CEH v13 Domain 2.1 Practice Test 004

This practice test covers Domain 2 (Reconnaissance Techniques) Subdomain 1 (Footprinting and Reconnaissance) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 2.1 Practice Test 004

10 questions • 8 single-answer, 2 multi-select

Question 1

A security analyst performing a pre-engagement information gathering phase uses advanced search engine operators to discover publicly indexed login portals, exposed configuration files, and internal directory listings belonging to a target organization's web infrastructure. She inputs specific syntax combinations into a major search engine to filter results to files with sensitive extensions hosted on the target's domain, without directly accessing any of the target's systems. Which footprinting technique is she using?

A. WHOIS Lookup B. Email Header Analysis C. Google Hacking / Dorking D. Banner Grabbing

Question 2

Kevin, targeting a mid-sized e-commerce company, sends a specially crafted request to the target's primary nameserver that, due to a server misconfiguration, returns the complete list of all hostnames, IP addresses, and mail server records registered in the domain's name space. He successfully maps the entire internal DNS record structure, revealing subdomains and infrastructure details not visible through standard individual queries. Which reconnaissance method did Kevin use?

A. Passive DNS Replication B. DNS Zone Transfer C. WHOIS Enumeration D. Reverse IP Lookup

Question 3

An enterprise red team consultant needs to gather registration details, administrative contact information, name server assignments, and domain expiration dates for a target organization's public-facing domains without triggering any network-level detection. She queries an Internet registration database using the target's domain name as input and receives structured records maintained by the regional registry. Which passive reconnaissance technique did she use?

A. DNS Zone Transfer B. WHOIS Lookup C. Google Dorking D. Shodan Query

Question 4

Select all that apply

Elijah, a red team operator at a managed security services provider, is in the passive information gathering phase of an engagement and must identify tools specifically designed for automated open-source intelligence collection and relationship mapping of target entities. His team lead requires that all tools used must operate without directly probing the target's infrastructure. Which two tools from the list below are purpose-built for this type of pre-attack intelligence gathering? (Choose two)

A. Maltego B. Nmap C. Recon-ng D. Metasploit E. Aircrack-ng

Question 5

Jane, a threat intelligence analyst investigating a targeted phishing campaign, receives a suspicious message and opens the raw metadata embedded in the received communication to extract the originating IP address, relay servers, timestamps, and the mail transfer agent software version used by the sender's infrastructure. This information allows her to trace the approximate geographic location of the sending system and identify the mail platform used. Which footprinting technique is Jane employing?

A. Shodan Search B. Email Header Analysis C. DNS MX Record Lookup D. OSINT Framework Query

Question 6

A security consultant performing a reconnaissance engagement downloads a complete offline copy of a target organization's public website, including all linked pages, images, scripts, and embedded metadata, using a tool that recursively crawls and replicates the entire site structure to a local directory for analysis. The technique allows her to review source code, discover hidden directories, and extract contact information and internal references without generating repeated live traffic to the target. Which footprinting technique does this describe?

A. DNS Enumeration B. Website Mirroring C. Banner Grabbing D. Email Footprinting

Question 7

Clark, a penetration tester preparing for a targeted network intrusion, sends a series of ICMP or UDP packets with incrementally increasing TTL values toward the target host to map the sequence of intermediate routers, identify network topology, and determine where traffic is filtered or dropped along the path. The output reveals firewall and routing device positions between his machine and the target. Which reconnaissance tool or command is Clark using?

A. Nmap SYN Scan B. Traceroute C. WHOIS Query D. Netstat

Question 8

Select all that apply

The security team at a global telecommunications firm needs to enumerate internet-exposed devices and services belonging to a target during the passive reconnaissance phase of an authorized engagement, as well as identify employee names, titles, and professional relationships that could support later social engineering attempts. The team lead requires sources that do not directly interact with the target's infrastructure. Which two sources should the team prioritize for this dual-purpose information gathering task? (Choose two)

A. Nmap B. Shodan C. Wireshark D. LinkedIn E. Burp Suite

Question 9

A security architect at a healthcare organization wants to prevent attackers from freely obtaining the names, phone numbers, email addresses, and physical addresses of the technical and administrative contacts listed in public registry databases when querying the organization's domain names. She directs the IT team to implement a service through their domain registrar that substitutes a third-party proxy's contact details in place of the actual organizational contacts in public records. Which countermeasure is she implementing?

A. DNSSEC Implementation B. Split-Horizon DNS C. Private Domain Registration D. IP Blacklisting

Question 10

During the reconnaissance phase of a cloud infrastructure assessment, a penetration tester uses an internet-wide scanning and indexing platform to identify publicly accessible routers, webcams, industrial control systems, and unprotected databases belonging to the target organization without sending a single packet to the client's network. The platform's banner and metadata indexing capabilities reveal service versions, open ports, and geographic distribution of exposed assets. Which footprinting tool is being used?

A. Maltego B. Recon-ng C. Shodan D. Metagoofil

Related Posts

Leave a Comment Cancel Reply