RC4, DES, or export-grade ciphers) are flagged under 'SSL Weak Cipher Suites' vulnerabilities, which concern encryption strength, not the renegotiation handshake process that causes CPU exhaustion.

2. MCQ · medium

During a penetration test, the tester uses a tool that queries search engines with specific operators to find sensitive information such as login pages, exposed directories, and file types. Which tool or technique is being used?

A. Shodan
B. theHarvester
C. Google dorking
D. DNS zone transfer
Answer: C

Google dorking uses operators like site:, filetype:, intitle: to find sensitive data.

Why this answer

Google dorking (also known as Google hacking) uses advanced search operators (e.g., intitle:, filetype:, inurl:) to uncover sensitive information indexed by search engines, such as login pages, exposed directories, and specific file types. This technique directly matches the description of querying search engines with operators to find hidden or sensitive data.

Exam trap

The trap here is that candidates often confuse Google dorking with Shodan, because both involve search engines, but Shodan searches for devices and services (e.g., open ports, banners) rather than web content indexed by Google's crawlers.

How to eliminate wrong answers

Option A is wrong because Shodan is a search engine for internet-connected devices (e.g., IoT, servers, webcams) and does not use search engine operators to find login pages or file types within web content. Option B is wrong because theHarvester is a tool for gathering email addresses, subdomains, and names from public sources (e.g., search engines, PGP key servers), but it does not focus on querying with operators to find login pages or exposed directories. Option D is wrong because DNS zone transfer is a technique to request all DNS records from a nameserver (using AXFR/IXFR queries), not a search engine query method for sensitive web content.

3. MCQ · easy

Which of the following techniques involves sending crafted packets to a target to elicit responses that reveal the operating system?

A. Passive OS fingerprinting
B. Banner grabbing
C. DNS enumeration
D. Active OS fingerprinting
Answer: D

Active fingerprinting sends probes to infer the OS.

Why this answer

Active OS fingerprinting involves sending crafted packets (e.g., TCP SYN, FIN, or ICMP probes) to a target and analyzing the responses to deduce the operating system. Unlike passive methods, it actively interacts with the target, leveraging subtle differences in how various OSes implement TCP/IP stack behaviors (e.g., initial TTL values, window sizes, or TCP option ordering). This technique is commonly used by tools like Nmap with its `-O` flag.

Exam trap

The trap here is that candidates often confuse 'active OS fingerprinting' with 'banner grabbing' because both involve sending packets, but banner grabbing targets application-layer banners (e.g., HTTP, FTP) and not the OS-level TCP/IP stack responses that fingerprinting analyzes.

How to eliminate wrong answers

Option A is wrong because passive OS fingerprinting does not send any packets; it only sniffs network traffic to infer the OS from observed packet characteristics (e.g., TTL, DF flag), avoiding direct interaction. Option B is wrong because banner grabbing retrieves application-layer service banners (e.g., HTTP Server header) to identify software versions, not the underlying OS, and it relies on application responses rather than network stack behavior. Option C is wrong because DNS enumeration queries DNS servers for records (e.g., A, MX, NS) to map a domain's infrastructure, not to determine the operating system of a host.

4. MCQ · medium

A security analyst is conducting a vulnerability scan on a web server using Nessus. After the scan, they notice that the server's performance has degraded significantly, and some services have become unresponsive. Which of the following actions could have prevented this issue?

A. Increase the scan intensity to complete faster and reduce the load
B. Configure Nessus to use a 'safe' scan policy that disables disruptive plugins
C. Use a different scanner like OpenVAS which is less intrusive
D. Run the scan during peak hours to blend in with normal traffic
Answer: B

Safe checks in Nessus avoid plugins known to cause denial of service or system crashes.

Why this answer

Option B is correct because Nessus 'safe' scan policies disable plugins known to cause service disruption, such as those performing denial-of-service tests or exploiting vulnerabilities that may crash services. By using a safe policy, the analyst avoids aggressive checks that can degrade server performance or cause unresponsiveness, which is a common risk during vulnerability scanning.

Exam trap

The trap here is that candidates may think using a different scanner (Option C) or adjusting timing (Option D) solves the problem, but the core issue is the use of disruptive plugins, which is directly controlled by the scan policy, not the scanner brand or schedule.

How to eliminate wrong answers

Option A is wrong because increasing scan intensity (e.g., using more concurrent threads or faster timing) actually increases the load on the target, worsening performance degradation and service unresponsiveness. Option C is wrong because OpenVAS is not inherently less intrusive; it also includes aggressive plugins that can disrupt services, and the issue is about scan policy, not the scanner brand. Option D is wrong because running the scan during peak hours increases the risk of impacting production traffic and does not prevent disruptive plugins from causing service issues; it may even amplify the impact on users.

5. MCQ · medium

A security analyst runs the following command: `hping3 -S -p 80 -c 1 192.168.1.1`. The response received is an RST/ACK packet. What does this indicate about port 80 on the target?

A. The port is open and listening
B. The port is filtered by a firewall
C. The port is closed
D. The port is in a TIME_WAIT state
Answer: C

RST/ACK indicates the port is closed.

Why this answer

Option C is correct because when hping3 sends a SYN packet to a closed port, the target responds with an RST/ACK packet per TCP RFC 793. This indicates that the port is reachable but no service is listening on it, hence the immediate reset.

Exam trap

The trap here is that candidates often confuse an RST/ACK response with a filtered port or assume it indicates a firewall blocking the port, but in TCP, a closed port actively sends RST/ACK, whereas a firewall typically drops the packet silently.

How to eliminate wrong answers

Option A is wrong because an open port would respond with a SYN/ACK, not an RST/ACK. Option B is wrong because a filtered port would typically drop the packet silently or respond with an ICMP unreachable message, not a TCP RST/ACK. Option D is wrong because TIME_WAIT is a local TCP state on the client side after a connection closes, not a response from a remote port to a SYN probe.

6. Multi-Select · hard

Which THREE of the following are valid Nmap flags that can be used to evade detection by an IDS? (Select exactly 3.)

Select 3 answers
A. -O
B. -D
C. -f
D. -sS
E. --data-length
Answers: B, C, E

Decoy scan hides the real source among multiple IPs.

Why this answer

Option B (-D) is correct because the decoy scan flag allows you to spoof multiple source IP addresses, making it difficult for an IDS to distinguish the real scanning host from the decoys. This technique floods the target with scan traffic from many IPs, obscuring the true origin and evading detection.

Exam trap

EC-Council often tests the misconception that -sS is an evasion technique, but it is actually a stealth scan that reduces connection logging, not IDS evasion; the real evasion flags are those that alter packet structure or source identity.

7. MCQ · hard

A penetration tester uses the following Google dork: `intitle:"index of" "backup" site:example.com`. What is the MOST likely goal of this search?

A. Locate open directories that might contain sensitive files
B. Discover email addresses associated with the domain
C. Find login pages of the target domain
D. Identify subdomains of example.com
Answer: A

The dork targets directory listings (index of) with backup files, a common source of sensitive information.

Why this answer

The Google dork `intitle:"index of" "backup" site:example.com` targets web servers that have directory listing enabled (indicated by the page title containing 'index of') and that contain a folder or file named 'backup'. This is a classic reconnaissance technique to find open directories where backup files (e.g., database dumps, configuration files) may be inadvertently exposed, potentially containing sensitive data such as credentials or proprietary information.

Exam trap

The trap here is that candidates often confuse the purpose of Google dorks, thinking 'index of' always reveals login pages or subdomains, when in fact it specifically identifies directories with listing enabled, and the 'backup' keyword pinpoints potentially sensitive data exposure.

How to eliminate wrong answers

Option B is wrong because discovering email addresses typically uses dorks like `intext:"@example.com"` or `site:example.com intitle:"contact"`, not directory listing indicators. Option C is wrong because finding login pages usually involves dorks such as `inurl:login` or `inurl:admin`, not the 'index of' and 'backup' keywords. Option D is wrong because identifying subdomains is better achieved with dorks like `site:*.example.com` or tools like Sublist3r, not by searching for directory listings containing 'backup'.

8. MCQ · medium

An analyst runs the following command: `dnsenum --enum example.com`. Which of the following actions is dnsenum performing?

A. Attempts a zone transfer and brute-forces subdomains
B. Scans for open ports on the DNS server
C. Queries the DNS server for its version information
D. Performs a reverse DNS lookup to find PTR records for the IP range
Answer: A

dnsenum's --enum option attempts a zone transfer and then brute-forces subdomains using a wordlist.

Why this answer

The `dnsenum` tool is designed for DNS enumeration, and its `--enum` flag performs a comprehensive scan that includes attempting a zone transfer (AXFR query) to retrieve all DNS records from the nameserver, and if that fails, it brute-forces subdomains using a wordlist. This matches option A exactly.

Exam trap

The trap here is that candidates confuse `dnsenum` with other DNS tools like `nslookup` or `dig`, assuming it only performs simple queries, when in fact its `--enum` mode specifically targets zone transfers and subdomain brute-forcing.

How to eliminate wrong answers

Option B is wrong because `dnsenum` does not perform port scanning; that is the role of tools like Nmap or Masscan. Option C is wrong because querying the DNS server for its version information is typically done with `dig chaos TXT VERSION.BIND` or `fpdns`, not `dnsenum`. Option D is wrong because reverse DNS lookups for PTR records are not a primary function of `dnsenum`; that is better suited for tools like `dnsrecon` with specific flags or `nslookup` in reverse mode.

9. MCQ · easy

Which of the following tools is specifically designed to search the internet for exposed devices and services, such as industrial control systems and webcams, using banners and metadata?

A. Maltego
B. Nmap
C. Shodan
D. Google
Answer: C

Shodan is specifically designed to search for internet-connected devices and services by their banners.

Why this answer

Shodan is a search engine specifically designed to scan the internet for exposed devices and services by collecting banners and metadata from protocols such as HTTP, SSH, FTP, and SNMP. Unlike general-purpose search engines, Shodan indexes device-specific information, making it ideal for discovering industrial control systems (ICS), webcams, and other IoT devices that respond to network probes.

Exam trap

The trap here is that candidates confuse Shodan with a general-purpose search engine like Google or a network mapping tool like Nmap, failing to recognize that Shodan is purpose-built for indexing device banners and metadata from internet-connected systems.

How to eliminate wrong answers

Option A is wrong because Maltego is a graphical link analysis tool used for open-source intelligence (OSINT) and relationship mapping, not for scanning the internet for exposed devices via banners. Option B is wrong because Nmap is a network scanning tool used to discover hosts and services on a local or remote network, but it does not maintain a global searchable index of internet-connected devices. Option D is wrong because Google is a general-purpose web search engine that indexes web pages and content, not device banners or metadata from non-HTTP services like industrial control protocols.

10. MCQ · medium

A security analyst receives an alert that an external IP address is sending fragmented packets to the company's web server on port 80. The analyst suspects the attacker is using Nmap with fragmentation. Which Nmap flag is being used to fragment the probe packets?

A. -sI
B. -D
C. --mtu
D. -f
Answer: D

-f is the fragmentation flag.

Why this answer

The -f flag in Nmap instructs the tool to fragment the probe packets into 8-byte or smaller fragments, making it harder for packet filters and intrusion detection systems to detect the scan. This matches the scenario where fragmented packets are sent to the web server on port 80, confirming that -f is the correct flag.

Exam trap

EC-Council often tests the distinction between -f (fragmentation) and --mtu (custom MTU size), leading candidates to mistakenly choose --mtu because they associate it with packet size changes, but only -f triggers fragmentation by default.

How to eliminate wrong answers

Option A is wrong because -sI is the Nmap flag for an Idle (zombie) scan, which spoofs the source IP address using a zombie host, not fragmenting packets. Option B is wrong because -D is used for decoy scans, which sends packets from multiple spoofed IP addresses to obscure the real source, not fragmenting the packets. Option C is wrong because --mtu sets a custom Maximum Transmission Unit size for packets, but it does not inherently fragment packets; fragmentation is achieved with -f, and --mtu is used to specify a different fragment size when combined with -f.

11. MCQ · easy

Which of the following is an example of passive OS fingerprinting?

A. Performing a TCP SYN scan
B. Nmap -O scan
C. Sending ICMP echo requests
D. Analyzing TTL values from captured packets
Answer: D

TTL can indicate OS type passively.

Why this answer

Passive OS fingerprinting involves analyzing captured network traffic without sending any packets to the target. Examining TTL (Time to Live) values from captured packets is a classic passive technique because different operating systems use default initial TTL values (e.g., Windows uses 128, Linux uses 64, Cisco IOS uses 255), and by observing the TTL in a received packet, you can infer the OS without actively probing the host.

Exam trap

EC-Council often tests the distinction between active and passive techniques, and the trap here is that candidates confuse 'analyzing captured data' (passive) with 'sending probes and analyzing responses' (active), leading them to pick options like Nmap -O scan or TCP SYN scan.

How to eliminate wrong answers

Option A is wrong because a TCP SYN scan actively sends SYN packets to the target and analyzes responses, which is an active fingerprinting technique. Option B is wrong because Nmap -O scan actively sends a series of crafted probes (e.g., TCP, UDP, ICMP) and analyzes responses to determine the OS, making it an active method. Option C is wrong because sending ICMP echo requests actively probes the target and analyzes replies (e.g., TTL, DF bit, ICMP error handling), which is active fingerprinting, not passive.
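The TTL heuristic described in question 11, carried through as an added example (this code is not part of the question bank). It assumes only the default initial TTLs the explanation lists (Linux 64, Windows 128, Cisco IOS 255), picks the smallest default that is at least the observed value, and reports the implied hop count; the sample capture lines are constructed in tcpdump -v style and the regex and function names are this example's own.

```python
import re
from typing import Dict, NamedTuple, Optional

# Default initial TTLs stated in the explanation above (assumption: no other
# OS families are considered; real fingerprinting uses more signals).
DEFAULT_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Cisco IOS / network device"}


class TtlGuess(NamedTuple):
    initial_ttl: int   # default TTL the sender most likely started with
    os_family: str     # OS family associated with that default
    hops: int          # routers traversed, inferred as initial_ttl - observed


def infer_os_from_ttl(observed_ttl: int) -> Optional[TtlGuess]:
    """Passive inference: choose the smallest well-known initial TTL that is
    >= the observed TTL. Each router decrements TTL by one, so the difference
    is the hop count. Returns None for an out-of-range value."""
    if not 1 <= observed_ttl <= 255:
        return None
    for initial in sorted(DEFAULT_TTLS):
        if observed_ttl <= initial:
            return TtlGuess(initial, DEFAULT_TTLS[initial], initial - observed_ttl)
    return None


# Matches "ttl N" inside the IP header summary and the source address that
# follows the closing parenthesis in tcpdump -v output (port suffix optional).
PACKET_RE = re.compile(
    r"ttl (\d+),.*?\)\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?\s+>"
)


def classify_capture(capture_text: str) -> Dict[str, TtlGuess]:
    """Walk captured packet summaries and record one guess per source IP.
    Nothing is sent: this only reads traffic that was already observed."""
    guesses: Dict[str, TtlGuess] = {}
    for line in capture_text.splitlines():
        match = PACKET_RE.search(line)
        if not match:
            continue
        ttl, src = int(match.group(1)), match.group(2)
        guess = infer_os_from_ttl(ttl)
        if guess is not None:
            guesses.setdefault(src, guess)  # keep the first packet seen per host
    return guesses


# Constructed sample capture (documentation addresses, tcpdump -v style).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP (tos 0x0, ttl 54, id 4321, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.7.51234 > 192.0.2.10.443: Flags [S]
12:00:01.000500 IP (tos 0x0, ttl 116, id 9876, offset 0, flags [DF], proto TCP (6), length 52) 198.51.100.22.60001 > 192.0.2.10.443: Flags [S]
12:00:02.000000 IP (tos 0x0, ttl 251, id 1, offset 0, flags [none], proto ICMP (1), length 84) 192.0.2.1 > 192.0.2.10: ICMP echo reply
"""

if __name__ == "__main__":
    for src, guess in classify_capture(SAMPLE_CAPTURE).items():
        print(f"{src}: {guess.os_family} (initial TTL {guess.initial_ttl}, {guess.hops} hops)")
```

The heuristic is deliberately coarse: an observed TTL of 60 could be a Linux host four hops away or a Windows host 68 hops away, and the code always picks the nearer default. That is exactly why the explanation calls TTL an indicator rather than proof, and why active fingerprinting combines it with window sizes and TCP option ordering.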

12. MCQ · hard

An attacker uses an idle scan with Nmap to probe a target. This technique relies on a third-party host with a predictable IP ID sequence to infer port states. Which Nmap flag enables an idle scan?

A. -sS
B. -sI
C. -sA
D. -sT
Answer: B

-sI specifies an idle scan using a zombie host.

Why this answer

The idle scan (-sI) leverages a third-party host (zombie) with a predictable IP ID sequence to indirectly probe a target's ports. By spoofing the zombie's IP and observing changes in its IP ID counter, Nmap can infer whether a port is open, closed, or filtered without sending packets directly from the attacker's IP.

Exam trap

The trap here is that candidates often confuse -sI with -sS (SYN scan) because both are stealthy, but -sI specifically requires a zombie host and IP ID manipulation, not just half-open connections.

How to eliminate wrong answers

Option A (-sS) is wrong because it performs a TCP SYN stealth scan, which sends SYN packets directly from the attacker's IP and does not involve a zombie host or IP ID manipulation. Option C (-sA) is wrong because it performs a TCP ACK scan, which sends ACK packets to map firewall rules, not to conduct idle scanning. Option D (-sT) is wrong because it performs a TCP connect scan, which completes the full three-way handshake and is detectable, not an idle scan.

13. Multi-Select · hard

Which THREE of the following are valid Nmap NSE scripts that could be used for service version detection or vulnerability scanning? (Choose THREE.)

Select 3 answers
A. dns-zone-transfer
B. smb-os-discovery
C. ssl-heartbleed
D. banner
E. http-sql-injection
Answers: C, D, E

Checks for the Heartbleed vulnerability.

Why this answer

Option C is correct because the ssl-heartbleed NSE script (ssl-heartbleed.nse) specifically checks for the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL implementations. It sends a malformed TLS heartbeat request and inspects the response for leaked memory contents, making it a direct vulnerability scanning script. This script is part of Nmap's NSE library and is widely used for identifying vulnerable SSL/TLS services.

Exam trap

The trap here is that candidates may confuse 'service version detection' with 'OS detection' (e.g., smb-os-discovery) or 'information gathering' (e.g., dns-zone-transfer), failing to distinguish between scripts that directly identify service versions or vulnerabilities versus those that perform other reconnaissance tasks.

14. MCQ · medium

You need to perform a fast scan of all 65535 TCP ports on a target IP address. Which tool is specifically designed for high-speed scanning and can surpass Nmap's speed on large-scale networks?

A. Netcat
B. hping3
C. Nmap with -T5
D. Masscan
Answer: D

Masscan is a high-speed port scanner.

Why this answer

Masscan is the correct answer because it is specifically engineered for high-speed asynchronous scanning, capable of transmitting packets at rates exceeding 10 million packets per second, which allows it to scan all 65535 TCP ports on a target significantly faster than Nmap, even with the -T5 timing template. Unlike Nmap's synchronous or adaptive scanning, Masscan uses a custom TCP/IP stack and raw sockets to maximize throughput, making it the optimal tool for large-scale network reconnaissance.

Exam trap

The trap here is that candidates assume Nmap's -T5 timing template is the fastest possible scan, but they overlook that Masscan's asynchronous architecture is fundamentally different and designed for orders-of-magnitude higher throughput on large-scale networks.

How to eliminate wrong answers

Option A is wrong because Netcat is a general-purpose networking utility for reading/writing data across network connections, not a port scanner; it lacks the asynchronous, high-speed scanning engine required to efficiently scan all 65535 ports. Option B is wrong because hping3 is a packet crafting and testing tool that can perform port scanning, but it operates with a slower, more manual approach and is not designed for high-speed scanning of all ports on a large network. Option C is wrong because Nmap with -T5 uses the 'insane' timing template, which increases parallelism and reduces timeout intervals, but Nmap's architecture is still fundamentally synchronous and cannot match Masscan's raw packet rate for scanning all 65535 ports on a large-scale network.

15. MCQ · easy

A penetration tester wants to perform a stealthy TCP scan that does not complete the three-way handshake. Which Nmap flag should be used?

A. -sU
B. -sS
C. -sV
D. -sT
Answer: B

-sS is the SYN stealth scan that doesn't complete the handshake.

Why this answer

Option B (-sS) is correct because it performs a SYN scan, which sends a TCP SYN packet and waits for a SYN-ACK response without completing the three-way handshake (i.e., it sends a RST instead of an ACK). This makes the scan stealthy as it avoids establishing a full TCP connection, reducing the chance of being logged by the target.

Exam trap

The trap here is that candidates often confuse -sS (SYN scan) with -sT (TCP connect scan), mistakenly thinking that -sT is stealthy because it uses TCP, but -sT actually completes the full handshake and is easily logged, while -sS is the true stealthy option.

How to eliminate wrong answers

Option A (-sU) is wrong because it performs a UDP scan, not a TCP scan, and UDP is connectionless, so it does not involve a three-way handshake at all. Option C (-sV) is wrong because it is used for version detection, which requires completing the three-way handshake to probe services, not for stealthy scanning. Option D (-sT) is wrong because it performs a full TCP connect scan, which completes the three-way handshake and is not stealthy, as it is more likely to be logged by the target system.

16. Multi-Select · medium

A security analyst wants to perform passive reconnaissance on a target domain. Which TWO of the following methods are considered passive? (Choose 2)

Select 2 answers
A. WHOIS lookup
B. Shodan search
C. Telnet banner grab
D. Ping sweep
E. Nmap SYN scan
Answers: A, B

Queries public WHOIS databases without contacting the target.

Why this answer

WHOIS lookup is passive because it queries public registration databases (e.g., ARIN, RIPE) via the WHOIS protocol (RFC 3912) to retrieve domain ownership, registrar, and name server information without sending any packets to the target's own infrastructure. This data is publicly available and does not interact with the target's servers or network, making it a classic passive reconnaissance technique.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance by including tools like Shodan (which is passive) alongside active scanning tools like Nmap, leading candidates to mistakenly classify Shodan as active because it involves a search engine rather than direct network interaction.

17. MCQ · easy

Which of the following best describes the difference between active and passive reconnaissance?

A. Active reconnaissance is legal, while passive reconnaissance is not
B. Active reconnaissance involves direct interaction with the target, whereas passive reconnaissance does not
C. Passive reconnaissance uses tools like Nmap, while active reconnaissance uses Google dorks
D. Passive reconnaissance is used only during the exploitation phase
Answer: B

This is the core difference between the two approaches.

Why this answer

Active reconnaissance involves direct interaction with the target system, such as sending packets, probes, or connection requests (e.g., using Nmap scans, ping sweeps, or banner grabbing) that can be logged or detected by the target. Passive reconnaissance, in contrast, gathers information without engaging the target directly, relying on publicly available sources (e.g., WHOIS lookups, DNS records, social media, or search engines) and does not generate traffic that reaches the target's network. This distinction is fundamental in the CEH methodology because active techniques carry a higher risk of alerting the target, while passive techniques are stealthier and often used first to avoid detection.

Exam trap

EC-Council often tests the misconception that passive reconnaissance is 'safer' or 'always legal,' but the trap here is confusing the method of interaction (direct vs. indirect) with legality or tool assignment, leading candidates to pick Option A or C instead of the correct definition based on target interaction.

How to eliminate wrong answers

Option A is wrong because legality is not the defining difference; both active and passive reconnaissance can be legal or illegal depending on authorization and jurisdiction—active reconnaissance is not inherently legal, and passive reconnaissance is not inherently illegal. Option C is wrong because it reverses the typical tool usage: Nmap is a primary tool for active reconnaissance (sending packets to discover hosts and services), while Google dorks are a form of passive reconnaissance (searching publicly indexed data without direct interaction). Option D is wrong because passive reconnaissance is primarily used during the footprinting and reconnaissance phase, not the exploitation phase; exploitation occurs after reconnaissance and scanning are complete.

18. MCQ · medium

A penetration tester is scanning a target and receives the output: `PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https`. Which Nmap flag was MOST likely used to obtain this output?

A. -sS
B. -O
C. -A
D. -sV
Answer: A

-sS performs a SYN scan and displays open ports with service names.

Why this answer

The output shows open ports with their service names (ssh, http, https) but no version information. The -sS flag performs a SYN stealth scan, which by default probes common ports and uses the /etc/services file to map port numbers to service names. This matches the output format exactly, as -sS does not perform version detection or OS fingerprinting.

Exam trap

The trap here is that candidates often confuse the service name mapping (from -sS or default scan) with version detection (-sV), assuming that seeing 'ssh' or 'http' implies version probing occurred, when in fact Nmap simply maps the port number to a common service name from its database.

How to eliminate wrong answers

Option B is wrong because -O is used for OS detection, which would add OS fingerprinting details (e.g., 'OS: Linux 2.6.32') to the output, not just port states and service names. Option C is wrong because -A enables aggressive scanning (OS detection, version detection, script scanning, traceroute), which would produce far more verbose output including version strings and script results. Option D is wrong because -sV enables version detection, which would append version information (e.g., 'Apache httpd 2.4.41') to each service line, not just the service name from the port mapping.

19. MCQ · hard

During a penetration test, you run the following Nmap command: `nmap -sS -sV -O -A -T4 --script=default 10.0.0.1`. The scan results show that port 443 is open and the service is 'Apache httpd 2.4.29'. However, banner grabbing with Netcat shows 'Apache/2.4.41 (Ubuntu)'. What is the MOST likely explanation for the discrepancy?

A. The server is using a reverse proxy that presents a different version to Nmap
B. Netcat banner grabbing is more reliable because it reads the actual server response
C. The discrepancy is due to Nmap's OS fingerprinting conflicting with version detection
D. Nmap is more accurate because it uses deep packet inspection
Answer: B

Netcat establishes a TCP connection and reads the service banner directly, while Nmap's -sV uses a database of signatures that may be incomplete or outdated.

Why this answer

Option B is correct because Netcat performs a direct TCP connection to the service and reads the raw banner as sent by the application, which is the most immediate and unfiltered version information. Nmap's version detection (-sV) relies on probe-response matching against its signature database, which can be outdated or misinterpret the service if the server uses banner obfuscation or if the Nmap database does not have an exact match for the newer version. In this case, Netcat reveals the actual server version (2.4.41), while Nmap's database may only have a signature for 2.4.29, leading to a false lower version.

Exam trap

The trap here is that candidates assume Nmap is always more accurate because it is a sophisticated scanning tool, but in version detection, a direct banner grab with Netcat is often more reliable when the service banner is not suppressed.

How to eliminate wrong answers

Option A is wrong because a reverse proxy would typically present the same version to both Nmap and Netcat, or could mask the backend version entirely; it would not cause Nmap to report a lower version than the actual banner. Option C is wrong because OS fingerprinting (-O) is a separate function that does not interfere with version detection; the discrepancy is between two version detection methods, not OS fingerprinting. Option D is wrong because Nmap's version detection does not use deep packet inspection; it sends specific probes and matches responses to a signature database, which can be less accurate than a direct banner grab if the database is outdated or the service responds differently to probes.

20. MCQ · hard

A security analyst runs a vulnerability scan with Nessus and receives a report indicating that multiple hosts have the 'MS17-010' vulnerability. What is the MOST likely impact of this vulnerability if exploited?

A. Remote code execution on Windows systems
B. SQL injection
C. Cross-site scripting
D. DNS cache poisoning
Answer: A

MS17-010 allows RCE via SMB, famously used by WannaCry.

Why this answer

MS17-010 is a critical remote code execution vulnerability in the Microsoft Server Message Block (SMB) protocol. Exploitation allows an unauthenticated attacker to send specially crafted packets to an SMB server, enabling arbitrary code execution with system privileges. This is the same vulnerability leveraged by the EternalBlue exploit used in the WannaCry ransomware attacks.

Exam trap

The trap here is that candidates may confuse MS17-010 with a general network vulnerability, but the CEH exam specifically tests that it is a remote code execution flaw in Windows SMB, not a web or DNS attack.

How to eliminate wrong answers

Option B is wrong because SQL injection targets the database query layer (e.g., SQL statements built from user input) and is unrelated to SMB protocol vulnerabilities. Option C is wrong because cross-site scripting (XSS) exploits web application input validation to inject client-side scripts, not SMB remote code execution. Option D is wrong because DNS cache poisoning manipulates DNS resolver caches via forged responses, an attack on the DNS service that is distinct from the SMB-based MS17-010 flaw.

21
Multi-Selecteasy

Which TWO of the following are passive reconnaissance techniques? (Select 2)

Select 2 answers
A.Performing a WHOIS lookup
B.Running an Nmap version scan
C.Performing a ping sweep
D.Using Shodan to find exposed devices
E.Banner grabbing with Netcat
AnswersA, D

WHOIS queries public registration databases without contacting the target's servers.

Why this answer

A WHOIS lookup queries public registration databases (the domain's registrar or registry WHOIS for domain records, or regional registries such as ARIN and RIPE for address blocks) to retrieve details such as the registrar, creation date, contacts and name servers. This is passive because it relies on publicly available information held by third parties and sends no packets to the target network or its live systems.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance by making candidates confuse techniques that use public databases (passive) with those that send packets to the target (active); the trap here is that banner grabbing with Netcat feels passive because it only reads a response, but it still requires initiating a TCP connection to the target.

22
Multi-Selectmedium

Which TWO of the following Nmap scans are considered 'stealth' scans that do not complete a full TCP three-way handshake?

Select 2 answers
A.FIN scan (-sF)
B.TCP connect scan (-sT)
C.UDP scan (-sU)
D.SYN scan (-sS)
E.ACK scan (-sA)
AnswersA, D

-sF sends FIN packets and does not complete a handshake.

Why this answer

A FIN scan (-sF) sends a TCP segment with only the FIN flag set. Per RFC 793, a closed port answers with RST while an open port silently drops the segment, so Nmap reports open|filtered when nothing comes back. No SYN is ever sent, so no handshake is attempted, which is what makes it a stealth scan. Caveat for practice: Windows, Cisco IOS and several other stacks send RST from every port regardless of state, so a FIN scan against them shows everything as closed; confirm with a SYN scan before drawing conclusions.

Exam trap

The trap here is that candidates equate 'stealth' with 'invisible' and assume any scan that skips the handshake qualifies. The CEH groups SYN (-sS), FIN, Xmas and Null scans as stealth scans because they never complete the three-way handshake and so avoid the application-level connection logs a connect scan (-sT) produces. An ACK scan (-sA) does not complete a handshake either, but it only reports whether a port is filtered or unfiltered (firewall rule mapping), never whether it is open, so it is not classed as a stealth port scan. Note that a SYN scan is still visible to any IDS watching the wire; 'stealth' refers to the target's own logs, not to evasion.

23
Multi-Selectmedium

Which TWO of the following Nmap flags are used for evasion of IDS/IPS? (Choose two.)

Select 2 answers
A.-sV
B.-O
C.-D
D.-f
E.-sT
AnswersC, D

Decoy scan uses multiple source IPs to confuse IDS.

Why this answer

Option C (-D) is correct because the decoy option sends each probe from the real host and from a list of spoofed source addresses, so the IDS logs many apparent scanners and cannot easily tell which one is real; the real address must still be among them, since the scanner needs the replies. Option D (-f) is correct because it splits each probe into 8-byte IP fragments (-ff uses 16 bytes, --mtu a chosen multiple of 8), so the TCP header itself is spread across several fragments and a sensor that expects the whole header in the first packet has nothing to match. Caveat: modern IDS engines reassemble fragments before signature matching, so -f mainly defeats simple or misconfigured sensors.

Exam trap

EC-Council often tests the misconception that -sV or -O are evasion techniques because they are 'stealthy' in some contexts, but the CEH exam specifically requires knowing that decoys (-D) and fragmentation (-f) are the standard Nmap evasion flags.

24
MCQmedium

An analyst executes 'nmap -sU -p 161,162 10.0.0.1'. What is the primary purpose of this scan?

A.Detect TCP services on the target
B.Enumerate all open ports on the target
C.Discover SNMP services running on the target
D.Perform a SYN flood attack
AnswerC

UDP ports 161 (SNMP) and 162 (SNMP trap) are scanned.

Why this answer

The `-sU` flag instructs Nmap to perform a UDP scan, and `-p 161,162` targets the default SNMP ports (UDP 161 for SNMP queries, UDP 162 for SNMP traps). This combination is specifically designed to discover SNMP services running on the target host, since SNMP is normally carried over UDP. Option C is correct because the command's primary purpose is to probe for SNMP services; adding `-sV` would make Nmap send a real SNMP request and confirm the service rather than relying on the absence of an ICMP port-unreachable reply.

Exam trap

The trap here is that candidates often confuse `-sU` with TCP scans or assume the command scans all ports, but CEH specifically tests the understanding that `-sU` with `-p 161,162` targets SNMP over UDP, not general port enumeration or attacks.

How to eliminate wrong answers

Option A is wrong because `-sU` specifies a UDP scan, not a TCP scan; TCP services are detected using `-sT` or `-sS`, not `-sU`. Option B is wrong because the command only scans ports 161 and 162, not all ports; enumerating all open ports would require a broader port range (e.g., `-p-`) or a different scan type. Option D is wrong because a SYN flood attack is a denial-of-service technique using TCP SYN packets, whereas this is a reconnaissance scan using UDP probes; Nmap does not perform attacks by default.

25
MCQeasy

During a security assessment, a tester uses `nmap -sU 192.168.1.1`. What type of scan does this command perform?

A.UDP scan
B.TCP SYN scan
C.Ping sweep
D.OS fingerprinting
AnswerA

-sU scans UDP ports.

Why this answer

The `-sU` flag in Nmap explicitly instructs the tool to perform a UDP scan. It sends UDP datagrams to the target ports and interprets the responses (or their absence) to classify each port: an ICMP port-unreachable means closed, a UDP reply means open, and no reply is reported as open|filtered because a dropped packet and a silent open service look the same. UDP scans are slow because most stacks rate-limit ICMP unreachable messages; combining `-sU` with `-sV` sends protocol-specific payloads that make services such as DNS or SNMP answer and confirm the port as open.

Exam trap

The trap here is that candidates confuse the `-sU` flag with a TCP SYN scan (`-sS`) or assume it performs a general host discovery, but the question specifically tests knowledge of Nmap's scan type flags.

How to eliminate wrong answers

Option B is wrong because a TCP SYN scan uses the `-sS` flag, not `-sU`, and works on TCP ports by sending a SYN and classifying the port from the SYN/ACK or RST that comes back, without completing the handshake. Option C is wrong because a ping sweep discovers live hosts across a range with ICMP echo requests (or TCP/UDP probes) and performs no port scanning; the command `nmap -sn` is used for ping sweeps. Option D is wrong because OS fingerprinting is performed with `-O` or `-A`, which analyze TCP/IP stack behavior, not a simple UDP port scan.

26
MCQmedium

An incident responder analyzes logs and finds repeated failed zone transfer attempts from an external IP. The zone transfer requests are targeting the domain example.com. Which DNS record type, if misconfigured, would allow this attack to succeed?

A.NS records
B.AXFR
C.MX records
D.SOA records
AnswerB

AXFR is the DNS query type for zone transfers. Allowing AXFR from unauthorized hosts is a misconfiguration.

Why this answer

B is correct because AXFR is the full zone transfer query type (RFC 5936, carried over TCP) that secondary name servers use to copy a zone from the primary. If the server is misconfigured to answer AXFR requests from any address, an external attacker can request and receive the entire DNS zone file for example.com, a complete map of its hostnames and addresses. The repeated failed attempts indicate the attacker is probing for exactly that misconfiguration, which would succeed if the server did not restrict transfers to its secondaries by address (e.g., an allow-transfer ACL) or by TSIG-signed requests.

Exam trap

The trap here is that candidates confuse the DNS record type (e.g., NS, SOA) with the protocol or query type (AXFR) used to perform the zone transfer, leading them to select a record type instead of recognizing AXFR as the specific misconfiguration that enables the attack.

How to eliminate wrong answers

Option A is wrong because NS records specify the authoritative name servers for a domain, not the mechanism for transferring zone data; misconfigured NS records could lead to delegation issues but do not directly allow zone transfer attacks. Option C is wrong because MX records define mail exchange servers for email routing and have no role in DNS zone transfers; they are irrelevant to the attack described. Option D is wrong because SOA records contain administrative metadata about the zone (e.g., serial number, refresh interval) but do not control or enable zone transfer requests; misconfigured SOA records might affect zone replication timing but not allow external AXFR queries.
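As an added example (not part of the original question set), the following Python script checks a BIND configuration for the misconfiguration this question describes: an allow-transfer ACL that lets any host request AXFR. The named.conf text, zone names and the 192.0.2.53 / ns2-tsig values are constructed for the example; the weak stanza and the corrected one sit side by side.

```python
"""Audit BIND zone stanzas for zone-transfer (AXFR) exposure.

Added example, not part of the original question set. It parses a
named.conf-style text and reports, per zone, whether allow-transfer is
open to any host, restricted, or unset. SAMPLE_NAMED_CONF is a
constructed sample, not a real configuration.
"""
import re

# Constructed sample: "example.com" is the weak setting that lets any host
# pull the zone; "corp.example" is the corrected form, limited to the
# secondary's address and a TSIG key; "legacy.example" sets nothing.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
};

zone "example.com" IN {
    type primary;
    file "example.com.zone";
    allow-transfer { any; };
};

zone "corp.example" IN {
    type primary;
    file "corp.example.zone";
    allow-transfer { 192.0.2.53; key ns2-tsig; };
};

zone "legacy.example" IN {
    type primary;
    file "legacy.example.zone";
};
"""

# A stanza body runs from its opening brace to the first "};" at column 0.
OPTIONS_RE = re.compile(r'options\s*\{(.*?)\n\};', re.S)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def transfer_policy(stanza_body):
    """Return the allow-transfer ACL elements, or None if the statement is absent."""
    m = TRANSFER_RE.search(stanza_body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def audit_zone_transfers(conf_text):
    """Map zone name -> 'open', 'restricted' or 'unset'.

    A zone without its own allow-transfer inherits the global one from
    options {}; if neither exists it is reported as 'unset', which should
    be treated as open, since BIND has historically defaulted to allowing
    transfers to any host.
    """
    global_acl = None
    opts = OPTIONS_RE.search(conf_text)
    if opts:
        global_acl = transfer_policy(opts.group(1))

    report = {}
    for name, body in ZONE_RE.findall(conf_text):
        acl = transfer_policy(body)
        if acl is None:
            acl = global_acl
        if acl is None:
            report[name] = 'unset'
        elif 'any' in acl:
            report[name] = 'open'
        else:
            report[name] = 'restricted'
    return report


if __name__ == '__main__':
    for zone, status in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f'{zone}: {status}')
```

To confirm the finding from outside, run `dig axfr example.com @ns1.example.com` against each authoritative server; a restricted server answers "Transfer failed.", an open one returns every record in the zone.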

27
MCQmedium

A penetration tester uses the following Google dork: site:example.com filetype:pdf inurl:confidential. What is the MOST likely goal of this search?

A.Retrieve all PDF files from example.com regardless of content
B.Identify all web pages on example.com that link to PDF files
C.Find PDF files on example.com that have 'confidential' in their filename or path
D.Discover PDF files that contain the word 'confidential' on example.com
AnswerC

The 'inurl:confidential' operator matches the string 'confidential' anywhere in the URL, which includes filenames and directory paths. Combined with 'filetype:pdf', this finds PDFs with 'confidential' in the URL.

Why this answer

The Google dork `site:example.com filetype:pdf inurl:confidential` combines the `site` operator to restrict results to example.com, `filetype:pdf` to filter for PDF files, and `inurl:confidential` to require that the URL or path contains the word 'confidential'. This targets PDF files whose filename or directory path includes 'confidential', making option C correct. The `inurl` operator matches the URL string, not the file content, so it does not search within the PDF text.

Exam trap

The trap here is confusing `inurl` (which searches the URL string) with `intext` or content-based search, leading candidates to incorrectly assume the dork finds PDFs containing the word 'confidential' inside the document.

How to eliminate wrong answers

Option A is wrong because the dork includes `inurl:confidential`, which narrows results to PDFs with 'confidential' in the URL, not all PDFs. Option B is wrong because the dork retrieves PDF files directly, not web pages that link to PDFs; `filetype:pdf` returns the PDF file itself. Option D is wrong because `inurl` searches the URL string, not the content of the PDF; to search within file content, one would use `intext` or `filetype:pdf` combined with a content search term like `"confidential"` without `inurl`.

28
MCQeasy

Which of the following Google dorks would an attacker MOST likely use to find login pages of web applications that are publicly accessible?

A.intitle:login
B.inurl:robots.txt
C.filetype:pdf
D.cache:example.com
AnswerA

This dork returns pages where the title contains 'login', often used to find login portals.

Why this answer

The Google dork 'intitle:login' is most effective for finding login pages because it searches for the word 'login' in the HTML title tag of web pages. Attackers use this to quickly identify publicly accessible authentication portals, which are common entry points for brute-force or credential-stuffing attacks. This dork directly targets the page title, a standard HTML element that often contains the word 'login' on authentication pages.

Exam trap

EC-Council often tests the distinction between operators that find specific page content (like 'intitle:') versus those that find file types or cached data, leading candidates to confuse 'inurl:robots.txt' (which finds a specific file) with finding login pages.

How to eliminate wrong answers

Option B is wrong because 'inurl:robots.txt' finds robots.txt files, which list the paths a site owner asks crawlers not to index; those paths are often worth reading, but the file is not a login page. Option C is wrong because 'filetype:pdf' restricts results to PDF documents, which are not login pages (login pages are HTML). Option D is wrong because 'cache:example.com' shows the cached copy of one specific page, not a search for login pages across many sites.

29
MCQmedium

Which of the following tools would be BEST to use for identifying all live hosts in a large IP range (e.g., 10.0.0.0/8) quickly?

A.Masscan
B.OpenVAS
C.Nmap with -sL flag
D.hping3
AnswerA

Masscan is optimized for speed and can scan large ranges quickly.

Why this answer

Masscan is the best choice because it is designed for high-speed scanning across large IP ranges, transmitting from a stateless engine over raw sockets at rates of millions of packets per second (around 10 million with a suitable NIC and driver). It sends SYN probes and matches the replies by a cookie in the sequence number rather than keeping per-host state, so a /8 (16.7 million addresses) can be swept for live hosts in minutes, provided the network path and the rules of engagement allow that rate.

Exam trap

EC-Council often tests the distinction between scanning speed and functionality, where candidates mistakenly choose Nmap (a versatile tool) for large-range host discovery without recognizing that its default scanning modes are too slow for a /8 subnet, whereas Masscan is purpose-built for speed.

How to eliminate wrong answers

Option B (OpenVAS) is wrong because it is a vulnerability scanner that performs in-depth checks on hosts already identified, not a tool for rapid host discovery across large ranges; its per-host work makes it far too slow for a /8. Option C (Nmap with -sL flag) is wrong because -sL is a list scan: it prints the target addresses with their reverse-DNS names and sends no packets to the targets themselves, so it cannot tell which hosts are live. Option D (hping3) is wrong because it is a packet-crafting tool for targeted tests and firewall auditing; it sends packets one at a time and is impractical for a /8.

30
MCQeasy

During a penetration test, the tester wants to discover all subdomains of a target domain using an OSINT technique. Which tool is specifically designed for subdomain enumeration via search engines and public records?

A.theHarvester
B.Maltego
C.Shodan
D.dnsrecon
AnswerA

theHarvester is designed to gather emails, subdomains, and other information from public sources.

Why this answer

theHarvester is specifically designed to perform OSINT-based subdomain enumeration by querying search engines (e.g., Google, Bing) and public data sources (e.g., PGP key servers, DNSDumpster). It collects email addresses, subdomains, IPs, and virtual hosts without direct interaction with the target's infrastructure, making it ideal for passive reconnaissance.

Exam trap

EC-Council often tests the distinction between passive OSINT tools (theHarvester) and active reconnaissance tools (dnsrecon), so candidates mistakenly choose dnsrecon because it is a DNS tool, but the question explicitly requires an OSINT technique using search engines and public records.

How to eliminate wrong answers

Option B (Maltego) is wrong because it is a general-purpose OSINT and link-analysis platform that requires transforms (some of which are paid) and is not solely focused on subdomain enumeration via search engines; it is overkill for this specific task. Option C (Shodan) is wrong because it is a search engine for internet-connected devices and services (e.g., IoT, servers), not for enumerating subdomains of a target domain via search engines or public records. Option D (dnsrecon) is wrong because it performs active DNS reconnaissance (e.g., zone transfers, brute-force subdomain discovery) and is not an OSINT technique that relies on search engines and public records.

31
Multi-Selecthard

A penetration tester is conducting reconnaissance and wants to identify live hosts in a range without being detected. Which TWO techniques would be MOST appropriate? (Choose two.)

Select 2 answers
A.Ping sweep
B.ARP scan
C.DNS query for reverse lookup
D.Passive OS fingerprinting
E.TCP SYN scan
AnswersC, D

DNS queries are generally allowed and less suspicious.

Why this answer

A reverse DNS (PTR) lookup asks a DNS server, not the target hosts, which names are registered for the addresses in the range. The query goes to a resolver or to the authoritative server for the in-addr.arpa zone, so the hosts themselves receive no packets and host-based or perimeter IDS watching them has nothing to see. A PTR record does not prove a host is up, but it narrows a range to addresses that are probably in use. Passive OS fingerprinting (option D) goes further and sends nothing at all: it infers hosts and their operating systems from traffic that is already flowing. Both fit the goal of mapping hosts without generating traffic that would alert the target's defences.

Exam trap

The trap here is that candidates often confuse passive OS fingerprinting (which analyzes network traffic patterns without sending probes) with active fingerprinting techniques, or they assume that any DNS query is inherently passive, overlooking that DNS queries themselves generate traffic that may be logged by DNS servers.

32
MCQhard

A penetration tester runs `nmap -sI 192.168.1.10 -p 80 10.0.0.1` and receives output indicating port 80 is open. The scan uses a zombie host. Which type of scan is this?

A.Idle scan
B.SYN scan
C.Decoy scan
D.Fragmentation scan
AnswerA

-sI is the idle scan flag.

Why this answer

The `-sI` flag in Nmap specifies an idle scan, which uses a zombie host (192.168.1.10) to probe the target (10.0.0.1). By observing changes in the zombie's IP ID sequence, the attacker can infer whether a port on the target is open or closed without revealing their own IP address. The output indicating port 80 is open confirms the scan type as an idle scan.

Exam trap

The trap here is that candidates confuse the `-sI` flag with decoy scans (`-D`) because both involve spoofing, but idle scans uniquely require a zombie host and IP ID analysis, not just multiple decoy IPs.

How to eliminate wrong answers

Option B is wrong because a SYN scan uses the `-sS` flag, not `-sI`, and does not involve a zombie host; it sends raw SYN packets directly from the attacker's IP. Option C is wrong because a decoy scan uses the `-D` flag to spoof multiple source IPs to obscure the real scanner, but it does not rely on a zombie host's IP ID sequence. Option D is wrong because a fragmentation scan uses the `-f` flag to split packets into smaller fragments to evade detection, not to leverage a zombie host for stealth.

33
MCQeasy

During a passive reconnaissance phase, a penetration tester uses a tool to gather email addresses, subdomains, and employee names associated with a target domain without directly interacting with the target's systems. Which tool is BEST suited for this purpose?

A.theHarvester
B.Nmap
C.Netcat
D.Wireshark
AnswerA

theHarvester is a passive OSINT tool that collects emails, subdomains, IPs, and names from public sources like Google, Bing, and LinkedIn.

Why this answer

theHarvester is specifically designed for passive reconnaissance by querying public sources such as search engines (Google, Bing), PGP key servers, and the Shodan API to collect email addresses, subdomains, and employee names without sending any packets directly to the target's infrastructure. This aligns perfectly with the requirement of gathering OSINT data without direct interaction.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with tools that can be used passively in some contexts (like Wireshark for sniffing), but the question specifically requires gathering email addresses, subdomains, and employee names from public sources, which only theHarvester is designed to do.

How to eliminate wrong answers

Option B (Nmap) is wrong because it actively sends crafted packets to target hosts to discover open ports and services, which constitutes active reconnaissance and would generate logs on the target's systems. Option C (Netcat) is wrong because it is a network utility for reading/writing data across TCP/UDP connections, used for banner grabbing or port scanning, both of which involve direct interaction with the target. Option D (Wireshark) is wrong because it is a packet analyzer that captures and inspects network traffic already on the wire, requiring either existing traffic from the target or active sniffing, and does not perform passive OSINT collection from public sources.

34
MCQeasy

Which of the following tools is PRIMARILY used for passive OSINT gathering and can query multiple search engines, social media platforms, and public databases to collect information about a target?

A.Nmap
B.Wireshark
C.Maltego
D.theHarvester
AnswerC

Maltego is designed for passive reconnaissance and aggregates data from multiple sources.

Why this answer

Maltego is primarily used for passive OSINT gathering because it leverages open-source intelligence feeds, search engines, social media platforms, and public databases to collect and correlate information about a target without directly interacting with the target's systems. Its transform-based architecture allows it to query multiple data sources simultaneously, making it the correct choice for passive reconnaissance.

Exam trap

The trap here is that candidates often confuse theHarvester with Maltego because both are OSINT tools, but theHarvester is more specialized for email and subdomain harvesting, while Maltego is the broader platform for multi-source passive intelligence gathering and visualization.

How to eliminate wrong answers

Option A is wrong because Nmap is an active reconnaissance tool that sends crafted packets to target hosts to discover open ports, services, and operating systems, which generates network traffic and can be detected. Option B is wrong because Wireshark is a network protocol analyzer used for capturing and inspecting live or recorded traffic, not for querying search engines or public databases for OSINT. Option D is wrong because theHarvester is indeed an OSINT tool, but it is primarily focused on email addresses, subdomains, and names from search engines and PGP key servers, not the broad multi-source correlation and visualization that Maltego provides for passive OSINT gathering.

35
MCQeasy

During a penetration test, you need to identify all live hosts on a target network without being detected by intrusion detection systems. Which Nmap flag would BEST achieve this?

A.-O (OS fingerprinting)
B.-sn (ping sweep)
C.-sS (SYN scan)
D.-sV (version detection)
AnswerB

Ping sweep only checks host availability, generating minimal traffic and avoiding full port scans.

Why this answer

With root privileges, -sn sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to each address and reports a host as up if anything answers; an unprivileged user gets TCP connect() attempts to ports 80 and 443 instead. Of the four options it is the quietest because it never completes a handshake, touches no other ports and sends no application-layer probes, so it avoids the port-scan and OS-detection signatures IDS rules typically key on. It is not invisible: the probes still cross the wire, and a sensor that alerts on one source touching many addresses will still see a sweep.

Exam trap

The trap here is that candidates often confuse -sn (ping sweep) with -sS (SYN scan) because both involve TCP packets, but -sn is purely for host discovery without port scanning, whereas -sS is a port scanning technique that is much more intrusive and detectable.

How to eliminate wrong answers

Option A is wrong because -O (OS fingerprinting) sends a series of crafted TCP packets to analyze responses for OS detection, which is highly detectable by IDS due to the unusual packet combinations and is not designed for simple host discovery. Option C is wrong because -sS (SYN scan) sends TCP SYN packets to specific ports to identify open ports, which is a port scanning technique that can trigger IDS alerts for half-open connections and is not optimized for stealthy live host detection. Option D is wrong because -sV (version detection) initiates full TCP connections and sends probe strings to identify service versions, which is noisy and easily detected by IDS, and is intended for service enumeration, not host discovery.

36
MCQhard

A security analyst runs the Nmap command: nmap -sI 192.168.1.50 -p 80 10.0.0.1. The scan completes, but the target shows no open ports. What is the MOST likely explanation?

A.The analyst used the wrong port number
B.The target has a firewall blocking the decoy packets
C.The target host is offline
D.The zombie host is not truly idle, causing false results
AnswerD

Idle scan relies on the zombie's IP ID being predictable; if the zombie is active, the IP ID increments unpredictably, leading to false negatives.

Why this answer

The -sI flag in Nmap performs an idle scan, which relies on a zombie host (192.168.1.50) whose IP ID is a single global counter that increments by one for every packet it sends. Nmap probes the zombie's IP ID, sends a SYN to the target spoofed from the zombie's address, and probes again: an increment of 2 means the target sent the zombie a SYN/ACK (port open) and the zombie answered with a RST, while an increment of 1 means the port is closed or filtered. If the zombie is not truly idle, its own traffic adds unpredictable increments, corrupting the side channel and producing closed|filtered or unreliable results for every port. Nmap checks the zombie's IP ID class before scanning and refuses random or per-host sequences, but a host that is quiet at the start and busy during the scan still passes that check. Verify with `nmap -O -v <zombie>` that it reports "IP ID Sequence Generation: Incremental" and choose a host with no other traffic (a printer or an idle appliance is the classic pick).

Exam trap

The trap here is that candidates often assume a firewall or offline target is the cause, but the idle scan's success hinges entirely on the zombie's idle state, not on target-side filtering or host availability.

How to eliminate wrong answers

Option A is wrong because -p 80 explicitly targets port 80 and the scan completed without error, so the port specification is not the issue. Option B is wrong because an idle scan uses no decoys: the single probe to the target is spoofed from the zombie's address. If the target's firewall dropped that probe, Nmap would report the port as closed|filtered for the same reason a closed port is, but that is a property of the target, and the option's description of 'decoy packets' misstates how the technique works. Option C is wrong because if the target host were offline, Nmap would typically report 'Host seems down' or time out rather than complete the scan and show no open ports.
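The IP ID side channel that questions 32 and 36 both turn on, as an added example that is not part of the original question set and not Nmap's code: a small simulation of a zombie's global IP ID counter. It reproduces the three-step probe Nmap performs, the +1 / +2 rule it decodes, and the failure mode of a zombie that is not idle. All traffic in it is a constructed model, not a capture.

```python
"""Idle-scan (nmap -sI) inference from a zombie's IP ID counter.

Added example, not part of the original question set and not Nmap's code.
It simulates the side channel: the scanner reads the zombie's IP ID,
sends a SYN to the target spoofed from the zombie's address, reads the
zombie's IP ID again, and derives the port state from how far the counter
moved. All traffic here is a constructed model, not a live capture.
"""
from dataclasses import dataclass


@dataclass
class Zombie:
    """A host whose IP ID is a single global counter, +1 per packet sent."""
    ip_id: int = 0x1000
    busy_packets_per_step: int = 0   # packets it sends on its own between probes

    def send(self):
        """Emit one packet: return the IP ID used and advance the counter."""
        used = self.ip_id
        self.ip_id = (self.ip_id + 1) & 0xFFFF
        return used

    def background(self):
        """Unrelated traffic; a truly idle zombie sends none."""
        for _ in range(self.busy_packets_per_step):
            self.send()


def packets_zombie_sends_for(port_state):
    """How many packets the zombie emits because of the spoofed SYN.

    open:     target sends SYN/ACK to the zombie, zombie answers RST -> 1
    closed:   target sends RST to the zombie, which it ignores       -> 0
    filtered: nothing reaches the zombie                              -> 0
    """
    return 1 if port_state == 'open' else 0


def idle_probe(zombie, port_state):
    """One idle-scan round; returns the IP ID delta the scanner observes."""
    # Step 1: scanner sends SYN/ACK to the zombie, zombie replies RST.
    before = zombie.send()
    zombie.background()
    # Step 2: scanner sends SYN to the target with source = zombie.
    for _ in range(packets_zombie_sends_for(port_state)):
        zombie.send()
    zombie.background()
    # Step 3: scanner probes the zombie again.
    after = zombie.send()
    return (after - before) & 0xFFFF


def classify(delta):
    """Nmap's verdict for the observed delta."""
    if delta == 1:
        return 'closed|filtered'      # only our two probes touched the zombie
    if delta == 2:
        return 'open'                 # one extra RST from the zombie
    return 'unreliable (zombie not idle)'


def zombie_is_idle(zombie, rounds=5):
    """Pre-check: the counter must advance by exactly 1 between probes."""
    prev = zombie.send()
    for _ in range(rounds):
        zombie.background()
        cur = zombie.send()
        if ((cur - prev) & 0xFFFF) != 1:
            return False
        prev = cur
    return True


def scan(zombie, port_states):
    """Scan a dict of port -> true state; returns port -> verdict."""
    if not zombie_is_idle(zombie):
        return {port: 'unreliable (zombie not idle)' for port in port_states}
    return {port: classify(idle_probe(zombie, state))
            for port, state in port_states.items()}


if __name__ == '__main__':
    targets = {22: 'open', 80: 'open', 443: 'closed', 8080: 'filtered'}
    print('idle zombie:', scan(Zombie(), targets))
    print('busy zombie:', scan(Zombie(busy_packets_per_step=2), targets))
```

Real Nmap repeats each probe and applies statistics to tolerate a little stray traffic; the simulation keeps the strict +1 / +2 rule so the effect of a busy zombie is visible.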

37
MCQhard

A penetration tester observes that an Nmap SYN scan shows all 1000 TCP ports as open. The tester suspects the target is using a security appliance that responds with SYN-ACK to all connection attempts, regardless of the actual port state. Which type of Nmap scan would be MOST effective in determining the true state of the ports?

A.UDP scan (-sU)
B.Ping sweep (-sn)
C.TCP connect scan (-sT)
D.Idle scan (-sI)
AnswerC

-sT completes the handshake; if the port is closed, a RST is received after the ACK, revealing the true state even if SYN-ACKs are spoofed.

Why this answer

Option C is correct because a TCP connect scan (-sT) completes the full three-way handshake through the operating system's socket API. An appliance that answers every SYN with a SYN/ACK fools a half-open scan, but once the final ACK is sent a connection to a port with no real service behind it is torn down with a RST (or never yields any data), whereas a genuine service keeps the connection and answers requests. This distinguishes ports that are truly open from those the appliance only pretends are open. In practice, add `--reason` to see why each port was classified and follow up with `-sV`: real services answer the version probes, while a SYN proxy or tarpit accepts connections and then goes silent.

Exam trap

The trap here is that candidates assume a SYN scan (-sS) is always superior due to stealth, but they overlook that a security appliance can spoof SYN-ACKs, making the full handshake of -sT necessary to bypass the deception.

How to eliminate wrong answers

Option A is wrong because a UDP scan (-sU) targets UDP ports, not TCP ports, and cannot determine the true state of TCP ports; it also suffers from false positives due to ICMP unreachable responses. Option B is wrong because a ping sweep (-sn) only checks host availability via ICMP or TCP pings and does not perform any port-level scanning to determine port states. Option D is wrong because an idle scan (-sI) relies on a zombie host with predictable IP IDs and is designed for stealth, not for bypassing SYN-ACK spoofing; it would still receive SYN-ACKs from the appliance and cannot differentiate real open ports from spoofed responses.

38
MCQhard

A penetration tester is attempting to evade an IDS/IPS while performing a port scan. They use the Nmap command: nmap -sS -f --data-length 20 -D RND:10 10.0.0.1. Which techniques are being employed to evade detection?

A.Idle scan, fragmentation, and MAC address spoofing
B.Packet timing manipulation, decoy, and avoiding DNS resolution
C.Fragmentation, decoy, and using a random source IP
D.Fragmentation, decoy, and source port spoofing
AnswerC

-f fragments IP packets, --data-length adds random data, and -D RND:10 generates random decoy IPs. The source IP is not random; decoys are additional spoofed sources.

Why this answer

Option C is correct because the command combines fragmentation (-f splits each probe across small IP fragments, so a sensor that expects the whole TCP header in one packet has nothing to match), decoy scanning (-D RND:10 generates ten random decoy source addresses and interleaves probes from them with the real ones), and random source addresses in the sense the option intends: the decoy addresses are random, so the sensor logs eleven apparent scanners and cannot tell which is real. The tester's own address is not changed; it must still appear among the sources so that responses come back. The command also carries a fourth technique none of the options names: --data-length 20 appends 20 random payload bytes to each probe, breaking signatures written for Nmap's normally empty packets.

Exam trap

The trap here is that candidates often confuse the `-D RND:10` decoy option with source IP spoofing or idle scanning, but the command does not include the `-sI` flag for idle scanning or `--source-port` for port spoofing, and the `RND:10` specifically randomizes decoy IPs, not the source IP of the attacker's machine.

How to eliminate wrong answers

Option A is wrong because an idle scan requires the `-sI` flag and a zombie host IP, which is not present; MAC address spoofing is not used in this command. Option B is wrong because packet timing manipulation (e.g., `-T` or `--scan-delay`) and avoiding DNS resolution (`-n`) are not specified in the given Nmap command. Option D is wrong because source port spoofing would require the `--source-port` or `-g` flag, which is not included in the command.

39
MCQeasy

Which of the following is a passive OS fingerprinting technique that does NOT send any packets to the target?

A.Sending TCP SYN packets and analyzing responses
B.Analyzing TTL and window size from captured packets
C.Performing a NULL scan
D.Using Nmap -O flag
AnswerB

This is passive fingerprinting; it uses existing traffic.

Why this answer

Passive OS fingerprinting reads fields from traffic that already exists (a pcap, a SPAN port, a p0f sensor) and sends nothing to the target. The IP TTL and the TCP window size are the classic indicators because each stack starts from characteristic defaults: Linux and most Unix-like systems start at TTL 64 (with initial windows such as 5840 on old 2.x kernels and 29200 or 64240 on current ones), Windows starts at TTL 128 (windows of 8192 or 65535 are common), and Cisco IOS and Solaris start at 255. Because every router hop decrements the TTL, the analyst rounds the observed value up to the nearest common initial TTL, which also gives the hop distance. Tools such as p0f add the TCP options order and MSS for finer matches. Since no packets are sent, the target cannot detect the analysis.

Exam trap

The trap here is that candidates often confuse passive fingerprinting with active techniques like banner grabbing or Nmap scans, assuming that any packet capture analysis is passive, but the key distinction is whether any packets are sent to the target.

How to eliminate wrong answers

Option A is wrong because sending TCP SYN packets and analyzing responses is an active fingerprinting technique, as it involves transmitting packets to the target. Option C is wrong because performing a NULL scan sends TCP packets with no flags set to the target, making it an active reconnaissance method. Option D is wrong because using Nmap with the -O flag sends a series of probes (e.g., TCP SYN, ICMP) to the target to determine the OS, which is an active fingerprinting approach.
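The TTL-and-window method from this question, as an added example that is not part of the original question set and not p0f's code. It normalises an observed TTL back to its likely initial value (which also yields the hop count), looks the (TTL, window) pair up in a small signature table, and falls back on the TTL family when the window is unfamiliar. The observations and the signature values are constructed and illustrative, not a real capture or a complete database.

```python
"""Passive OS guess from the TTL and TCP window size of captured packets.

Added example, not part of the original question set and not p0f's code.
The observations below are constructed sample values (as if read from a
pcap), and SIGNATURES is a small illustrative table of assumed defaults,
not a complete fingerprint database.
"""
from dataclasses import dataclass

# Initial TTL values that stacks commonly start from, ascending.
INITIAL_TTLS = (32, 64, 128, 255)

# (initial TTL, TCP window) -> guess. Illustrative, assumed values.
SIGNATURES = {
    (64, 5840): 'Linux (2.x-era kernel)',
    (64, 29200): 'Linux (3.x/4.x)',
    (64, 64240): 'Linux (5.x)',
    (64, 65535): 'macOS / FreeBSD',
    (128, 8192): 'Windows',
    (128, 65535): 'Windows',
    (255, 4128): 'Cisco IOS',
}

TTL_FAMILY = {
    32: 'legacy stack (TTL 32)',
    64: 'Unix-like (TTL 64)',
    128: 'Windows (TTL 128)',
    255: 'network device or Solaris (TTL 255)',
}


@dataclass(frozen=True)
class Observation:
    src: str
    ttl: int      # IP TTL as seen on the wire
    window: int   # TCP window from the host's SYN


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value.

    Each router hop decrements TTL by one, so a captured TTL of 121 most
    likely started at 128 and crossed seven hops. Returns None for values
    outside the 1..255 range.
    """
    if not 1 <= observed_ttl <= 255:
        return None
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return None


def hop_distance(observed_ttl):
    """Estimated number of routers between the capture point and the host."""
    initial = infer_initial_ttl(observed_ttl)
    return None if initial is None else initial - observed_ttl


def guess_os(obs):
    """Best guess from (initial TTL, window); fall back on the TTL family."""
    initial = infer_initial_ttl(obs.ttl)
    if initial is None:
        return 'unknown'
    exact = SIGNATURES.get((initial, obs.window))
    if exact:
        return exact
    # Window scaling, tuned stacks and middleboxes change the window, so the
    # TTL family alone is reported when the pair is unfamiliar.
    return TTL_FAMILY[initial] + ', window unmatched'


def fingerprint_all(observations):
    """Map source address -> (OS guess, hop distance)."""
    return {o.src: (guess_os(o), hop_distance(o.ttl)) for o in observations}


# Constructed sample observations, not a real capture.
SAMPLE = [
    Observation('10.0.0.5', 64, 29200),     # Linux host on the local segment
    Observation('10.0.0.9', 121, 65535),    # Windows, seven hops away
    Observation('10.0.0.12', 249, 4128),    # Cisco device, six hops away
    Observation('10.0.0.20', 58, 14600),    # Unix-like, window not in table
]

if __name__ == '__main__':
    for src, (guess, hops) in fingerprint_all(SAMPLE).items():
        print(f'{src}: {guess} (about {hops} hops)')
```

The hop estimate assumes the host started from one of the four common initial TTLs; a stack with a custom default (or a capture taken behind a NAT that rewrites TTL) will mislead it, which is why p0f and similar tools weigh several fields together.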

40
Multi-Selecthard

During a penetration test, you need to enumerate all DNS records for example.com using a zone transfer. Which TWO tools can be used to attempt this?

Select 2 answers
A.dnsenum
B.dig
C.dnsrecon
D.theHarvester
E.nslookup
AnswersA, C

dnsenum can attempt AXFR zone transfers and enumerate DNS records.

Why this answer

A is correct because dnsenum is a specialized tool designed to enumerate DNS information, including attempting a zone transfer (AXFR query) to retrieve all DNS records for a domain. It automates the process of querying the DNS server for a full zone transfer, which is the primary method to enumerate all records if the server is misconfigured to allow it.

Exam trap

The trap here is that dig (`dig axfr example.com @ns1.example.com`) and nslookup (`ls -d example.com` in the Windows version) can also issue an AXFR request by hand, so candidates pick them; the exam wants the dedicated enumeration tools, dnsenum and dnsrecon, which look up every authoritative nameserver for the domain and attempt the transfer against each one automatically, then fall back on brute-force and reverse lookups when transfers are refused. theHarvester only collects hostnames from public sources and never requests a zone transfer.

41
MCQ · hard

You are performing a penetration test and need to quickly scan a large IP range (e.g., 10.0.0.0/8) for open ports 80 and 443. Which tool is BEST suited for this high-speed scanning task?

A. OpenVAS
B. hping3
C. Nmap
D. Masscan
Answer: D

Masscan is optimized for high-speed port scanning over large address spaces.

Why this answer

Masscan is the best tool for this task because it is designed specifically for high-speed port scanning, capable of transmitting packets at rates exceeding 10 million packets per second, which is necessary to scan a /8 subnet (over 16 million IPs) for ports 80 and 443 in a reasonable timeframe. Unlike Nmap, which optimizes for accuracy and service detection, Masscan uses asynchronous raw socket transmission and can be tuned with the --rate parameter to maximize throughput, making it ideal for large-scale reconnaissance.

Exam trap

The trap here is that candidates often choose Nmap because it is the most familiar and versatile scanning tool, but the question specifically emphasizes 'high-speed' scanning of a massive IP range, which is Masscan's unique strength due to its asynchronous raw packet design and ability to achieve millions of packets per second.

How to eliminate wrong answers

Option A is wrong because OpenVAS is a vulnerability scanner that performs deep, slow assessments with authenticated checks and plugin-based testing, not a high-speed port scanner, and would take an impractical amount of time on a /8 range. Option B is wrong because hping3 is a packet crafting tool used for custom TCP/IP testing, firewall auditing, and DoS simulation, but it lacks the asynchronous scanning engine and rate optimization needed to scan millions of IPs quickly. Option C is wrong because while Nmap can scan large ranges with its -T5 timing template, its synchronous scanning model and service/version detection overhead make it significantly slower than Masscan for pure port discovery at scale, and it is not optimized for the extreme packet rates required for a /8 subnet.

42
Multi-Select · hard

A security analyst is conducting passive reconnaissance on a target organization. Which THREE of the following are examples of passive reconnaissance techniques? (Select 3)

Select 3 answers
A. Performing a WHOIS lookup on the target's domain
B. Querying a public DNS resolver cache for the target's mail server records
C. Running an Nmap SYN scan against the target's web server
D. Banner grabbing with Netcat on port 80
E. Using Google dork queries to find exposed documents
Answers: A, B, E

WHOIS queries use public databases, no direct target interaction.

Why this answer

WHOIS queries are a classic passive reconnaissance technique because they retrieve publicly registered domain ownership data from WHOIS databases (e.g., registrar, creation date, name servers) without sending any packets directly to the target's infrastructure. This information is stored by third-party registries and is accessible via standard WHOIS protocol (RFC 3912) or web-based lookup tools, making it completely non-intrusive.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance by including techniques that appear passive (like banner grabbing) but actually involve direct interaction with the target's services, leading candidates to mistakenly classify them as passive.

43
Multi-Select · easy

Which TWO of the following are examples of active reconnaissance? (Select 2)

Select 2 answers
A. Performing a WHOIS lookup
B. Analyzing public social media profiles for employee information
C. Conducting an Nmap SYN scan on the target network
D. Running a Google dork search for sensitive files
E. Using netcat to retrieve a banner from a web server
Answers: C, E

Nmap sends packets directly to the target, making it active.

Why this answer

Option C is correct because an Nmap SYN scan sends raw SYN packets to target ports and analyzes the responses (SYN-ACK for open, RST for closed). This actively probes the target network, generating traffic that can be detected by intrusion detection systems, which is the defining characteristic of active reconnaissance.

Exam trap

The trap here is that candidates often confuse 'publicly available information' (passive) with 'direct interaction' (active), leading them to incorrectly select WHOIS lookups or Google dork searches as active reconnaissance.

44
MCQ · easy

During a security assessment, a tester uses Maltego to gather information about a target organization. Which type of reconnaissance is being performed?

A. Passive reconnaissance
B. Active reconnaissance
C. Vulnerability scanning
D. Social engineering
Answer: A

Maltego gathers data from public sources (DNS, social media, etc.) without contacting the target, making it passive.

Why this answer

Maltego is a tool that collects publicly available information from sources like DNS records, WHOIS databases, and social media without directly interacting with the target's systems. This aligns with passive reconnaissance, which relies on open-source intelligence (OSINT) and does not send any packets to the target's network. The CEH defines passive reconnaissance as gathering information without engaging the target, making option A correct.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance by presenting tools like Maltego or theHarvester as passive, while candidates mistakenly classify them as active due to the tool's interactive GUI or data aggregation features.

How to eliminate wrong answers

Option B is wrong because active reconnaissance involves direct interaction with the target's systems (e.g., sending probes, port scans, or vulnerability scans), which Maltego does not do by default. Option C is wrong because vulnerability scanning is a form of active reconnaissance that uses tools like Nessus or OpenVAS to identify weaknesses by sending malicious payloads, not OSINT gathering. Option D is wrong because social engineering involves manipulating people to divulge confidential information (e.g., phishing calls or pretexting), which is a separate attack vector not performed by Maltego's automated data mining.

45
MCQ · medium

An incident responder notices unusual outbound traffic from a host that is communicating with an external IP on port 4444. The traffic appears to be encrypted. Which tool could be used to initiate a connection to that external IP to gather a banner for service identification?

A. traceroute
B. nslookup
C. Telnet
D. ping
Answer: C

Telnet can connect to a TCP port and often receives a banner.

Why this answer

Telnet can be used to connect to any TCP port, including port 4444, to manually interact with a service and retrieve its banner. Banners often reveal the service name, version, and other identifying information, which is critical for footprinting and reconnaissance. Even though the traffic is encrypted, the initial banner may be sent in cleartext before encryption begins, or the connection attempt itself can reveal the service type.

Exam trap

EC-Council often tests the misconception that Telnet is only for remote terminal access on port 23, but the exam expects you to know Telnet can connect to any TCP port for banner grabbing.

How to eliminate wrong answers

Option A is wrong because traceroute is used to map the network path to a destination by manipulating TTL values, not to connect to a specific port or retrieve a banner. Option B is wrong because nslookup is a DNS query tool used to resolve domain names to IP addresses or query DNS records; it cannot establish a TCP connection to a port. Option D is wrong because ping uses ICMP Echo Request/Reply messages and operates at the network layer; it cannot connect to a TCP port or retrieve application-layer banners.

46
MCQ · medium

During a penetration test, you execute `theHarvester -d example.com -b google,linkedin`. What type of data is this tool primarily designed to collect?

A. Password hashes and user credentials from compromised databases
B. Email addresses, subdomains, and employee names from public sources
C. DNS zone transfer information and TXT records
D. Vulnerability scan results from Nessus and OpenVAS
Answer: B

theHarvester uses search engines and social networks to find email addresses, subdomains, and other OSINT data.

Why this answer

TheHarvester is an open-source intelligence (OSINT) tool designed to gather publicly available information from search engines, PGP key servers, and social platforms. The command `-d example.com -b google,linkedin` instructs it to scrape Google and LinkedIn for email addresses, subdomains, and employee names associated with the target domain, which are classic footprinting data used in reconnaissance.

Exam trap

The trap here is that candidates confuse theHarvester's passive OSINT collection with active reconnaissance tools like `dnsrecon` (for zone transfers) or `nmap` (for vulnerability scanning), leading them to select options C or D.

How to eliminate wrong answers

Option A is wrong because theHarvester does not query compromised databases or extract password hashes; that is the domain of tools like Have I Been Pwned or hashcat. Option C is wrong because DNS zone transfer information and TXT records are obtained via `dig` or `nslookup` with specific query types (AXFR, TXT), not through search engine scraping. Option D is wrong because vulnerability scan results from Nessus and OpenVAS are generated by active scanning tools, not by passive OSINT collection performed by theHarvester.

47
MCQ · medium

A security analyst is performing reconnaissance on a target domain and wants to discover all subdomains using DNS enumeration. Which of the following commands would be MOST effective for performing a DNS zone transfer attempt?

A. `dig example.com ANY`
B. `nslookup -type=ns example.com`
C. `theHarvester -d example.com -l 500 -b google`
D. `dnsrecon -d example.com -t axfr`
Answer: D

dnsrecon with `-t axfr` specifically attempts a zone transfer. dig is also commonly used for this, but among the listed options dnsrecon is the correct and typical choice.

Why this answer

Option D is correct because the `-t axfr` flag in `dnsrecon` specifically attempts a DNS zone transfer (AXFR query) against the target domain's authoritative nameservers. A successful zone transfer returns all DNS records, including all subdomains, making it the most direct and effective method for subdomain enumeration via DNS zone transfer.

Exam trap

The trap here is that candidates often confuse general DNS queries (like `dig ANY` or `nslookup -type=ns`) with the specific zone transfer request (AXFR), assuming any DNS enumeration command can retrieve the full zone file.

How to eliminate wrong answers

Option A is wrong because `dig example.com ANY` queries for all record types but does not attempt a zone transfer; it only returns cached or non-authoritative data, not the full zone. Option B is wrong because `nslookup -type=ns example.com` only retrieves the nameserver records for the domain, not the entire zone file; it does not perform a zone transfer. Option C is wrong because `theHarvester -d example.com -l 500 -b google` uses search engines (Google) to gather subdomains via public sources, not DNS zone transfer; it relies on passive reconnaissance rather than direct DNS enumeration.

48
MCQ · medium

A penetration tester runs the following Nmap command: `nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24`. Which of the following BEST describes what this scan will accomplish?

A. Perform a UDP scan on the four specified ports and identify running services
B. Perform an aggressive scan of all open ports and enumerate SMB shares
C. Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
D. Perform a full TCP connect scan with UDP service detection on all ports
Answer: C

-sS = SYN/stealth scan, -sV = version detection, -O = OS fingerprinting, -p 22,80,443,3389 = scan only these four ports. This is a targeted reconnaissance scan.

Why this answer

Option C is correct because the command uses the -sS flag for a TCP SYN scan (stealth scan), -sV for service version detection, and -O for OS fingerprinting, targeting only the four specified ports (22, 80, 443, 3389) across the 192.168.1.0/24 subnet. This combination performs a half-open TCP scan on those ports, probes open ports to identify service versions, and attempts to determine the operating system based on TCP/IP stack responses.

Exam trap

The trap here is that candidates often confuse the -sS (SYN scan) with -sT (TCP connect scan) or -sU (UDP scan), and they may incorrectly assume that -sV and -O automatically scan all ports or perform additional enumeration like SMB sharing, when in fact the port range is explicitly limited by the -p option.

How to eliminate wrong answers

Option A is wrong because -sS specifies a TCP SYN scan, not a UDP scan; a UDP scan would use -sU, and the command does not include that flag. Option B is wrong because while -sV and -O make the scan somewhat aggressive, the command does not enumerate SMB shares (which would require scripts like smb-enum-shares via -sC or --script), and it only scans four specific ports, not all open ports. Option D is wrong because -sS is a SYN scan, not a full TCP connect scan (which would use -sT), and there is no UDP service detection (which would require -sU); also, the scan is limited to four ports, not all ports.

49
MCQ · medium

A security analyst runs the following Nmap command: `nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24`. Which of the following BEST describes what this scan will accomplish?

A. Perform a full TCP connect scan with UDP service detection on all ports
B. Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
C. Perform an aggressive scan of all open ports and enumerate SMB shares
D. Perform a UDP scan on the four specified ports and identify running services
Answer: B

-sS = SYN/stealth scan, -sV = version detection, -O = OS fingerprinting, -p 22,80,443,3389 = scan only these four ports. This is a targeted reconnaissance scan.

Why this answer

Option B is correct because the `-sS` flag initiates a TCP SYN stealth scan, `-sV` enables service version detection, and `-O` attempts OS fingerprinting. The `-p 22,80,443,3389` limits the scan to those four ports, and the target `192.168.1.0/24` scans the entire Class C subnet. This combination performs a half-open scan on the specified ports, probes for application versions, and tries to identify the operating system of each live host.

Exam trap

The trap here is that candidates confuse `-sS` (SYN scan) with a full connect scan (`-sT`) or mistakenly think `-sV` and `-O` imply an aggressive scan (`-A`), which also includes default scripts and traceroute.

How to eliminate wrong answers

Option A is wrong because `-sS` performs a TCP SYN scan (half-open), not a full TCP connect scan (`-sT`), and the command does not include UDP scanning (`-sU`) or scan all ports (only four are specified). Option C is wrong because the command does not use the `-A` flag (aggressive scan) and does not include any SMB enumeration flags like `--script smb-enum-shares`. Option D is wrong because `-sS` is a TCP SYN scan, not a UDP scan (`-sU`), and while `-sV` identifies services, it does so over TCP, not UDP.

50
MCQ · easy

Which of the following tools is specifically designed to perform fast internet-wide scanning, often used in the reconnaissance phase to discover open ports across large IP ranges?

A. hping3
B. OpenVAS
C. Masscan
D. Nmap
Answer: C

Masscan is designed for high-speed scanning of large address spaces.

Why this answer

Masscan is specifically designed for high-speed, asynchronous scanning of large IP ranges, capable of transmitting packets at rates exceeding 10 million packets per second. This makes it the optimal tool for internet-wide reconnaissance to discover open ports across vast address spaces, a task for which Nmap is too slow and hping3 is too manual.

Exam trap

The trap here is that candidates often choose Nmap because it is the most famous scanning tool, but the question specifically asks for a tool designed for 'fast internet-wide scanning,' which is Masscan's unique selling point over Nmap's slower, more thorough approach.

How to eliminate wrong answers

Option A is wrong because hping3 is a packet crafting and manipulation tool used for custom TCP/IP testing and firewall auditing, not for high-speed internet-wide scanning. Option B is wrong because OpenVAS is a vulnerability scanner that performs deep analysis on a targeted set of hosts, not a tool designed for rapid, large-scale port discovery. Option D is wrong because while Nmap is a powerful and versatile scanner, its synchronous scanning engine is too slow for scanning the entire internet; Masscan was explicitly created to fill this performance gap.

51
Multi-Select · easy

Which TWO of the following are considered passive reconnaissance techniques? (Choose TWO.)

Select 2 answers
A. Ping sweep
B. WHOIS lookup
C. Banner grabbing with Telnet
D. Port scanning
E. Google dorking
Answers: B, E

WHOIS queries public databases, no interaction with target.

Why this answer

WHOIS lookup is a passive reconnaissance technique because it queries public domain registration databases (via WHOIS protocol, RFC 3912) to obtain information such as registrar, registrant contact details, name servers, and expiration dates. This process does not send any packets directly to the target's infrastructure; instead, it relies on third-party data sources, making it undetectable by the target.

Exam trap

The trap here is that candidates often confuse 'passive' with 'low-noise' techniques, mistakenly thinking a ping sweep or banner grabbing is passive because it doesn't exploit vulnerabilities, but any technique that sends packets to the target's systems is active by definition.

52
MCQ · hard

You are investigating a suspected data exfiltration. Network logs show an internal host performing numerous DNS queries to a domain that does not exist in any organization records. The queries use various subdomains. Which technique is the attacker MOST likely using?

A. DNS amplification attack
B. DNS cache poisoning
C. DNS zone transfer
D. DNS tunneling
Answer: D

DNS tunneling uses DNS queries to exfiltrate data.

Why this answer

The attacker is most likely using DNS tunneling, which encodes the exfiltrated data into DNS queries and responses. By making numerous DNS queries to a domain they control, with data encoded in the subdomain labels, the attacker can bypass network security controls that do not inspect DNS traffic deeply. The fact that the domain does not appear in organization records and that the queries use many different subdomains is a classic indicator of DNS tunneling.

Exam trap

The trap here is that candidates confuse DNS tunneling with DNS amplification attacks because both involve many DNS queries, but amplification is a DDoS technique focused on volume, not covert data exfiltration via subdomain encoding.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack is a volumetric DDoS technique that uses open resolvers to flood a victim with large DNS responses, not to exfiltrate data via subdomain queries. Option B is wrong because DNS cache poisoning corrupts a resolver's cache with forged records to redirect traffic, not to exfiltrate data through numerous subdomain queries. Option C is wrong because a DNS zone transfer is a legitimate mechanism to replicate DNS records between authoritative servers, typically using TCP port 53 and the AXFR query type, not a method for data exfiltration via subdomain queries.

53
MCQ · easy

What is the PRIMARY purpose of performing a DNS zone transfer?

A. To cache DNS queries locally
B. To obtain all DNS records for a domain from an authoritative server
C. To resolve IP addresses to hostnames
D. To verify the DNS server's response time
Answer: B

Zone transfer provides a complete list of DNS records, which is valuable for mapping a network.

Why this answer

DNS zone transfer (AXFR) is a mechanism defined in RFC 1034 and 1035 that allows a secondary DNS server to replicate the entire zone file from a primary authoritative server. The primary purpose is to obtain all DNS records for a domain, which is critical for reconnaissance during the footprinting phase, as it reveals subdomains, mail servers, and other infrastructure without brute-forcing.

Exam trap

EC-Council often tests the distinction between a zone transfer (full record replication) and a standard DNS query (single record lookup), so candidates mistakenly choose option C because they confuse reverse lookup with the bulk data retrieval of AXFR.

How to eliminate wrong answers

Option A is wrong because caching DNS queries locally is the function of a DNS resolver or caching server, not the purpose of a zone transfer; zone transfers replicate authoritative records, not cached queries. Option C is wrong because resolving IP addresses to hostnames is a reverse DNS lookup (PTR record query), which is a separate operation from a zone transfer that copies the entire forward zone. Option D is wrong because verifying the DNS server's response time is a performance check (e.g., using dig +stats), not a function of zone transfers, which are about data replication.

54
Multi-Select · hard

Which THREE of the following are common countermeasures to prevent DNS zone transfers from being abused? (Choose THREE.)

Select 3 answers
A. Enable DNS recursion on the name server
B. Restrict zone transfers to only specific authorized secondary name servers
C. Implement split DNS (internal vs external views)
D. Use Transaction Signatures (TSIG) to authenticate zone transfer requests
E. Configure the name server to allow zone transfers from any host
Answers: B, C, D

Limits who can request a zone transfer.

Why this answer

Option B is correct because restricting zone transfers to only specific authorized secondary name servers prevents unauthorized hosts from requesting a full copy of the DNS zone data. This is a fundamental access control measure that limits the AXFR query to trusted IP addresses, thereby mitigating information leakage during reconnaissance.

Exam trap

The trap here is that candidates often confuse enabling recursion (Option A) with a security measure, when in fact recursion is unrelated to zone transfer control and can introduce other vulnerabilities.

55
MCQ · easy

Which Nmap flag is used to perform a TCP SYN scan without completing the three-way handshake?

A. -sS
B. -sT
C. -sU
D. -sA
Answer: A

-sS is the SYN stealth scan.

Why this answer

The -sS flag instructs Nmap to perform a TCP SYN scan, which sends a SYN packet to the target port and, upon receiving a SYN/ACK response, sends an RST packet instead of completing the three-way handshake with an ACK. This allows the scanner to determine port states without establishing a full TCP connection, making it faster and less detectable than a full connect scan.

Exam trap

The trap here is that candidates often confuse -sS (SYN scan) with -sT (TCP connect scan), mistakenly thinking that -sT also avoids completing the handshake, when in fact -sT completes the full three-way handshake and is logged by the target system.

How to eliminate wrong answers

Option B (-sT) is wrong because it performs a full TCP connect scan, which completes the three-way handshake by sending the final ACK, making it more detectable and slower. Option C (-sU) is wrong because it performs a UDP scan, which sends UDP packets and does not involve the TCP three-way handshake at all. Option D (-sA) is wrong because it performs a TCP ACK scan, which sends packets with the ACK flag set to map firewall rules, not to determine open ports via SYN responses.

56
MCQ · medium

A penetration tester is performing reconnaissance and wants to identify email addresses associated with a target domain. Which tool is specifically designed for this purpose?

A. Nmap
B. theHarvester
C. Shodan
D. Maltego
Answer: B

theHarvester is designed to harvest emails and other data from public sources.

Why this answer

TheHarvester is specifically designed for passive reconnaissance to gather email addresses, subdomains, and other open-source intelligence (OSINT) from public sources like search engines, PGP key servers, and the Shodan database. It directly queries these sources to extract email addresses associated with a target domain, making it the correct tool for this task.

Exam trap

The trap here is that candidates often confuse Shodan (a device search engine) with a tool for email harvesting, or they assume Maltego's broad OSINT capabilities make it the best choice, but theHarvester is the only option specifically designed for automated email address extraction from public sources.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for port scanning, service detection, and OS fingerprinting, not for harvesting email addresses from public sources. Option C is wrong because Shodan is a search engine for internet-connected devices and services, not a tool for extracting email addresses from a target domain. Option D is wrong because Maltego is a graphical link analysis tool for relationship mapping and OSINT, but it is not specifically designed for automated email harvesting; it requires manual configuration and transforms, whereas theHarvester is purpose-built for this task.

57
MCQ · hard

During a security assessment, you execute `dnsenum --enum example.com`. The tool returns results including the nameservers (NS), mail servers (MX), and performs a zone transfer attempt. The zone transfer fails. What is the MOST likely reason for the failure?

A. The DNS server is not running
B. The zone transfer requires TCP port 443
C. The DNS server is configured to deny zone transfers from unauthorized hosts
D. The domain does not exist
Answer: C

This is the standard security configuration for DNS servers.

Why this answer

Option C is correct because DNS zone transfers (AXFR) are typically restricted by default on authoritative DNS servers to prevent unauthorized disclosure of the entire zone file. The `dnsenum` tool attempts an AXFR query over TCP port 53, and the failure indicates the server explicitly denied the request, which is a standard security configuration per RFC 5936.

Exam trap

The trap here is that candidates may confuse the port used for zone transfers (TCP 53) with the standard DNS query port (UDP 53) or mistakenly think a failed zone transfer implies the server is down or the domain is invalid, rather than recognizing it as a deliberate security control.

How to eliminate wrong answers

Option A is wrong because if the DNS server were not running, the tool would not have returned NS and MX records; a non-responsive server would cause a timeout or connection error, not a specific zone transfer failure. Option B is wrong because zone transfers use TCP port 53, not TCP port 443 (which is used for HTTPS). Option D is wrong because the tool successfully resolved the domain (returning NS and MX records), proving the domain exists and is properly configured.

58
Multi-Select · medium

A penetration tester wants to perform DNS zone transfer enumeration. Which TWO of the following tools can be used for this purpose? (Select exactly 2.)

Select 2 answers
A. Shodan
B. Maltego
C. theHarvester
D. dnsrecon
E. dnsenum
Answers: D, E

dnsrecon can perform zone transfers as part of its enumeration.

Why this answer

Dnsrecon is a dedicated DNS enumeration tool that supports zone transfer requests (AXFR queries) to retrieve all DNS records from a nameserver if it is misconfigured to allow transfers from any host. It can also perform other DNS reconnaissance tasks such as SRV record enumeration and subdomain brute-forcing, making it a direct choice for zone transfer enumeration.

Exam trap

EC-Council often tests the distinction between passive reconnaissance tools (theHarvester, Maltego) and active DNS enumeration tools (dnsrecon, dnsenum) that directly query DNS servers for zone transfers, leading candidates to select tools that gather DNS data indirectly rather than performing the actual AXFR request.

59
Multi-Select · hard

Which THREE of the following are valid DNS record types that an attacker might query during reconnaissance to gather information about a target domain? (Select 3)

Select 3 answers
A. FTP (file transfer)
B. A (IPv4 address)
C. NS (name server)
D. HTTP (hypertext transfer)
E. MX (mail exchange)
Answers: B, C, E

A records map hostnames to IP addresses, revealing the target's IP.

Why this answer

The A record maps a domain name to an IPv4 address, which is fundamental for locating a target server. During reconnaissance, querying A records reveals the IP address of the target domain, enabling further scanning and attack planning. This is a standard DNS query type defined in RFC 1035.

Exam trap

EC-Council often tests the distinction between DNS record types and application-layer protocols, so candidates mistakenly select FTP or HTTP because they are common network services, but they are not valid DNS resource records.

60
Multi-Select · medium

Which THREE of the following are examples of OSINT techniques? (Choose 3)

Select 3 answers
A. Nmap version detection
B. Shodan search
C. Maltego graph analysis
D. Nessus vulnerability scan
E. Google dorking
Answers: B, C, E

Shodan is an OSINT search engine for devices.

Why this answer

Shodan is a search engine for internet-connected devices, allowing users to discover open ports, services, and banners without directly interacting with the target. This is a classic OSINT technique because it gathers publicly available information from external sources, not from active scanning of the target's own infrastructure.

Exam trap

EC-Council often tests the distinction between active and passive reconnaissance, and the trap here is that candidates confuse tools that can be used for both (like Nmap) with OSINT, forgetting that OSINT specifically excludes any direct interaction with the target system.

61
MCQ · medium

A security analyst runs `nmap -sU -p 161,162 10.0.0.1` and receives output showing port 161/udp is open. Which service is MOST likely running on this port?

A. DHCP
B. SNMP
C. TFTP
D. DNS
Answer: B

SNMP uses UDP ports 161 (agent) and 162 (manager).

Why this answer

Port 161/udp is the default port for SNMP (Simple Network Management Protocol) used by SNMP agents to receive management queries (GET, SET) from SNMP managers. The `-sU` flag performs a UDP scan, and the open result on 161/udp strongly indicates an SNMP service is listening, as defined in RFC 1157.

Exam trap

The trap here is that candidates often confuse SNMP's port 161 with SNMP trap port 162 or misattribute it to other UDP-based services like DHCP or TFTP, but the scan specifically targets 161, which is exclusively SNMP.

How to eliminate wrong answers

Option A is wrong because DHCP uses ports 67/udp (server) and 68/udp (client), not 161 or 162. Option C is wrong because TFTP uses port 69/udp, not 161 or 162. Option D is wrong because DNS uses port 53/udp (and tcp), not 161 or 162.

62
MCQ · easy

Which command-line tool is specifically designed to extract email addresses, subdomains, and other information from public sources (e.g., search engines, social media) for a given domain?

A. Metasploit
B. Nmap
C. theHarvester
D. Wireshark
Answer: C

theHarvester is designed for passive information gathering from public sources.

Why this answer

theHarvester is a dedicated open-source intelligence (OSINT) tool designed to gather emails, subdomains, IPs, and employee names from public sources such as Google, Bing, LinkedIn, and PGP key servers. It specifically targets a given domain and queries search engines and social media APIs to extract this reconnaissance data, making it the correct choice for this task.

Exam trap

The trap here is that candidates may confuse theHarvester with Nmap or Metasploit because all three are used in reconnaissance, but only theHarvester specializes in passive OSINT gathering from public sources rather than active scanning or exploitation.

How to eliminate wrong answers

Option A is wrong because Metasploit is a penetration testing framework focused on exploit development and payload delivery, not passive information gathering from public sources. Option B is wrong because Nmap is a network scanning tool that discovers live hosts and open ports via raw packet probes, not designed to extract email addresses or subdomains from search engines. Option D is wrong because Wireshark is a packet analyzer that captures and inspects network traffic at the data-link layer, not a tool for querying public sources for domain-related information.

63
MCQ · medium

A penetration tester runs the following command: masscan 10.0.0.0/24 -p80,443,8080 --rate=10000. Compared to Nmap, what is the PRIMARY advantage of using Masscan for this scan?

A. Masscan can scan a large number of hosts and ports at very high speed
B. Masscan provides more detailed service version detection than Nmap
C. Masscan is stealthier than Nmap and less likely to be detected
D. Masscan can scan all 65535 ports faster than Nmap
Answer: A

Masscan's main advantage is its speed. It can scan large ranges quickly, as indicated by the high rate.

Why this answer

Masscan is designed for asynchronous, high-speed scanning, capable of transmitting packets at rates exceeding 10 million packets per second. In this command, the `--rate=10000` parameter sets a transmission rate of 10,000 packets per second, allowing it to scan the entire 10.0.0.0/24 subnet (256 hosts) for three ports in a fraction of the time Nmap would require. Nmap, while feature-rich, operates synchronously by default and cannot match Masscan's raw packet throughput for large-scale port scanning.

Exam trap

EC-Council often tests the misconception that Masscan is stealthier than Nmap, but in reality, its high packet rate makes it more detectable, and the trap here is that candidates confuse speed with stealth.

How to eliminate wrong answers

Option B is wrong because Masscan does not perform service version detection; it is a raw port scanner that only identifies open ports, whereas Nmap's `-sV` flag provides detailed service and version fingerprinting. Option C is wrong because Masscan is not inherently stealthier; its high-speed, asynchronous scanning often generates more conspicuous traffic patterns and can trigger IDS/IPS alerts more easily than Nmap's slower, more deliberate scans. Option D is wrong because while Masscan can scan all 65535 ports faster than Nmap, the question specifically asks about the PRIMARY advantage for the given command (which targets only three ports), and the core advantage is its high-speed scanning capability across many hosts, not just port range coverage.

64
Multi-Select · medium

Which TWO of the following are examples of passive OS fingerprinting techniques? (Select 2)

Select 2 answers
A. Performing a SYN scan on the target
B. Analyzing the initial TTL value of received IP packets
C. Sending a series of TCP packets with different flags and analyzing responses
D. Inspecting the TCP window size in SYN packets
E. Using the telnet command to connect to port 80
Answers: B, D

Different OSes use default TTL values; observing this helps identify the OS passively.

Why this answer

Option B is correct because passive OS fingerprinting involves observing network traffic without sending any packets to the target. Analyzing the initial TTL value of received IP packets is a classic passive technique: different operating systems set specific default TTL values (e.g., Windows uses 128, Linux uses 64, Cisco IOS uses 255), allowing an attacker to infer the OS without direct interaction.

Exam trap

The trap here is that candidates confuse passive fingerprinting (observing existing traffic) with active fingerprinting (sending crafted packets), leading them to select options like SYN scans or flag-based probes as passive techniques.

65
Multi-Select · hard

Which THREE of the following Nmap flags are commonly used for evasion techniques? (Select 3)

Select 3 answers
A. -f
B. -D
C. --mtu
D. -O
E. -sV
Answers: A, B, C

Fragmenting packets can help evade simple IDS/firewall rules.

Why this answer

The -f flag fragments the probe packets into smaller 8-byte fragments (or less, depending on the MTU). This helps evade simple packet-filtering firewalls and intrusion detection systems that do not reassemble fragments before applying rules, as the fragmented headers may bypass signature-based detection.

Exam trap

EC-Council often tests the distinction between scanning techniques (like -O and -sV) and evasion techniques (like -f, -D, --mtu), so candidates mistakenly select -O or -sV because they are common Nmap flags, even though they serve reconnaissance, not evasion.

66
MCQ · medium

Which of the following Nmap flags would an attacker use to evade IDS by sending fragmented IP packets?

A. -D
B. -g
C. -sS
D. -f
Answer: D

-f causes packet fragmentation to evade detection.

Why this answer

The -f flag in Nmap instructs the tool to fragment the transmitted packets into smaller pieces (typically 8-byte fragments). This fragmentation is used to evade Intrusion Detection Systems (IDS) that rely on signature matching against complete, unfragmented packets, as the IDS may not reassemble the fragments before inspection or may fail to detect the malicious payload when spread across multiple fragments.

Exam trap

The trap here is that candidates often confuse the -f flag with the -D (decoy) flag, thinking both are used for evasion, but -f specifically targets packet fragmentation to bypass IDS, while -D hides the source IP.

How to eliminate wrong answers

Option A (-D) is wrong because the -D flag is used for decoy scanning, which spoofs multiple source IP addresses to hide the attacker's real IP, not to fragment packets. Option B (-g) is wrong because the -g flag sets a custom source port number for the scan, often to bypass firewall rules that allow traffic from specific ports (e.g., port 53 for DNS), and has nothing to do with fragmentation. Option C (-sS) is wrong because -sS performs a TCP SYN stealth scan, which sends SYN packets without completing the handshake to avoid connection logging, but it does not involve IP fragmentation.

67
MCQ · medium

A security analyst receives an alert about a scan originating from an IP address that appears to be using an 'Idle scan' technique. Which of the following characteristics would confirm this?

A. The scan uses fragmented packets and decoy IP addresses
B. The scan uses FTP bounce to hide the true source IP
C. The scan sends SYN packets with the zombie host's IP address as the source and monitors IPID changes on the zombie to determine open ports
D. The scan shows a SYN packet with the attacker's real IP but uses a zombie host to relay replies
Answer: C

This correctly describes the idle scan technique: spoofing the zombie's IP and observing IPID increments to infer port states.

Why this answer

Option C is correct because an idle scan (also known as a zombie scan) relies on sending SYN packets to the target with the spoofed source IP address of a zombie host, then monitoring the IPID sequence on that zombie to infer whether the target port is open, closed, or filtered. The key characteristic is the use of the zombie's IP as the source and the observation of IPID changes on the zombie, which is exactly what option C describes.

Exam trap

The trap here is that candidates often confuse the idle scan with other spoofing or relay techniques like FTP bounce or decoy scans, but the idle scan is uniquely defined by the use of a zombie host's IPID changes to infer port states, not by hiding the attacker's IP via relays or multiple decoys.

How to eliminate wrong answers

Option A is wrong because fragmented packets and decoy IP addresses are features of a fragmented scan or a decoy scan, not an idle scan; idle scan does not use fragmentation or multiple decoy IPs. Option B is wrong because FTP bounce is a separate technique that uses an FTP server to relay traffic and hide the true source, but it does not involve monitoring IPID changes on a zombie host. Option D is wrong because an idle scan does not send SYN packets with the attacker's real IP; the attacker's IP is never used in the probe packets—the zombie's IP is used as the source, and the zombie does not relay replies; instead, the attacker monitors the zombie's IPID to infer port states.

68
MCQ · easy

Which of the following tools is specifically designed for high-speed port scanning across large address spaces?

A. Masscan
B. Zenmap
C. hping3
D. Nmap
Answer: A

Masscan is designed for high-speed scanning, capable of millions of packets per second.

Why this answer

Masscan is specifically designed for high-speed port scanning across large address spaces, capable of transmitting packets at rates exceeding 10 million packets per second. It achieves this by using asynchronous transmission and a custom TCP/IP stack, making it ideal for scanning the entire IPv4 internet or massive subnets in minutes, unlike general-purpose scanners that prioritize accuracy over raw speed.

Exam trap

The trap here is that candidates often assume Nmap is the fastest scanning tool because of its popularity and extensive feature set, but Masscan is explicitly engineered for raw speed at the cost of some accuracy, which is the key differentiator tested in this question.

How to eliminate wrong answers

Option B (Zenmap) is wrong because it is merely a graphical front-end for Nmap, not a standalone high-speed scanner; it inherits Nmap's slower, more thorough scanning approach. Option C (hping3) is wrong because it is a packet crafting and testing tool focused on custom packet generation and firewall testing, not optimized for high-speed port scanning across large address spaces. Option D (Nmap) is wrong because while it is a powerful and versatile scanner, it is designed for detailed, reliable scans with features like service detection and OS fingerprinting, and its default scanning methods are significantly slower than Masscan's asynchronous approach.

69
MCQ · medium

A security analyst wants to perform banner grabbing on a web server without establishing a full TCP connection. Which tool would be MOST appropriate?

A. Telnet
B. Wireshark
C. Nmap with -sT
D. Netcat
Answer: D

Netcat can open a TCP connection and receive the banner, though it completes the handshake.

Why this answer

Netcat (option D) is the most appropriate tool for banner grabbing without establishing a full TCP connection because it can send a raw TCP SYN packet and then immediately read the server's response banner without completing the three-way handshake. By using the `-z` flag for zero I/O mode, Netcat performs a simple port probe that captures the initial banner data, which is often sent by services like HTTP or FTP before the handshake finishes. This avoids the overhead of a full connection and minimizes the footprint on the target.

Exam trap

The trap here is that candidates often confuse Netcat with Telnet or assume that any Nmap scan type (like -sT) is suitable for banner grabbing, but the question specifically requires avoiding a full TCP connection, which only a tool capable of half-open scanning (like Netcat with -z) can achieve.

How to eliminate wrong answers

Option A (Telnet) is wrong because Telnet establishes a full TCP connection via a three-way handshake and then waits for user input, which defeats the purpose of avoiding a full connection; it also cannot perform banner grabbing without completing the handshake. Option B (Wireshark) is wrong because it is a passive packet capture and analysis tool that cannot initiate connections or perform banner grabbing; it can only observe traffic that is already flowing. Option C (Nmap with -sT) is wrong because the -sT flag performs a full TCP connect scan, which completes the three-way handshake, exactly what the analyst wants to avoid; a stealth SYN scan (-sS) would be more appropriate for banner grabbing without a full connection.

70
MCQ · hard

During a penetration test, a tester uses Nmap with the command: nmap -sS -D RND:10 192.168.1.100. After the scan, the IDS logs show multiple SYN packets from different source IPs hitting the target. However, the tester's true IP is not among them. Which of the following techniques is being used?

A. Idle scan
B. SYN flood
C. Decoy scan
D. Fragmentation attack
Answer: C

The -D flag specifies decoy IPs. RND:10 generates random decoys. This hides the real source by making it appear from multiple IPs.

Why this answer

The command `nmap -sS -D RND:10` performs a SYN stealth scan with 10 randomly generated decoy IP addresses. The IDS logs show multiple SYN packets from different source IPs, but the tester's true IP is not among them because Nmap sends the decoy packets with spoofed source addresses while the real scan packet is interleaved among them. This is the definition of a decoy scan, which aims to obscure the attacker's true origin by blending it with fake sources.

Exam trap

The trap here is confusing decoy scans with idle scans, as both involve spoofed IPs, but idle scans require a zombie host and IPID manipulation, while decoy scans simply flood the target with fake sources to hide the real one.

How to eliminate wrong answers

Option A is wrong because an idle scan (nmap -sI) uses a zombie host to bounce scan traffic off, relying on IPID sequence analysis, not multiple random source IPs. Option B is wrong because a SYN flood is a denial-of-service attack that sends a high volume of SYN packets to overwhelm the target, not a stealth scanning technique to hide the tester's IP. Option D is wrong because a fragmentation attack (nmap -f) splits packets into smaller fragments to evade IDS/IPS signature detection, but does not spoof source IPs or use decoys.

71
MCQ · hard

A security analyst notices that their Nmap scan results show all ports as 'filtered' despite the target host being alive and responsive to ping. Which of the following is the MOST likely cause?

A. The analyst's machine has a misconfigured routing table
B. The target has a host-based firewall that drops all incoming traffic silently
C. The target is running a honeypot that mimics multiple services
D. The target is an idle host that does not respond to any traffic
Answer: B

A stateful firewall dropping packets without sending RST or ICMP unreachable leads to filtered port status.

Why this answer

When an Nmap scan shows all ports as 'filtered', it indicates that the target is reachable (since ping succeeds) but the probe packets (e.g., SYN, ACK) are being dropped without any response. A host-based firewall configured to silently drop all incoming traffic is the most likely cause, as it prevents Nmap from receiving RST or SYN/ACK replies, leading to the 'filtered' state for every port.

Exam trap

The trap here is that candidates often confuse 'filtered' with 'closed' or 'open', or assume a host that responds to ping must have open ports, but a firewall can silently drop all inbound TCP/UDP probes while still allowing ICMP echo requests.

How to eliminate wrong answers

Option A is wrong because a misconfigured routing table on the analyst's machine would likely cause no response at all (including ping failure) or asymmetric routing issues, not a consistent 'filtered' state on all ports while ping succeeds. Option C is wrong because a honeypot mimicking multiple services would typically respond to probes (e.g., with SYN/ACK or banners) to attract attackers, resulting in 'open' or 'closed' port states, not 'filtered'. Option D is wrong because an idle host that does not respond to any traffic would not respond to ping either, contradicting the scenario where the target is alive and responsive to ping.

72
Multi-Select · medium

Which TWO techniques are considered active reconnaissance? (Choose TWO.)

Select 2 answers
A. Using Google dorking to find exposed files
B. Querying Shodan for exposed devices
C. Port scanning with Nmap
D. Banner grabbing with Netcat
E. Performing a WHOIS lookup
Answers: C, D

Port scanning sends probes to the target, making it active.

Why this answer

Port scanning with Nmap (Option C) is active reconnaissance because it sends crafted packets (e.g., TCP SYN, UDP probes) directly to target systems and analyzes the responses to determine open ports, running services, and operating system details. Banner grabbing with Netcat (Option D) is also active reconnaissance as it establishes a TCP connection to a target service (e.g., HTTP, FTP) and reads the service banner, which involves direct interaction with the target. Both techniques generate detectable network traffic and can be logged by intrusion detection systems.

Exam trap

The trap here is that candidates confuse 'using a tool that sometimes performs active scanning' (like Shodan, which actively scans on its own) with the user's action being active; the key distinction is whether the user's query directly interacts with the target system.

73
MCQ · easy

A security analyst wants to identify all live hosts on a network without generating excessive traffic. Which of the following techniques is MOST appropriate for this purpose?

A. Banner grabbing with Netcat
B. Full TCP connect scan on all ports
C. UDP scan on common ports
D. Ping sweep using ICMP echo requests
Answer: D

Ping sweep sends ICMP echo requests to multiple IPs; replies indicate live hosts. It is efficient and low-traffic.

Why this answer

A ping sweep using ICMP Echo Requests (Type 8) is the most efficient method to identify live hosts on a network because it sends a single packet per target and listens for ICMP Echo Replies (Type 0). This generates minimal traffic compared to full port scans, making it ideal for initial reconnaissance without overwhelming the network or triggering intrusion detection systems.

Exam trap

The trap here is that candidates often confuse host discovery with service discovery, choosing a port-based scan (like TCP connect or UDP) because they think 'scanning' always involves ports, but the question explicitly asks for identifying live hosts with minimal traffic, which is the textbook purpose of a ping sweep.

How to eliminate wrong answers

Option A is wrong because banner grabbing with Netcat requires an active TCP connection to a specific port on a host, which is a post-discovery technique used to identify services, not to find live hosts, and it generates more traffic per host than a simple ping. Option B is wrong because a full TCP connect scan on all 65,535 ports per host would generate massive traffic (thousands of packets per host), defeating the goal of minimizing network load and being easily detected. Option C is wrong because a UDP scan on common ports sends datagrams that often receive no response (due to stateless nature or firewalls), making it unreliable for host discovery and still generating more traffic than a single ICMP packet per host.

74
MCQ · hard

A security analyst observes that an Nmap SYN scan against a target network returns all ports as 'filtered'. The analyst suspects an IDS/IPS is dropping inbound SYN packets. Which Nmap technique would MOST likely bypass this detection while still identifying open ports?

A. Enable IP fragmentation with the -f flag
B. Use the -sU flag for UDP scanning
C. Use the -sT flag for a TCP connect scan
D. Increase scanning speed with -T5
Answer: A

Fragmentation can help evade detection by splitting the SYN packet across multiple fragments.

Why this answer

When an IDS/IPS drops inbound SYN packets, a standard SYN scan (-sS) is detected because the probe packets are easily recognized. Enabling IP fragmentation with the -f flag splits the TCP header across multiple fragments, making it harder for the IDS/IPS to reassemble and inspect the full packet, thus potentially bypassing the filter while still allowing Nmap to determine open ports based on responses.

Exam trap

The trap here is that candidates often think increasing speed (-T5) or using a full connect scan (-sT) makes scanning stealthier, when in fact fragmentation (-f) is the classic evasion technique for bypassing packet filters and IDS/IPS that inspect full packets.

How to eliminate wrong answers

Option B is wrong because UDP scanning (-sU) sends UDP datagrams, not SYN packets, and would not bypass a filter that drops inbound SYN packets; it also does not help identify open TCP ports. Option C is wrong because a TCP connect scan (-sT) completes the full three-way handshake, which still uses SYN packets and is even more detectable than a SYN scan, not less. Option D is wrong because increasing scanning speed with -T5 makes the scan more aggressive and noisy, which is more likely to trigger IDS/IPS alerts rather than bypass them.

75
MCQ · medium

During a security assessment, a tester uses Netcat to connect to a target's SMTP port and receive the service banner. Which command would achieve this?

A. nc -z <target> 25
B. nc -l -p 25
C. nc -u <target> 25
D. nc -v <target> 25
Answer: D

This connects to the target on port 25 and displays the banner.

Why this answer

Option D is correct because the `-v` (verbose) flag in Netcat causes it to display connection details, including the service banner received from the target. When connecting to SMTP port 25, the server typically sends a banner (e.g., "220 smtp.example.com ESMTP") immediately upon TCP connection establishment, and `nc -v <target> 25` prints that banner to stdout, allowing the tester to read it.

Exam trap

The trap here is that candidates often confuse the `-v` flag with `-z` or `-u`, mistakenly thinking that a simple connection (without verbose) or a UDP scan would reveal the banner, but only `-v` ensures the received data is printed to the terminal.

How to eliminate wrong answers

Option A is wrong because `nc -z` performs a zero-I/O scan (port scanning without sending data) and does not read or display any banner; it only reports whether the port is open. Option B is wrong because `nc -l -p 25` puts Netcat in listening mode on port 25, which would make the tester's machine act as an SMTP server, not connect to a target's SMTP port. Option C is wrong because `-u` specifies UDP mode, but SMTP operates over TCP (RFC 5321), so a UDP connection to port 25 would not establish a valid SMTP session or receive a banner.
