CompTIA PenTest+ (PT0-003) · Domain 2 · 21% of exam

Reconnaissance and Enumeration

Drill 20 practice questions focused entirely on Reconnaissance and Enumeration for the CompTIA PT0-003 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

During the passive reconnaissance phase of an external engagement, a penetration tester wants to build a comprehensive list of the target organization's subdomains without sending any packets directly to the target's infrastructure. The tester needs a tool that aggregates data from third-party sources such as certificate transparency logs, search engine results, and DNS aggregation databases. Which command best supports this goal?

Reviewed for accuracy · Report an issue
Question 2 of 20

During a cloud-focused engagement, you obtain a set of AWS access keys from a compromised developer laptop. Before pivoting, you want to passively determine which permissions the key set actually holds without triggering obvious changes to the environment. Which action is the MOST appropriate first step to enumerate the effective permissions of these credentials?

Reviewed for accuracy · Report an issue
Question 3 of 20

During an authorized cloud penetration test, you gain command execution on an EC2 instance through a vulnerable web application. To escalate access, you want to enumerate the temporary IAM credentials associated with the instance's role. Which action should you take to retrieve those credentials from within the instance?

Reviewed for accuracy · Report an issue
Question 4 of 20

During the reconnaissance phase of an authorized cloud assessment for a retail company, a penetration tester wants to discover publicly exposed AWS S3 buckets belonging to the target without generating traffic directly against the client's production infrastructure. The tester has the company name, brand names, and common naming conventions the organization uses. Which approach BEST supports passive discovery of exposed storage buckets while minimizing direct interaction with the target?

Reviewed for accuracy · Report an issue
Question 5 of 20

During passive reconnaissance of a target organization, a penetration tester wants to discover subdomains and internal-sounding hostnames (such as vpn.example.com and dev-api.example.com) without sending any packets to the target's infrastructure. Which technique will BEST accomplish this goal?

Reviewed for accuracy · Report an issue
Question 6 of 20

During an internal engagement, you have permission to map a target's 10.20.30.0/24 subnet. You want to passively correlate live IP addresses with meaningful hostnames without sending traffic to each host directly. Which technique best supports building this network map by leveraging the organization's own DNS infrastructure?

Reviewed for accuracy · Report an issue
Question 7 of 20

During the passive reconnaissance phase of an external assessment, a penetration tester wants to identify as many subdomains and internal hostnames as possible for the target domain example.com. The tester notices the authoritative name server ns1.example.com responds to queries. Which command is MOST likely to reveal a complete list of the organization's DNS records if the server is misconfigured?

Reviewed for accuracy · Report an issue
Question 8 of 20

During an internal engagement, you have anonymous (null session) access to a Windows Server that appears to be a domain member. You need to enumerate valid domain user accounts to build a target list for later password spraying. RestrictAnonymous is set such that direct user listing via a null session returns no results, but you can still query the SAM/LSA over SMB. Which technique is MOST likely to yield a list of valid domain usernames in this situation?

Reviewed for accuracy · Report an issue
Question 9 of 20

During an internal penetration test, you have obtained valid low-privilege domain credentials for an Active Directory environment. You want to enumerate all domain user accounts, their group memberships, and account attributes such as description fields that may contain plaintext passwords. Which approach will most efficiently gather this information directly from the domain controller?

Reviewed for accuracy · Report an issue
Question 10 of 20

During an internal engagement, you run a credentialed Nessus scan against a Windows server. The report lists a plugin flagged as 'Critical' with a CVSS base score of 9.8, but the plugin output notes 'This is a potential vulnerability — the affected service was detected but the patch level could not be confirmed remotely.' Your client wants to prioritize remediation efficiently. What is the most appropriate next step before reporting this as a confirmed critical finding?

Reviewed for accuracy · Report an issue
Question 11 of 20

During an internal penetration test, you are connected directly to the 192.168.50.0/24 subnet via an authorized drop. You need to build an accurate inventory of live hosts on this local segment, but several hosts have host-based firewalls that drop ICMP echo requests. Which Nmap command will most reliably discover live hosts on this segment?

Reviewed for accuracy · Report an issue
Question 12 of 20

During an internal engagement, you connect to a jump host where you only have a standard (non-root) user account. You attempt to run 'nmap -sS 10.10.5.0/24' to perform a SYN scan across the subnet, but Nmap warns it is falling back to a different scan type. Which explanation best describes what is happening and how to proceed effectively?

Reviewed for accuracy · Report an issue
Question 13 of 20

During an authorized external assessment, a penetration tester wants to enumerate open ports on a target host while making it difficult for the target's SOC to identify which source IP is the true origin of the scan. The tester decides to use a zombie host with predictable IP ID sequence numbers to bounce the scan off of, so the target never receives packets directly from the tester's real address. Which Nmap technique should the tester use?

Reviewed for accuracy · Report an issue
Question 14 of 20

During an internal engagement, you run Nmap against a /24 subnet and export the results with the -oX flag to results.xml. Your team lead asks you to quickly produce a clean list of only the hosts that have TCP port 3389 open, so it can be fed into a follow-up RDP audit script. Which approach most efficiently produces this filtered list from the existing scan output?

Reviewed for accuracy · Report an issue
Question 15 of 20

During an internal engagement, you have identified a web server running on 10.0.5.22 over ports 80 and 443. The client has authorized active enumeration of exposed web content. You want to use Nmap to discover common web directories, application paths, and interesting files on the host before launching a dedicated web scanner. Which Nmap command best supports this goal?

Reviewed for accuracy · Report an issue
Question 16 of 20

During an internal engagement, you have identified several Windows hosts with TCP port 445 open. Before attempting exploitation, you want to safely check whether these hosts are vulnerable to known SMB flaws (such as MS17-010) and gather additional SMB configuration details using Nmap. Which command best accomplishes this enumeration goal?

Reviewed for accuracy · Report an issue
Question 17 of 20

During an internal engagement, a penetration tester needs to identify the operating system running on a target host at 10.10.5.20 to tailor subsequent exploitation. The tester wants Nmap to perform TCP/IP stack fingerprinting and report a best-guess OS even if the results are not definitive. Which command should the tester run?

Reviewed for accuracy · Report an issue
Question 18 of 20

During an external assessment, you run 'nmap -sS -p- 203.0.113.45' and receive results showing port 443 as 'open', ports 22 and 3389 as 'filtered', and all other ports as 'closed'. The client insists SSH (22) is running and reachable internally. Which conclusion best explains the 'filtered' state for ports 22 and 3389?

Reviewed for accuracy · Report an issue
Question 19 of 20

During an internal penetration test, you have identified a host at 10.10.5.42 with several open TCP ports. Your goal now is to determine the exact software and version running on each open port so you can cross-reference them against known vulnerability databases. Which Nmap command best accomplishes this enumeration objective?

Reviewed for accuracy · Report an issue
Question 20 of 20

During an authorized internal penetration test, a tester notices that a mid-range Nmap scan against a /24 subnet is triggering the client's IDS, generating alerts that flood the SOC. The engagement rules require the tester to reduce the likelihood of detection while still completing the enumeration within the testing window. Which Nmap timing option should the tester use to slow the scan enough to evade signature-based rate thresholds while remaining faster than the most conservative setting?

Reviewed for accuracy · Report an issue

More PT0-003 practice

Keep going with the other CompTIA PenTest+ (PT0-003) domains, or take a full timed mock exam.

← Back to PT0-003 overview