CEH · topic practice

Footprinting and Reconnaissance practice questions

Practise Certified Ethical Hacker CEH Footprinting and Reconnaissance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
18 questionsDomain: Footprinting and Reconnaissance

What the exam tests

What to know about Footprinting and Reconnaissance

Footprinting and Reconnaissance questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Footprinting and Reconnaissance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Footprinting and Reconnaissance questions

18 questions · select your answer, then reveal the explanation

A penetration tester is performing a footprinting exercise on a target company. The tester wants to identify the network range and ISP of the target. Which of the following tools or techniques is MOST appropriate for this purpose?

During the reconnaissance phase, a tester discovers that the target company's email server is configured to automatically respond to delivery status notifications (DSNs). Which type of attack could this information facilitate?

A security analyst is tasked with performing passive reconnaissance on a target organization. Which of the following is the BEST approach to gather information about the target's technology stack without directly interacting with the target's systems?

An ethical hacker wants to discover subdomains of a target domain using only public information. Which of the following techniques is MOST effective?

Question 5mediummultiple choice
Read the full DNS explanation →

During footprinting, a tester finds that the target's DNS server allows recursive queries from the internet. What is the MOST significant security implication of this finding?

Which TWO of the following are examples of passive footprinting techniques? (Select exactly 2.)

Which THREE of the following are valid pieces of information that can be gathered from a properly configured Netcraft site report? (Select exactly 3.)

An ethical hacker runs the command shown in the exhibit. Which of the following conclusions can be drawn from the output?

Exhibit

Refer to the exhibit.

```
C:\Users\tester> nslookup -type=MX exampledomain.com
Server:  dns.example.com
Address:  192.168.1.1

exampledomain.com
        MX preference = 10, mail exchanger = mail1.exampledomain.com
        MX preference = 20, mail exchanger = mail2.exampledomain.com
```

You are a penetration tester hired to perform a security assessment for a medium-sized e-commerce company, "ShopSmart". The company hosts its website on a shared hosting environment and uses a third-party payment gateway. Your goal is to gather as much information as possible without triggering any alarms. During the initial footprinting, you discover that the company's domain "shopsmart.com" was registered five years ago and the WHOIS record shows the registrant's name, address, phone number, and email. The email address is "admin@shopsmart.com". You also find a job posting on LinkedIn that mentions they are looking for a "Senior PHP Developer with experience in Laravel and MySQL". Additionally, by using the Wayback Machine, you find an old version of the site that includes a comment in the HTML source: "<!-- TODO: Remove debug page before launch: /dev/test.php -->". You attempt to access /dev/test.php but receive a 404 error. What should you do NEXT to maximize information gain while remaining passive?

During a penetration test, you are tasked with performing footprinting on a target organization. You have identified the target's IP range 192.168.1.0/24. Which of the following techniques would provide the most comprehensive information about the target's network topology and potential entry points?

Which TWO of the following tools are specifically designed for footprinting and reconnaissance tasks? (Select two.)

What can be inferred from the output?

Exhibit

Refer to the exhibit.
```
C:\Users\test>nslookup -type=MX example.com
Server:  dns.company.com
Address:  192.168.1.1

example.com     MX preference = 10, mail exchanger = mail1.example.com
example.com     MX preference = 20, mail exchanger = mail2.example.com
```

You are a penetration tester for a security firm. Your client, Acme Corp, has requested an external reconnaissance assessment. They have provided their primary domain 'acme.com'. You begin by performing passive footprinting using public sources. After gathering initial information, you want to identify their email servers, subdomains, and any exposed services. You also want to map their network infrastructure without directly interacting with their systems to avoid detection. Which course of action should you take next?

During a penetration test, you discover that the target organization uses a cloud-based email service. Which technique would allow you to gather employee email addresses and potentially infer internal organizational structure?

Which TWO of the following tools are commonly used for passive reconnaissance?

Refer to the exhibit. An attacker runs the nslookup command shown. What information has been gathered?

Exhibit

Refer to the exhibit.

C:\>nslookup -type=MX example.com
Server:  dns.example.com
Address:  192.0.2.10

example.com     MX preference = 10, mail exchanger = mail1.example.com
example.com     MX preference = 20, mail exchanger = mail2.example.com
Question 17mediumdrag order
Read the full VPN explanation →

Drag and drop the steps to set up a VPN using IPsec in tunnel mode into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Match each CEH phase to its key activity.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Gathering information about the target

Identifying live hosts, open ports, and services

Exploiting vulnerabilities to enter the system

Installing backdoors for persistent access

Clearing logs and hiding evidence

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Footprinting and Reconnaissance sessions

Start a Footprinting and Reconnaissance only practice session

Every question in these sessions is drawn from the Footprinting and Reconnaissance domain — nothing else.

Related practice questions

Related CEH topic practice pages

Move into related areas when this topic feels solid.

Footprinting, Reconnaissance and Scanning practice questions

Practise CEH questions linked to Footprinting, Reconnaissance and Scanning.

Enumeration and System Hacking practice questions

Practise CEH questions linked to Enumeration and System Hacking.

Malware, Social Engineering and Network Attacks practice questions

Practise CEH questions linked to Malware, Social Engineering and Network Attacks.

Web Application and Injection Attacks practice questions

Practise CEH questions linked to Web Application and Injection Attacks.

Introduction to Ethical Hacking practice questions

Practise CEH questions linked to Introduction to Ethical Hacking.

Scanning Networks and Enumeration practice questions

Practise CEH questions linked to Scanning Networks and Enumeration.

Vulnerability Analysis and System Hacking practice questions

Practise CEH questions linked to Vulnerability Analysis and System Hacking.

Advanced Topics: Wireless, Cloud, IoT, Cryptography practice questions

Practise CEH questions linked to Advanced Topics: Wireless, Cloud, IoT, Cryptography.

Footprinting and Reconnaissance practice questions

Practise CEH questions linked to Footprinting and Reconnaissance.

Network and Web Application Attacks practice questions

Practise CEH questions linked to Network and Web Application Attacks.

Wireless, IoT and Cloud Security practice questions

Practise CEH questions linked to Wireless, IoT and Cloud Security.

Cryptography and Malware Analysis practice questions

Practise CEH questions linked to Cryptography and Malware Analysis.

Frequently asked questions

What does the CEH exam test about Footprinting and Reconnaissance?
Footprinting and Reconnaissance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Footprinting and Reconnaissance questions in a focused session?
Yes — the session launcher on this page draws every question from the Footprinting and Reconnaissance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CEH topics?
Use the topic links above to move to related areas, or go back to the CEH question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CEH exam covers. They are not copied from any real exam or dump site.