Log in Start practising free
Certified Ethical Hacker (CEH)

Footprinting & Reconnaissance

35 free practice questions with explanations

Practise all 35 questions free →

PassNova has 35 free Certified Ethical Hacker (CEH) practice questions on Footprinting & Reconnaissance, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Footprinting & Reconnaissance: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 35 free in the browser.

  1. During passive reconnaissance, which technique gathers information about a target WITHOUT sending any packets directly to the target's systems?

    • A Enumerating SMB shares with enum4linux
    • B Banner grabbing with Netcat
    • C Searching public records, WHOIS, and search engines (OSINT)
    • D Running an Nmap SYN scan

    Answer: Passive reconnaissance (OSINT) collects publicly available information such as WHOIS records, DNS data, and search-engine results without interacting directly with the target, leaving no trace on the target's systems.

  2. Which DNS record type must be queried to identify the mail servers responsible for a target domain?

    • A PTR record
    • B A record
    • C CNAME record
    • D MX record

    Answer: The MX (Mail Exchange) record specifies the mail servers that accept email for a domain, making it the target of DNS footprinting aimed at email infrastructure.

  3. An attacker uses the Google search operator 'site:example.com filetype:pdf' to locate documents. What footprinting technique is this an example of?

    • A DNS zone transfer
    • B Google hacking (Google dorking)
    • C Traceroute analysis
    • D Social engineering

    Answer: Crafting advanced search-engine queries with operators like site:, filetype:, and inurl: to uncover exposed information is known as Google hacking or Google dorking.

  4. Which tool is specifically designed to gather email addresses, subdomains, hosts, and employee names from public sources for footprinting?

    • A John the Ripper
    • B theHarvester
    • C Hydra
    • D Aircrack-ng

    Answer: theHarvester collects emails, subdomains, hostnames, and employee names from public sources such as search engines and PGP key servers, making it a core OSINT footprinting tool.

  5. An attacker successfully performs a DNS zone transfer (AXFR) against a misconfigured name server. What is the primary risk this creates?

    • A All TLS certificates for the domain are revoked
    • B The DNS cache is poisoned with false records
    • C A complete copy of the zone's DNS records is disclosed, mapping the internal network
    • D The name server's CPU is exhausted, causing denial of service

    Answer: A successful zone transfer hands the attacker every record in the zone, effectively providing a map of hosts and services that should not be publicly exposed.

  6. Which footprinting activity uses the 'traceroute' (or tracert) utility?

    • A Cracking password hashes offline
    • B Discovering the network path and intermediate hops to a target host
    • C Injecting SQL into a login form
    • D Capturing wireless handshakes

    Answer: Traceroute maps the route packets take to a destination by recording each router (hop) along the way, helping an attacker understand network topology.

Start practising Footprinting & Reconnaissance →
More Certified Ethical Hacker (CEH) topics

Practise another topic

System Hacking & Malware35 questions Scanning & Enumeration34 questions Wireless, Cryptography & Cloud34 questions Sniffing, Social Engineering & DoS34 questions Web, Application & SQL Injection Attacks28 questions
← Back to Certified Ethical Hacker (CEH)