Reconnaissance Techniques for Certified Ethical Hacker (CEH)

This page covers the Reconnaissance Techniques domain of the Certified Ethical Hacker (CEH) certification. Master Cybersecurity offers 24 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

Question 1

Which of the following describes a method of gathering information about a target without any direct interaction?

A. Active Footprinting
B. Passive Footprinting
C. Social Engineering
D. Vulnerability Scanning

Explanation

The correct answer is: B. Passive Footprinting.

Passive footprinting (reconnaissance) gathers information without sending any traffic or probes to the target. You use only public or third-party sources: search engines, WHOIS, DNS lookups against public resolvers, archived pages, social media, job postings, and other open sources. The target does not see your activity. Active footprinting (A) involves interacting with the target, for example DNS queries that hit the target's own name servers, ping, or traceroute, so the target can detect the activity. Social engineering (C) involves direct interaction with people (calls, emails, visits). Vulnerability scanning (D) actively probes systems and is highly visible. The question asks for "no direct interaction" with the target, which matches passive footprinting.
Question 2

To enhance your footprinting efforts, you decide to gather information about the target's network range and live hosts. Which tool would you use to perform network range reconnaissance without actively scanning the network?

A. Netcraft
B. Ping
C. Traceroute
D. Google hacking

Explanation

The correct answer is: D. Google hacking.

Google hacking (Google dorking) uses search engine operators and queries to find publicly indexed information about a target (cached pages, exposed documents, site listings, and references to IP ranges or hostnames) without sending any packets to the target's network. You use Google (or a similar search engine) to discover what is already indexed. Ping (B) and traceroute (C) actively probe the target's hosts and network; they are not "without actively scanning." Netcraft (A) can provide passive data (e.g., from its database of sites and IPs), but "Google hacking" is the option that unambiguously describes using a search engine to gather network/host information without scanning the target. For "network range reconnaissance without actively scanning," Google hacking is the best fit.
Question 3

Which of the following is a primary goal of performing footprinting in the reconnaissance phase?

A. To exploit vulnerabilities in web applications
B. To gather as much information as possible about the target
C. To launch a denial-of-service attack
D. To install malware on the target system

Explanation

The correct answer is: B. To gather as much information as possible about the target.

Footprinting is the initial reconnaissance phase. Its primary goal is to gather as much information as possible about the target (domains, subdomains, IP ranges, DNS, email addresses, technologies, employees, public documents, and other open-source data) to build a picture of the attack surface before any scanning or exploitation. Exploiting vulnerabilities (A), launching DoS (C), and installing malware (D) belong to later phases (e.g., gaining access, maintaining access); they are not goals of footprinting. Footprinting is purely information gathering to support later phases.
Question 4

An ethical hacker is using a search engine to find publicly exposed documents belonging to a target company. Which technique is being used?

A. Shodan Search
B. Google Dorking
C. WHOIS Lookup
D. Zone Transfer

Explanation

The correct answer is: B. Google Dorking.

Google dorking (Google hacking) is the use of search engine operators and advanced queries (e.g., `site:`, `filetype:`, `inurl:`, `intitle:`) to find sensitive or exposed content that the search engine has indexed, such as PDFs, spreadsheets, configuration files, or internal documents that should not be public. The scenario, using a search engine to find publicly exposed documents, matches this technique. Shodan (A) is a search engine for devices and services (IP, port, banner), not primarily for finding documents via Google-style queries. WHOIS (C) returns domain and IP registration data. Zone transfer (D) is a DNS mechanism to copy a zone file; it is not "using a search engine." Thus, Google dorking is the correct answer.
Question 5

During a security assessment, you are tasked with gathering information about a target network's email servers. Which of the following DNS record types would provide this information?

A. A
B. MX
C. CNAME
D. PTR

Explanation

The correct answer is: B. MX.

MX (Mail Exchange) records specify the mail servers responsible for accepting email for the domain. When you query MX for a domain, you get the hostnames (and typically a priority) of the email servers, which you can then resolve to IPs with A records. A records (A) map hostnames to IPv4 addresses; they do not by themselves identify which hosts are mail servers. CNAME (C) is an alias (one name pointing to another); it does not designate mail servers. PTR (D) is used for reverse DNS (IP to name), not for discovering mail servers. To find a target's email servers, you query the MX records for its domain.
