Reconnaissance and Enumeration for CompTIA PenTest+

This page covers the Reconnaissance and Enumeration domain of the CompTIA PenTest+ certification. Master Cybersecurity offers 58 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  Question 1

    A penetration tester is conducting reconnaissance for an upcoming assessment of a large corporate client. The client authorized spear phishing in the rules of engagement. Which of the following should the tester do first when developing the phishing campaign?
    A. Shoulder surfing
    B. Recon-ng
    C. Social media
    D. Password dumps
    Explanation

    The correct answer is: C. Social media.

    A spear-phishing campaign succeeds in proportion to how convincingly each lure mirrors the target's social context, so the first step is to mine social media for the names, roles, projects, vendor relationships, recent travel, conferences attended, and personal interests that make a pretext credible. LinkedIn, X, Facebook, and Instagram together expose the org chart, the email-naming pattern, and the topical hooks the campaign will weave into each lure. Shoulder surfing is an in-person observation technique unrelated to bulk pretext development. Recon-ng is a useful framework that can pull from social platforms via modules but is one tool among many, while the broader category of social media is the underlying intelligence reservoir the campaign actually mines. Password dumps inform credential reuse but do not provide pretext content or organizational targeting. Social media is the canonical first-step input for spear-phishing pretexting.

  Question 2

    A tester gains initial access to a server and needs to enumerate all corporate domain DNS records. Which of the following commands should the tester use?
    A. dig +short A AAAA local.domain
    B. nslookup local.domain
    C. dig axfr @local.dns.server
    D. nslookup -server local.dns.server local.domain *
    Explanation

    The correct answer is: C. dig axfr @local.dns.server.

    A full DNS zone transfer using AXFR returns every record in a zone in a single response, which is exactly what is needed to enumerate all corporate domain DNS records when the authoritative server is misconfigured to allow it. Dig with the axfr query type aimed at the authoritative DNS server triggers that bulk transfer, and any non-restricted secondary will return the entire zone including A, AAAA, MX, TXT, NS, SRV, and CNAME records. Dig +short A AAAA returns only address records for the apex name and skips every other record type. Plain nslookup against local.domain returns just the address record and nothing more. Using nslookup -server with a wildcard at the end is not a valid AXFR invocation; nslookup's interactive ls -d once supported zone listing but is deprecated and unreliable on modern resolvers. Dig with axfr is the standard command for an attempted zone transfer.
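    Added example, not part of the original page: a small parser for the output of an attempted dig axfr, so a defender auditing their own nameservers can see at a glance whether the transfer was refused or, if it succeeded, which record types and hostnames the zone exposes. Both sample outputs are constructed; example.test, ns1.example.test and the 192.0.2.x addresses are placeholders.

```python
from collections import Counter

# Constructed sample of a successful transfer from a server that permits AXFR.
# dig prints one record per line; comment lines start with ';'.
LEAKED_ZONE = """\
; <<>> DiG 9.18.0 <<>> axfr example.test @ns1.example.test
example.test.          3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.          3600 IN NS    ns1.example.test.
example.test.          3600 IN MX    10 mail.example.test.
ns1.example.test.      3600 IN A     192.0.2.53
mail.example.test.     3600 IN A     192.0.2.25
vpn.example.test.      3600 IN A     192.0.2.10
intranet.example.test. 3600 IN CNAME vpn.example.test.
example.test.          3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
;; XFR size: 8 records (messages 1, bytes 312)
"""

# Constructed sample from a properly restricted server.
REFUSED = """\
; <<>> DiG 9.18.0 <<>> axfr example.test @ns1.example.test
; Transfer failed.
"""

def parse_axfr(output):
    """Return (transferred, records); records are (name, type, rdata) tuples."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # name ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = parts
        records.append((name, rtype, rdata))
    # A complete AXFR is bracketed by the same SOA record at start and end.
    soa = [r for r in records if r[1] == "SOA"]
    transferred = len(soa) >= 2 and soa[0] == soa[-1]
    return transferred, records

def zone_summary(output):
    """Summarise what a leaked zone exposes: record-type counts and hostnames."""
    transferred, records = parse_axfr(output)
    if not transferred:
        return {"transferred": False, "types": {}, "hosts": []}
    body = records[:-1]  # drop the closing SOA so it is not counted twice
    types = dict(Counter(r[1] for r in body))
    hosts = sorted({r[0] for r in body if r[1] in ("A", "AAAA", "CNAME")})
    return {"transferred": True, "types": types, "hosts": hosts}
```

    A server that is correctly configured should produce the REFUSED shape for every requester that is not one of its own secondaries.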

  Question 3

    A penetration tester is performing network reconnaissance. The tester wants to gather information about the network without causing detection mechanisms to flag the reconnaissance activities. Which of the following techniques should the tester use?
    A. Sniffing
    B. Banner grabbing
    C. TCP/UDP scanning
    D. Ping sweeps
    Explanation

    The correct answer is: A. Sniffing.

    Sniffing is a passive technique: the tester puts an interface into promiscuous mode and reads frames already on the wire without injecting any traffic of their own, so detection mechanisms have no anomalous packets to flag. That property makes sniffing the right answer when the goal is reconnaissance without tipping off monitoring. Banner grabbing requires opening a TCP session to each service and reading its greeting, which is fully visible to network and host IDS. TCP and UDP scanning explicitly send probes to thousands of ports per host and are among the loudest activities a security team monitors for. Ping sweeps emit ICMP echo requests across a range and are routinely alerted on by intrusion detection rules. Among the four, only sniffing avoids generating outgoing traffic at all, which is why it is the stealthiest reconnaissance choice in this scenario.
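    Added example, not from the original page: the kind of threshold rule a monitoring team runs over flow records to flag the two noisy techniques above. The flow records, the 10.0.0.0/24 addresses and the thresholds are all constructed; the passive sniffer at 10.0.0.50 sends nothing and therefore never appears as a source.

```python
from collections import defaultdict

# Constructed flow records (src, dst, proto, dport), as a flow collector or
# firewall log might summarise them. Host 10.0.0.50 only sniffs and emits
# no traffic, so it is deliberately absent from the source column.
FLOWS = (
    # 10.0.0.99 ping-sweeps the subnet: one ICMP echo to each of many hosts
    [("10.0.0.99", f"10.0.0.{i}", "icmp", 0) for i in range(1, 41)]
    # 10.0.0.77 port-scans a single server across many ports
    + [("10.0.0.77", "10.0.0.5", "tcp", p) for p in range(1, 201)]
    # ordinary traffic: a workstation talking to a few services
    + [("10.0.0.20", "10.0.0.5", "tcp", 443), ("10.0.0.20", "10.0.0.6", "tcp", 445),
       ("10.0.0.20", "10.0.0.1", "icmp", 0)]
)

SWEEP_THRESHOLD = 20   # distinct hosts pinged by one source (constructed value)
SCAN_THRESHOLD = 50    # distinct ports probed on one host by one source

def detect_noisy_recon(flows, sweep_min=SWEEP_THRESHOLD, scan_min=SCAN_THRESHOLD):
    """Return a sorted list of (source, finding) for sources whose traffic
    pattern matches a ping sweep or a TCP/UDP port scan."""
    icmp_targets = defaultdict(set)    # src -> hosts that received echo requests
    ports_per_pair = defaultdict(set)  # (src, dst) -> (proto, port) pairs probed
    for src, dst, proto, dport in flows:
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto in ("tcp", "udp"):
            ports_per_pair[(src, dst)].add((proto, dport))
    findings = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_min:
            findings.append((src, f"ping sweep: {len(hosts)} hosts"))
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_min:
            findings.append((src, f"port scan of {dst}: {len(ports)} ports"))
    return sorted(findings)

def sources_seen(flows):
    """Every address that originated traffic; a passive sniffer is never listed."""
    return sorted({src for src, *_ in flows})
```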

  Question 4

    A penetration tester is unable to identify the Wi-Fi SSID on a client's cell phone. Which of the following techniques would be most effective to troubleshoot this issue?
    A. Sidecar scanning
    B. Channel scanning
    C. Stealth scanning
    D. Static analysis scanning
    Explanation

    The correct answer is: B. Channel scanning.

    Wi-Fi networks operate across discrete radio channels in the 2.4 GHz, 5 GHz, and 6 GHz bands, and a mobile device only renders an SSID in its visible-network list once the radio has actively listened on the channel that beacon is broadcast on. Channel scanning systematically iterates the radio across each supported channel, listens for beacon and probe-response frames, and decodes the SSID, BSSID, and RSSI; this is exactly the troubleshooting step needed when the SSID is missing from a phone, since the cause is almost always a channel mismatch, regional regulatory-domain limits, or a hidden network broadcasting on a channel the device has not yet probed. Sidecar scanning is not a recognized wireless reconnaissance technique. Stealth scanning refers to evasive port scans such as nmap SYN or null scans and has nothing to do with 802.11 beacon discovery. Static analysis scanning is a code-review technique used against application binaries or source, again unrelated to wireless SSID visibility.

  Question 5

    While conducting an assessment, a penetration tester identifies the details for several unreleased products announced at a company-wide meeting. Which of the following attacks did the tester most likely use to discover this information?
    A. Eavesdropping
    B. Bluesnarfing
    C. Credential harvesting
    D. SQL injection attack
    Explanation

    The correct answer is: A. Eavesdropping.

    Hearing employees discuss confidential product details at a company-wide meeting that the tester listens in on is eavesdropping, the in-person interception of spoken information. Whether the tester is physically present, watching a streamed all-hands, or listening on an open channel, the act of overhearing protected conversation falls under that label. Bluesnarfing is the unauthorized extraction of data from a Bluetooth device and would not yield meeting content. Credential harvesting is focused on capturing usernames and passwords through phishing or fake portals, not on intelligence about unreleased products. SQL injection is a database attack on a web application and has nothing to do with overhearing meeting content. Eavesdropping is the precise classification for capturing sensitive information by overhearing communications, which makes it the obvious answer in this scenario.
