CCNA Footprinting and Reconnaissance Questions

18 questions · Footprinting and Reconnaissance · All types, answers revealed

1 · MCQ · easy

An ethical hacker wants to discover subdomains of a target domain using only public information. Which of the following techniques is MOST effective?

A. Run a traceroute to the main domain
B. Check the WHOIS record for the domain
C. Use the site: operator in search engines
D. Perform a reverse DNS lookup on the target IP range
Answer: C

Search engines index subdomains.

Why this answer

The `site:` operator in search engines (e.g., Google) allows an ethical hacker to enumerate publicly indexed subdomains of a target domain by querying `site:*.targetdomain.com`. This technique leverages the search engine's crawl data to discover subdomains that are publicly accessible but may not be linked from the main site, making it the most effective method for passive, public-information-only reconnaissance.

Exam trap

EC-Council often tests the misconception that WHOIS records contain subdomain information, but WHOIS only holds domain registration data, not DNS resource records like A or CNAME entries for subdomains.

How to eliminate wrong answers

Option A is wrong because traceroute (using ICMP or UDP probes) reveals the network path and intermediate routers, not subdomains; it operates at Layer 3 and does not query DNS records or web indexes. Option B is wrong because WHOIS records contain registration details (registrant, name servers, dates) but do not list subdomains; they are used for domain ownership and administrative information, not DNS enumeration. Option D is wrong because reverse DNS lookup (PTR records) maps IP addresses to hostnames, but it requires knowing the target IP range and only reveals hostnames that have PTR records configured, which is not a reliable method for discovering all subdomains from public information alone.

2 · Multi-Select · medium

Which TWO of the following are examples of passive footprinting techniques? (Select exactly 2.)

Select 2 answers
A. Performing a ping sweep on the target network
B. Conducting a port scan with Nmap
C. Using Google dorking to find exposed documents
D. Examining job postings for technology clues
E. Brute forcing subdomains via DNS queries
Answers: C, D

Uses search engine index, passive.

Why this answer

Option C is correct because Google dorking involves using advanced search operators (e.g., filetype:, intitle:) to discover publicly accessible information without directly interacting with the target's systems. This is a passive footprinting technique as it relies on publicly indexed data from search engines, not on sending packets to the target's network.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance, and the trap here is that candidates may mistakenly classify DNS-based enumeration (Option E) as passive, when in fact any technique that sends packets to the target's systems (including DNS queries) is considered active.

3 · MCQ · medium

During the reconnaissance phase, a tester discovers that the target company's email server is configured to automatically respond to delivery status notifications (DSNs). Which type of attack could this information facilitate?

A. DNS cache poisoning
B. Email enumeration
C. Man-in-the-middle attack
D. Phishing attack
Answer: B

DSN responses can confirm valid addresses.

Why this answer

Email servers that automatically respond with Delivery Status Notifications (DSNs), as defined in RFC 1891/3464, can be exploited for email enumeration. When a message is sent to a non-existent address, the DSN response indicates that the address is invalid, while a valid address generates no DSN or a different response. This allows an attacker to systematically verify valid email addresses on the target domain without triggering a full bounce-back to the original sender.

Exam trap

EC-Council often tests the distinction between passive reconnaissance (like email enumeration via DSN) and active attacks (like MITM or phishing). Candidates mistakenly choose 'Phishing attack' because they associate email servers with phishing, but the question specifically asks what the DSN behavior facilitates during reconnaissance.

How to eliminate wrong answers

Option A is wrong because DNS cache poisoning targets the DNS resolver's cache with forged records, not email server DSN behavior. Option C is wrong because a man-in-the-middle attack requires intercepting and relaying communications between two parties, which is unrelated to DSN responses. Option D is wrong because phishing is a social engineering attack that uses deceptive messages to steal credentials, not a reconnaissance technique to enumerate valid email addresses.

4 · MCQ · medium

During a penetration test, you are tasked with performing footprinting on a target organization. You have identified the target's IP range 192.168.1.0/24. Which of the following techniques would provide the most comprehensive information about the target's network topology and potential entry points?

A. Conduct social engineering to gather information from employees about internal network structure.
B. Use traceroute to map the network path and identify intermediate routers and firewalls.
C. Perform a WHOIS lookup to obtain domain registration details including administrative contacts.
D. Perform DNS enumeration to find all subdomains and associated IP addresses.
Answer: B

Traceroute shows the route packets take, revealing network topology and potential entry points.

Why this answer

Traceroute (using ICMP, UDP, or TCP probes with incrementing TTL values) reveals the Layer 3 path from the tester to the target, identifying each hop (router, firewall, or other gateway) along the route. This directly maps the network topology and can expose intermediate security devices, ACLs, and potential choke points, which is the most comprehensive technique for understanding the target's network layout and entry points from the given options.

Exam trap

The trap here is that candidates confuse footprinting techniques that gather passive information (WHOIS, DNS) with active network path mapping (traceroute), assuming WHOIS or DNS enumeration will reveal network topology when they only reveal domain or host metadata.

How to eliminate wrong answers

Option A is wrong because social engineering gathers subjective, often incomplete information from employees and does not directly reveal the actual network topology or technical entry points; it is a separate reconnaissance vector, not a footprinting technique for mapping network paths. Option C is wrong because WHOIS lookup provides domain registration details (registrant, admin contacts, name servers) but reveals nothing about the internal network topology, routers, or firewalls. Option D is wrong because DNS enumeration discovers subdomains and their associated IP addresses, which helps identify public-facing hosts but does not map the network path, intermediate routers, or firewalls.

5 · Multi-Select · hard

Which TWO of the following tools are specifically designed for footprinting and reconnaissance tasks? (Select two.)

Select 2 answers
A. Shodan
B. Nmap
C. Maltego
D. Metasploit
E. John the Ripper
Answers: A, C

Shodan is a search engine for internet-connected devices, used for reconnaissance.

Why this answer

Shodan is a search engine specifically designed for footprinting and reconnaissance by scanning and indexing internet-connected devices, such as IoT devices, servers, and industrial control systems. It allows attackers to gather information about open ports, services, and banners without direct interaction with the target, making it a primary tool for passive reconnaissance in the CEH context.

Exam trap

EC-Council often tests the distinction between active and passive reconnaissance tools, and the trap here is that candidates confuse Nmap (active scanning) with footprinting tools, or think Metasploit's auxiliary modules qualify as reconnaissance, when the exam specifically classifies Shodan and Maltego as dedicated footprinting tools.

6 · MCQ · hard

You are a penetration tester hired to perform a security assessment for a medium-sized e-commerce company, "ShopSmart". The company hosts its website on a shared hosting environment and uses a third-party payment gateway. Your goal is to gather as much information as possible without triggering any alarms. During the initial footprinting, you discover that the company's domain "shopsmart.com" was registered five years ago and the WHOIS record shows the registrant's name, address, phone number, and email. The email address is "admin@shopsmart.com". You also find a job posting on LinkedIn that mentions they are looking for a "Senior PHP Developer with experience in Laravel and MySQL". Additionally, by using the Wayback Machine, you find an old version of the site that includes a comment in the HTML source: "<!-- TODO: Remove debug page before launch: /dev/test.php -->". You attempt to access /dev/test.php but receive a 404 error. What should you do NEXT to maximize information gain while remaining passive?

A. Use Google dorking with site:shopsmart.com and filetype:php to find cached or indexed pages
B. Run a whois lookup on the IP address of the shared host
C. Try common file extensions for the debug page: test.asp, test.aspx, test.jsp
D. Perform a DNS brute force to find subdomains
Answer: A

Passive search via search engine.

Why this answer

Option A is correct because Google dorking with `site:shopsmart.com filetype:php` is a passive reconnaissance technique that leverages cached or indexed pages in Google’s search engine. This can reveal the old `/dev/test.php` page or other PHP files that may still be accessible via cached content, even if the live server returns a 404. It maximizes information gain without sending any direct traffic to the target, thus avoiding alarms.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance; the trap here is that candidates may choose an active option like DNS brute force or file extension guessing because it seems more direct, but the question explicitly requires remaining passive to avoid triggering alarms.

How to eliminate wrong answers

Option B is wrong because running a whois lookup on the IP address of the shared host will only reveal the hosting provider’s information, not the target company’s specific details, and it does not help locate the debug page or other hidden resources. Option C is wrong because trying common file extensions (test.asp, test.aspx, test.jsp) is an active probing technique that sends requests to the server, potentially triggering alarms, and it assumes the debug page uses a different technology stack than the PHP/Laravel environment indicated by the job posting. Option D is wrong because performing a DNS brute force to find subdomains is an active reconnaissance method that generates DNS queries, which can be logged by the target’s DNS server or security monitoring tools, and it does not directly help recover the specific `/dev/test.php` page.

7 · MCQ · medium

During footprinting, a tester finds that the target's DNS server allows recursive queries from the internet. What is the MOST significant security implication of this finding?

A. Unauthorized zone transfers are possible
B. The DNS server can be used for denial of service (amplification)
C. The DNS cache can be poisoned easily
D. The DNS server can be used for denial of service
Answer: D

Open recursion enables amplification DDoS.

Why this answer

Option D is correct because a DNS server that allows recursive queries from the internet can be exploited in a DNS amplification attack, a type of denial-of-service (DoS) attack. The attacker sends a small query with a spoofed source IP (the victim's IP) to the open recursive resolver, which responds with a much larger response (e.g., using the ANY record type), amplifying traffic up to 50-100 times. This floods the victim's network, making the DNS server an unwitting participant in the attack.

Exam trap

The trap here is that candidates confuse 'recursive queries' with 'zone transfers' or 'cache poisoning,' but the CEH exam specifically tests that open recursive resolvers are most critically used for DNS amplification DoS attacks, not for other DNS misconfigurations.

How to eliminate wrong answers

Option A is wrong because unauthorized zone transfers are a risk of misconfigured zone transfer permissions (e.g., allowing AXFR from any host), not directly caused by allowing recursive queries; recursive queries and zone transfers are separate DNS operations. Option B is wrong because it is essentially the same as option D but less precise — the specific attack is a DNS amplification DoS, not just any DoS, and the term 'denial of service (amplification)' is redundant and not the standard CEH phrasing; the correct answer is simply 'denial of service' as per CEH terminology. Option C is wrong because DNS cache poisoning (e.g., via Kaminsky attack) exploits vulnerabilities in query ID prediction or lack of DNSSEC, not the mere allowance of recursive queries; recursive resolution is a prerequisite for cache poisoning but not the most significant implication — amplification is more directly impactful and commonly tested.

8 · Multi-Select · hard

Which THREE of the following are valid pieces of information that can be gathered from a properly configured Netcraft site report? (Select exactly 3.)

Select 3 answers
A. Internal IP addresses of the servers
B. Hosting provider and country
C. Site's first seen date and uptime history
D. Web server software and version
E. Employee email addresses
Answers: B, C, D

Netcraft shows hosting location.

Why this answer

Netcraft site reports are derived from external, public-facing data sources, including DNS records, HTTP response headers, and historical crawl data. The hosting provider and country are identified by mapping the site's public IP address to WHOIS and BGP routing information, which is a standard part of Netcraft's passive reconnaissance.

Exam trap

EC-Council often tests the distinction between passive reconnaissance (which yields only public information) and active reconnaissance (which might reveal internal details), leading candidates to mistakenly assume that internal IPs or employee emails are obtainable from a public site report.

9 · MCQ · easy

A penetration tester is performing a footprinting exercise on a target company. The tester wants to identify the network range and ISP of the target. Which of the following tools or techniques is MOST appropriate for this purpose?

A. Query the Netcraft site for the domain
B. Perform a WHOIS lookup against the domain
C. Use nslookup to query the authoritative name servers
D. Run a traceroute to the target web server
Answer: B

WHOIS provides IP range and ISP info.

Why this answer

A WHOIS lookup against the target domain returns registration details that include the organization's network range (via the 'NetRange' or 'CIDR' fields) and the ISP (via the 'OrgName' or 'descr' fields). This directly maps to the footprinting goal of identifying the target's IP address block and upstream provider, as defined in RFC 3912 and common WHOIS database schemas.

Exam trap

The trap here is that candidates confuse DNS resolution (nslookup) or path tracing (traceroute) with ownership data, but only WHOIS provides the authoritative registration records for network blocks and ISPs.

How to eliminate wrong answers

Option A is wrong because Netcraft provides web server and hosting history, but its primary output is server software, uptime, and hosting provider, not the specific network range or ISP in a structured WHOIS format. Option C is wrong because nslookup queries DNS records (A, MX, NS, etc.) to resolve domain names to IP addresses or find name servers; it does not reveal the network range or ISP ownership of those IPs. Option D is wrong because traceroute maps the path packets take to a destination, revealing intermediate routers, but it does not directly disclose the target's network range or ISP; it only shows hop IPs, which require additional WHOIS lookups to interpret.

10 · MCQ · easy

What can be inferred from the output?

A. The domain has two mail servers with different priority levels.
B. The command failed because the DNS server is unreachable.
C. The domain uses SPF records to prevent email spoofing.
D. The domain's web server IP address is 192.168.1.1.
Answer: A

MX records with preferences 10 and 20 indicate two mail servers.

Why this answer

The output shows two MX records for the domain, each with a different priority value (e.g., 10 and 20). Lower priority numbers indicate higher preference, so the mail server with priority 10 is tried first, and the one with priority 20 is a backup. This directly indicates the domain has two mail servers with different priority levels, which is exactly what MX records are designed to convey.

Exam trap

The trap here is that candidates may confuse MX records with other DNS record types (like A or TXT) and incorrectly infer unrelated information such as SPF usage or web server IPs, or assume the command failed when it clearly succeeded.

How to eliminate wrong answers

Option B is wrong because the command successfully returned MX records, proving the DNS server is reachable and the query did not fail. Option C is wrong because SPF records are stored as TXT records, not MX records, and the output only shows MX records, so no inference about SPF can be made. Option D is wrong because MX records contain mail server hostnames and their IP addresses are resolved separately via A or AAAA records; the output does not show any web server IP address, and 192.168.1.1 is a private IP that would not appear in public DNS for a domain's web server.

11 · Drag & Drop · medium

Drag and drop the steps to set up a VPN using IPsec in tunnel mode into the correct order.



Why this order

IPsec setup: Phase 1, Phase 2, traffic selectors, apply policies, test.

12 · Multi-Select · medium

Which TWO of the following tools are commonly used for passive reconnaissance?

Select 2 answers
A. theHarvester
B. nmap
C. Netcat
D. Metasploit
E. Shodan
Answers: A, E

theHarvester gathers information from public sources passively.

Why this answer

theHarvester is a passive reconnaissance tool that gathers information from public sources such as search engines (Google, Bing), PGP key servers, and the Shodan API without directly interacting with the target network. It collects email addresses, subdomains, IPs, and employee names by querying publicly available data, making it a purely passive technique.

Exam trap

EC-Council often tests the distinction that tools like nmap and Netcat are active because they send packets to the target, while theHarvester and Shodan (when querying its database) rely on third-party collected data, making them passive.

13 · MCQ · medium

You are a penetration tester for a security firm. Your client, Acme Corp, has requested an external reconnaissance assessment. They have provided their primary domain 'acme.com'. You begin by performing passive footprinting using public sources. After gathering initial information, you want to identify their email servers, subdomains, and any exposed services. You also want to map their network infrastructure without directly interacting with their systems to avoid detection. Which course of action should you take next?

A. Call Acme Corp's IT help desk posing as an employee to ask about their email server configuration.
B. Use Shodan to search for Acme Corp's IP ranges and perform DNS enumeration to discover subdomains and mail servers.
C. Perform a traceroute to Acme Corp's web server to map the network path.
D. Run an Nmap scan against the entire IP range of Acme Corp to identify open ports and services.
Answer: B

Shodan provides passive information on exposed services, and DNS enumeration is passive.

Why this answer

Option B is correct because Shodan allows passive identification of exposed services, including email servers and subdomains, by querying its indexed data of internet-facing devices without sending any packets to Acme Corp's systems. DNS enumeration can then be performed passively using public DNS records (e.g., MX, NS, A records) to map subdomains and mail servers, fulfilling the requirement to avoid direct interaction and detection.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance, and the trap here is that candidates may confuse Shodan (passive) with Nmap (active), or think traceroute is passive because it's a common network diagnostic tool.

How to eliminate wrong answers

Option A is wrong because calling the help desk is active social engineering, not passive reconnaissance, and directly interacts with the client's personnel, which violates the requirement to avoid detection. Option C is wrong because traceroute sends ICMP or UDP packets that directly interact with Acme Corp's routers and firewalls, which is active probing and can be logged or trigger alerts. Option D is wrong because running an Nmap scan sends crafted packets to target systems, which is active scanning that directly interacts with Acme Corp's network and can be detected by intrusion detection systems.

14 · MCQ · medium

An ethical hacker runs the command shown in the exhibit. Which of the following conclusions can be drawn from the output?

A. The domain has two mail exchange servers
B. The DNS server is configured to block zone transfers
C. Mail is automatically forwarded to a backup server
D. The domain has an SPF record configured
Answer: A

Two MX records indicate two servers.

Why this answer

The output shows two MX records for the domain, each with a preference value (10 and 20). MX records specify mail exchange servers, and the presence of two distinct entries indicates the domain has two mail exchange servers. The lower preference value (10) is the primary server, and the higher value (20) is a secondary or backup server.

Exam trap

The trap here is that candidates may assume multiple MX records imply automatic forwarding or failover, but in reality, the secondary server only receives mail if the primary is unreachable, and forwarding is a separate server-side configuration.

How to eliminate wrong answers

Option B is wrong because the output does not show any attempt to perform a zone transfer (e.g., using `dig axfr` or `nslookup -type=axfr`), nor does it include an error message or response indicating a zone transfer block; it only displays MX records. Option C is wrong because mail forwarding to a backup server is not automatically determined by the presence of multiple MX records; the backup server is explicitly configured with a higher preference value, and forwarding behavior depends on the mail server configuration, not the DNS records alone. Option D is wrong because the output shows only MX records, not TXT records; SPF records are stored in TXT records (or SPF RR type, though deprecated), and no TXT record is displayed in the output.

15 · MCQ · hard

During a penetration test, you discover that the target organization uses a cloud-based email service. Which technique would allow you to gather employee email addresses and potentially infer internal organizational structure?

A. Perform a WHOIS lookup on the domain
B. Attempt a DNS zone transfer
C. Run an nmap scan against the mail server
D. Use Google dorking to find publicly exposed email lists
Answer: D

Google dorks can locate files containing email addresses.

Why this answer

Google dorking (advanced search operators) can uncover publicly exposed documents, such as PDFs or spreadsheets, that contain employee email addresses. These documents are often indexed by search engines and can reveal email patterns (e.g., first.last@company.com) and departmental groupings, allowing inference of the internal organizational structure without interacting directly with the target's infrastructure.

Exam trap

The trap here is that candidates often confuse active reconnaissance techniques (like DNS zone transfer or nmap scanning) with passive information gathering, assuming they are the primary way to collect email addresses, when in fact publicly indexed documents via Google dorking are a simpler and more effective passive method.

How to eliminate wrong answers

Option A is wrong because WHOIS lookup returns domain registration details (registrant, admin contact, name servers) but not employee email addresses or organizational structure. Option B is wrong because DNS zone transfer (AXFR request) is typically disabled on modern DNS servers; even if successful, it reveals hostnames and IP addresses, not employee email addresses. Option C is wrong because an nmap scan against the mail server identifies open ports and services (e.g., SMTP, IMAP) but does not extract email addresses or organizational hierarchy.

16 · Matching · medium

Match each CEH phase to its key activity.



Gathering information about the target

Identifying live hosts, open ports, and services

Exploiting vulnerabilities to enter the system

Installing backdoors for persistent access

Clearing logs and hiding evidence

Why these pairings

These are the five phases of ethical hacking as per EC-Council.

17 · MCQ · hard

A security analyst is tasked with performing passive reconnaissance on a target organization. Which of the following is the BEST approach to gather information about the target's technology stack without directly interacting with the target's systems?

A. Engage in social engineering via phone calls
B. Use Shodan to search for target infrastructure
C. Initiate a DNS zone transfer request
D. Perform a port scan with Nmap
Answer: B

Shodan indexes public data passively.

Why this answer

Shodan is a search engine that indexes banners from internet-connected devices, allowing an analyst to discover a target's exposed services, open ports, and technology stack (e.g., web servers, SSH versions, IoT devices) without sending any packets to the target's systems. This makes it a purely passive reconnaissance technique, as it relies on Shodan's pre-collected data rather than direct interaction.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse Shodan (a passive, third-party data source) with active tools like Nmap or DNS zone transfers, which require direct interaction with the target's systems.

How to eliminate wrong answers

Option A is wrong because social engineering via phone calls involves direct interaction with the target's employees, which is an active technique and risks alerting the target. Option C is wrong because initiating a DNS zone transfer request sends a query to the target's DNS server, which is an active interaction that can be logged and often fails due to RFC 1035 restrictions (zone transfers are typically disabled). Option D is wrong because performing a port scan with Nmap sends packets directly to the target's IP addresses, making it an active reconnaissance method that can be detected by intrusion detection systems.

18 · MCQ · easy

Refer to the exhibit. An attacker runs the nslookup command shown. What information has been gathered?

A. Mail server addresses and priority
B. Name server records
C. IP addresses of the web server
D. SPF records for email authentication
Answer: A

MX records show mail servers and their priority.

Why this answer

The nslookup command with the -type=MX query returns mail exchange (MX) records for the domain. The output shows mail server hostnames and their associated priority values (e.g., 10, 20), which indicate the order in which mail servers should be used. This directly reveals the mail server addresses and their priority, making option A correct.

Exam trap

The trap here is that candidates confuse DNS record types—specifically, they may think MX records return IP addresses or SPF data, when in fact MX only returns mail server hostnames and priorities.

How to eliminate wrong answers

Option B is wrong because name server (NS) records are retrieved using -type=NS, not -type=MX; the output shows no NS records. Option C is wrong because IP addresses of the web server are obtained via A or AAAA records, not MX records; MX records only provide mail server hostnames, not web server IPs. Option D is wrong because SPF records are stored as TXT records, not MX records; the -type=MX query does not return SPF data.
