CEH · topic practice

Footprinting, Reconnaissance and Scanning practice questions

Practise Certified Ethical Hacker CEH Footprinting, Reconnaissance and Scanning practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Footprinting, Reconnaissance and Scanning

What the exam tests

What to know about Footprinting, Reconnaissance and Scanning

Footprinting, Reconnaissance and Scanning questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Footprinting, Reconnaissance and Scanning exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Footprinting, Reconnaissance and Scanning questions

20 questions · select your answer, then reveal the explanation

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

During a passive reconnaissance phase, a penetration tester uses a tool to gather email addresses, subdomains, and employee names associated with a target domain without directly interacting with the target's systems. Which tool is BEST suited for this purpose?

A security analyst notices unusual outbound traffic from an internal server to a known malicious IP address on port 4444. The server is running a web application that was recently scanned using a vulnerability scanner. Which of the following is the MOST likely cause?

Question 4 · hard · multiple choice

During a penetration test, you execute the following command: dnsrecon -d example.com -t axfr. The output shows 'AXFR record received' followed by a list of all DNS records. What does this indicate about the target's DNS configuration?

Which Google dork would a penetration tester use to find login pages of websites that have 'admin' in the URL?

A security team wants to identify all live hosts on a large, Class B private IP network (172.16.0.0/16) as quickly as possible while minimizing network load. Which tool and technique should they use?

Question 7 · hard · multiple choice

During a penetration test, you run the following Nmap command: nmap -sS -sV -O -A -T4 --script=default 10.0.0.1. The scan results show that port 443 is open and the service is 'Apache httpd 2.4.29'. However, banner grabbing with Netcat shows 'Apache/2.4.41 (Ubuntu)'. What is the MOST likely explanation for the discrepancy?

A security analyst is conducting a vulnerability scan on a web server using Nessus. After the scan, they notice that the server's performance has degraded significantly, and some services have become unresponsive. Which of the following actions could have prevented this issue?

During a security assessment, a tester uses Maltego to gather information about a target organization. Which type of reconnaissance is being performed?

A penetration tester is attempting to evade an IDS/IPS while performing a port scan. They use the Nmap command: nmap -sS -f --data-length 20 -D RND:10 10.0.0.1. Which techniques are being employed to evade detection?

Question 11 · medium · multiple choice

A security analyst receives an alert about a scan originating from an IP address that appears to be using a 'sIdle scan' technique. Which of the following characteristics would confirm this?

A junior penetration tester runs the command: whois example.com. What type of information are they MOST likely trying to obtain?

A security analyst is planning a reconnaissance activity that must remain undetected. Which TWO of the following techniques should they choose?

Question 14 · hard · multi select

During a penetration test, you need to enumerate all DNS records for example.com using a zone transfer. Which TWO tools can be used to attempt this?

Which THREE of the following are valid Nmap port states?

A security analyst wants to perform passive reconnaissance on a target organization without generating any traffic to the target's network. Which of the following techniques would be MOST appropriate?

Which of the following tools is specifically designed to perform Google dorking and automate searching for vulnerable web applications and sensitive information?

During a penetration test, you need to identify all live hosts on a target network without being detected by intrusion detection systems. Which Nmap flag would BEST achieve this?

A penetration tester executes the following command: nmap -sS -p 1-1000 --script banner 192.168.1.10. After the scan, the tester notices several filtered ports. Which of the following BEST explains why Nmap reports a port as "filtered"?

Question 20 · medium · multiple choice

A security analyst is performing reconnaissance on a target domain and wants to discover all subdomains using DNS enumeration. Which of the following commands would be MOST effective for performing a DNS zone transfer attempt?

Focused Footprinting, Reconnaissance and Scanning sessions

Start a Footprinting, Reconnaissance and Scanning only practice session

Every question in these sessions is drawn from the Footprinting, Reconnaissance and Scanning domain — nothing else.

Related practice questions

Related CEH topic practice pages

Move into related areas when this topic feels solid.

Footprinting, Reconnaissance and Scanning practice questions

Practise CEH questions linked to Footprinting, Reconnaissance and Scanning.

Enumeration and System Hacking practice questions

Practise CEH questions linked to Enumeration and System Hacking.

Malware, Social Engineering and Network Attacks practice questions

Practise CEH questions linked to Malware, Social Engineering and Network Attacks.

Web Application and Injection Attacks practice questions

Practise CEH questions linked to Web Application and Injection Attacks.

Introduction to Ethical Hacking practice questions

Practise CEH questions linked to Introduction to Ethical Hacking.

Scanning Networks and Enumeration practice questions

Practise CEH questions linked to Scanning Networks and Enumeration.

Vulnerability Analysis and System Hacking practice questions

Practise CEH questions linked to Vulnerability Analysis and System Hacking.

Advanced Topics: Wireless, Cloud, IoT, Cryptography practice questions

Practise CEH questions linked to Advanced Topics: Wireless, Cloud, IoT, Cryptography.

Footprinting and Reconnaissance practice questions

Practise CEH questions linked to Footprinting and Reconnaissance.

Network and Web Application Attacks practice questions

Practise CEH questions linked to Network and Web Application Attacks.

Wireless, IoT and Cloud Security practice questions

Practise CEH questions linked to Wireless, IoT and Cloud Security.

Cryptography and Malware Analysis practice questions

Practise CEH questions linked to Cryptography and Malware Analysis.

Frequently asked questions

What does the CEH exam test about Footprinting, Reconnaissance and Scanning?
Footprinting, Reconnaissance and Scanning questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Footprinting, Reconnaissance and Scanning questions in a focused session?
Yes — the session launcher on this page draws every question from the Footprinting, Reconnaissance and Scanning domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CEH topics?
Use the topic links above to move to related areas, or go back to the CEH question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CEH exam covers. They are not copied from any real exam or dump site.