CCNA Ceh Recon Scanning Questions

5 of 155 questions · Page 3/3 · Ceh Recon Scanning topic · Answers revealed

151 · MCQ · easy

A security analyst wants to discover all DNS records associated with a domain without triggering a full zone transfer. Which tool is BEST suited for this task?

A. theHarvester
B. dig
C. nslookup
D. dnsrecon
Answer: D

dnsrecon is a powerful DNS enumeration script that can query multiple record types and perform subdomain brute-forcing.

Why this answer

D (dnsrecon) is correct because it is a dedicated DNS enumeration tool. Its standard enumeration queries the common record types (SOA, NS, MX, A, AAAA, SRV, TXT and so on) directly, and its other modes brute-force subdomains from a wordlist and enumerate well-known SRV names, all without a zone transfer: dnsrecon only attempts AXFR when asked to (`-t axfr`, or `-a` alongside the standard scan). It was built for reconnaissance and surfaces records that a handful of manual single-type lookups would miss.

Exam trap

EC-Council often tests the misconception that nslookup or dig are sufficient for comprehensive DNS discovery, but the question specifically asks for a tool that discovers *all* DNS records without a zone transfer, which requires automated enumeration beyond single‑query tools.

How to eliminate wrong answers

Option A (theHarvester) is wrong because it is primarily an OSINT tool for e-mail addresses, names, hostnames and subdomains harvested from search engines and public data sources; it does not walk the DNS record types itself. Option B (dig) is wrong because, although it can query any single record type, it needs one query per type and does not automate discovery; `dig ANY` is not a substitute, since many authoritative servers now answer ANY with a minimal response (RFC 8482) rather than the full record set. Option C (nslookup) is wrong because it is an older lookup utility that likewise performs one query at a time, interactively or from the command line, and has none of dnsrecon's enumeration features.

152 · MCQ · easy

A security analyst wants to perform passive reconnaissance on a target organization without generating any traffic to the target's network. Which of the following techniques would be MOST appropriate?

A. Running Nmap SYN scan
B. Executing hping3 to probe ports
C. Using Netcat to connect to a service
D. Performing a WHOIS lookup
Answer: D

WHOIS lookups query public databases and do not contact the target's servers, making them passive.

Why this answer

A WHOIS lookup is passive reconnaissance: it queries a registry or registrar WHOIS server (the registry's server for a domain name, or whois.arin.net for IP address allocations in ARIN's region) for registration details. The registry sees the query; the target organization does not. No packet reaches the target's infrastructure, so the technique generates zero traffic to the target.

Exam trap

The trap here is that candidates confuse active scanning tools (Nmap, hping3, Netcat) with passive information gathering, failing to recognize that any direct packet transmission to the target constitutes active reconnaissance.

How to eliminate wrong answers

Option A is wrong because Nmap SYN scan sends crafted TCP SYN packets directly to the target's IP addresses, generating detectable network traffic. Option B is wrong because hping3 actively sends custom packets (e.g., TCP, UDP, ICMP) to probe ports and services, which creates traffic to the target. Option C is wrong because Netcat establishes a TCP or UDP connection to a target service, actively interacting with the target's network and generating traffic.

153 · MCQ · medium

A security team observes repeated Nmap scans from an external IP address. The scans show fragmented IP packets. Which evasion technique is the attacker using?

A. Fragmentation
B. Decoy scan
C. ACK scan
D. Idle scan
Answer: A

Fragmentation splits packets to evade detection.

Why this answer

The attacker is using fragmentation: Nmap splits each probe's TCP header across several small IP fragments, so no single fragment carries the whole header. A packet filter or IDS that judges fragments individually, without reassembling them, sees the ports in one fragment and the TCP flags in another and may pass the probe or fail to match a signature. Nmap's `-f` flag produces fragments of 8 bytes or less after the IP header (`-ff` uses 16), and `--mtu` sets a custom size that must be a multiple of 8; both need raw-packet privileges and apply only to raw-packet scan types, not to a connect scan. The practical caveat: modern IDS engines and the target's own IP stack reassemble fragments before inspection, and many firewalls drop fragments outright, so this evades simple stateless inspection rather than providing a reliable bypass.

Exam trap

EC-Council often tests the distinction between fragmentation and decoy scans, as candidates may confuse 'splitting packets' with 'spoofing IPs' due to both being evasion techniques.

How to eliminate wrong answers

Option B (Decoy scan, `-D`) is wrong because it hides the real source among spoofed decoy addresses; the packets themselves are whole. Option C (ACK scan, `-sA`) is wrong because it sends TCP ACK packets to map which ports a stateless firewall filters, not fragmented packets. Option D (Idle scan, `-sI`) is wrong because it spoofs probes as if they came from a zombie host and infers port state from changes in the zombie's IP ID counter; it hides the scanner's address, not the packet structure.

154 · MCQ · medium

A penetration tester receives the following output from a tool: 'Starting dnsrecon.py -d example.com -t axfr' and then a list of all DNS records. Which of the following BEST describes what occurred?

A. A DNSSEC validation check was completed
B. A successful DNS zone transfer was performed, revealing all DNS records for the domain
C. A DNS cache snooping attack was executed
D. A reverse DNS lookup was performed to find domain names from IP addresses
Answer: B

AXFR is the zone transfer request (query type 252, carried over TCP). A server that permits it to arbitrary clients returns every record in the zone, which is what the listing shows.

Why this answer

The output shows dnsrecon run with `-t axfr`, which requests a zone transfer (AXFR) from the domain's name servers. Zone transfers exist to replicate a zone from a primary server to its secondaries; when a server answers them for anyone, an attacker obtains the complete zone in one query: every host name, IP address, mail server and service record. A full listing in the output confirms the target's server permitted the transfer. A properly configured server refuses AXFR except from its designated secondaries (restricted by source address and, preferably, a TSIG key), and dnsrecon would then report the failed transfer instead of listing records.

Exam trap

The trap here is that candidates may confuse the '-t axfr' zone transfer flag with other DNS reconnaissance techniques like cache snooping or DNSSEC validation, but the key indicator is the explicit request for a full zone transfer and the resulting complete list of DNS records.

How to eliminate wrong answers

Option A is wrong because DNSSEC validation checks use cryptographic signatures (RRSIG, DNSKEY records) to verify data integrity, not a zone transfer command like '-t axfr'. Option C is wrong because DNS cache snooping involves querying a recursive resolver to determine if a specific record is cached, not performing a full zone transfer to list all records. Option D is wrong because a reverse DNS lookup uses PTR records to map IP addresses to domain names, whereas the output explicitly shows a zone transfer of all DNS records for a domain, not a reverse lookup.
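The queries behind questions 151 and 154 at the wire level, as an added example that is not dnsrecon's code: one standard query per record type for ordinary enumeration, a single AXFR query (QTYPE 252) for a zone transfer, and a parser for the server's reply. Both server replies (a REFUSED answer and a full zone listing) are constructed inside the script so it runs offline; example.com, the addresses and the zone contents are made up for the demo. A real AXFR is sent over TCP port 53 with a two-byte length prefix, which is omitted here.

```python
import struct

# Record type codes from RFC 1035; AXFR (252) is the whole-zone request (RFC 5936).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "AXFR": 252}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    # "example.com" -> b"\x07example\x03com\x00" (uncompressed wire form)
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype, qid=0x1234):
    """Standard query: 12-byte header with RD set, then one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def enumeration_queries(domain, types=("A", "AAAA", "NS", "MX", "TXT", "SOA")):
    """The per-type query set a non-AXFR enumeration sends, one packet per type."""
    return {t: build_query(domain, t) for t in types}


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_rdata(msg, rtype, off, rdlen):
    """Render the RDATA of the types dnsrecon reports most; others as hex."""
    if rtype == 1:
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5):
        return decode_name(msg, off)[0]
    if rtype == 15:
        pref = struct.unpack("!H", msg[off:off + 2])[0]
        return "%d %s" % (pref, decode_name(msg, off + 2)[0])
    if rtype == 6:
        mname, o = decode_name(msg, off)
        rname, o = decode_name(msg, o)
        return "%s %s serial=%d" % (mname, rname, struct.unpack("!I", msg[o:o + 4])[0])
    if rtype == 16:
        return msg[off + 1:off + 1 + msg[off]].decode()
    return msg[off:off + rdlen].hex()


def parse_response(msg):
    """Return (rcode name, [(owner, type name, rdata), ...]) from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), answers


def _rr(owner, rtype, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata


def build_axfr_reply(refused=False):
    """Constructed reply to 'example.com AXFR': a REFUSED answer (the hardened case)
    or the whole zone, SOA first and last, as a permissive server would send it."""
    q = encode_name("example.com") + struct.pack("!HH", 252, 1)
    if refused:
        return struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + q   # rcode 5
    apex = b"\xC0\x0C"                                 # pointer to the qname at offset 12
    soa = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
           + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 300))
    rrs = [_rr(apex, 6, soa),
           _rr(apex, 2, encode_name("ns1.example.com")),
           _rr(b"\x03www" + apex, 1, bytes([203, 0, 113, 10])),
           _rr(apex, 15, struct.pack("!H", 10) + encode_name("mail.example.com")),
           _rr(apex, 16, b"\x0bv=spf1 -all"),
           _rr(apex, 6, soa)]
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0) + q + b"".join(rrs)


if __name__ == "__main__":
    for t, q in enumeration_queries("example.com").items():
        print("%-4s %s" % (t, q.hex()))
    for reply in (build_axfr_reply(refused=True), build_axfr_reply()):
        rcode, rrs = parse_response(reply)
        print(rcode, *("%s %s %s" % rr for rr in rrs), sep="\n  ")
```

The refused reply is what a hardened server returns; the permissive one is the shape of the listing in the question, and the two SOA records bracketing it are how a client knows the transfer is complete.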

155 · Multi-Select · hard

Which THREE of the following Nmap options can be used to evade detection by IDS/IPS? (Select three)

Select 3 answers
A. -sV (version detection)
B. -f (fragment packets)
C. -sI (idle scan)
D. -D (decoy scan)
E. -O (OS detection)
Answers: B, C, D

Fragmentation evades packet inspection.

Why this answer

Option B is correct because `-f` splits each probe's TCP header into 8-byte (or smaller) IP fragments, so no single fragment contains both the port numbers and the TCP flags; inspection that does not reassemble fragments cannot match a "SYN to port X" signature. Option C is correct because an idle scan (`-sI`) sends probes with the source address spoofed to a zombie host and reads the port state from the zombie's IP ID sequence, so the target's logs show the zombie, not the scanner. Option D is correct because a decoy scan (`-D`) interleaves the real probes with identical probes spoofed from decoy addresses, leaving the sensor with a list of candidate sources rather than one. None of the three is reliable against an IDS that reassembles fragments, a zombie with randomized IP IDs, or upstream anti-spoofing filters, but all three exist specifically to obscure the scan from detection.

Exam trap

The trap here is that candidates often think version detection (-sV) or OS detection (-O) are stealthy because they provide detailed information, but they actually generate more traffic and distinctive patterns that IDS/IPS easily flag.
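What `-f` from question 155 (and the fragmented scans observed in question 153) actually puts on the wire, as an added example that is not Nmap's code: a SYN probe is built, split into 8-byte IP fragments with correct offsets and MF bits, and handed to two inspectors, one that judges each fragment on its own and one that reassembles first. The addresses and ports are constructed for the demo, and nothing is sent; the packets are only bytes in memory.

```python
import struct

MF = 0x2000   # IPv4 "more fragments" bit; the low 13 bits are the offset in 8-byte units
DF = 0x4000   # "don't fragment" bit, set on an ordinary SYN


def checksum(data):
    """One's-complement sum used by both the IPv4 header and TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def addr(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ip_header(src, dst, payload_len, ident, frag_field, proto=6):
    """20-byte IPv4 header; frag_field = flags | (fragment offset in 8-byte units)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      frag_field, 64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn(src, dst, sport, dport, seq=0x1000):
    """20-byte TCP header with only SYN set; checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)
    pseudo = addr(src) + addr(dst) + struct.pack("!BBH", 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def unfragmented_probe(src, dst, dport):
    """What a plain `nmap -sS` SYN to dport looks like: one packet, DF set."""
    tcp = tcp_syn(src, dst, 40000, dport)
    return ip_header(src, dst, len(tcp), 0xBEEF, DF) + tcp


def fragment_probe(src, dst, dport, chunk=8):
    """The same probe the way `-f` emits it: `chunk` bytes of TCP per IP fragment.
    -f uses 8 bytes, -ff 16; --mtu must be a multiple of 8 because the offset
    field counts 8-byte units."""
    if chunk % 8:
        raise ValueError("fragment size must be a multiple of 8")
    tcp = tcp_syn(src, dst, 40000, dport)
    pieces = [tcp[i:i + chunk] for i in range(0, len(tcp), chunk)]
    frags = []
    for i, piece in enumerate(pieces):
        flags = MF if i < len(pieces) - 1 else 0
        frags.append(ip_header(src, dst, len(piece), 0xBEEF, flags | (i * chunk // 8)) + piece)
    return frags


def split_ip(pkt):
    """(ident, more_fragments, offset_in_bytes, proto, payload) of one IPv4 packet."""
    ident, frag = struct.unpack("!HH", pkt[4:8])
    ihl = (pkt[0] & 0x0F) * 4
    return ident, bool(frag & MF), (frag & 0x1FFF) * 8, pkt[9], pkt[ihl:]


def syn_to_port_in_single_packet(pkt, port):
    """A fragment-unaware rule: it needs the destination port (TCP bytes 2-3) and
    the flags byte (TCP byte 13) in *this* packet. With 8-byte fragments the port
    sits in fragment 0 and the flags in fragment 1, so the rule never fires."""
    _, _, offset, proto, payload = split_ip(pkt)
    if proto != 6 or offset != 0 or len(payload) < 14:
        return False
    dport, flags = struct.unpack("!H", payload[2:4])[0], payload[13]
    return dport == port and bool(flags & 0x02)


def reassemble(frags):
    """What a defragmenting IDS (or the target's IP stack) does before inspecting:
    order by offset, require contiguity, require MF clear on the last piece."""
    parts = sorted((split_ip(f) for f in frags), key=lambda p: p[2])
    data, expected = b"", 0
    for _, _, offset, _, payload in parts:
        if offset != expected:
            raise ValueError("gap or overlap at byte offset %d" % offset)
        data, expected = data + payload, expected + len(payload)
    if parts[-1][1]:
        raise ValueError("last fragment still has MF set")
    src, dst = ".".join(map(str, frags[0][12:16])), ".".join(map(str, frags[0][16:20]))
    return ip_header(src, dst, len(data), parts[0][0], 0, parts[0][3]) + data


def tcp_checksum_ok(pkt):
    """True when the TCP segment inside pkt verifies, i.e. reassembly was lossless."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    frags = fragment_probe("192.0.2.10", "198.51.100.5", 22)
    for f in frags:
        _, more, offset, _, payload = split_ip(f)
        print("fragment offset=%2d len=%d MF=%s  'SYN to 22' matches: %s"
              % (offset, len(payload), more, syn_to_port_in_single_packet(f, 22)))
    whole = reassemble(frags)
    print("after reassembly: match=%s checksum_ok=%s"
          % (syn_to_port_in_single_packet(whole, 22), tcp_checksum_ok(whole)))
```

The per-fragment inspector returns False for all three pieces, while the reassembling one matches the SYN and verifies the TCP checksum, which is exactly the difference between the sensors `-f` evades and the ones it does not.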
