Penetration Testing and Network Security
Practice Exam questions and correct
answers– Updated 2026 (Graded A+) instant
download pdf
Subject: Penetration Testing and Network Security
Subtopic: Reconnaissance
Question 1: During a passive reconnaissance engagement, a security consultant gathers
information about a target organization exclusively from public sources. Which activity best
represents passive reconnaissance?
A) Performing a TCP SYN scan against public servers
B) Conducting DNS zone transfers against the target domain
C) Reviewing employee information from publicly available social media profiles
D) Running vulnerability scanners against exposed hosts
Correct Answer: C - Reviewing employee information from publicly available social media
profiles
Rationale: Passive reconnaissance collects information without directly interacting with target
systems. Public social media data, company websites, and search engine results are typical
passive sources. TCP scans, DNS zone transfers, and vulnerability scans directly interact with
target infrastructure and therefore constitute active reconnaissance activities.
Question 2: A penetration tester performs WHOIS queries and examines publicly available DNS
records before beginning an assessment. The primary objective of these activities is to:
A) Escalate privileges on internal systems
B) Enumerate target infrastructure and ownership information
C) Exploit web applications
D) Bypass firewall controls
Correct Answer: B - Enumerate target infrastructure and ownership information
Rationale: WHOIS and DNS analysis help identify domains, IP ranges, administrators, and
infrastructure components. They support attack surface mapping before active testing begins.
They do not directly exploit systems or bypass security controls.
Question 3: Which reconnaissance activity presents the lowest likelihood of detection by the
target organization?
A) Full TCP port scan
B) Vulnerability scanning
C) Public search engine analysis
D) Network enumeration
Correct Answer: C - Public search engine analysis
Rationale: Search engine queries occur externally and do not interact directly with the target
environment. Port scanning, vulnerability scanning, and enumeration generate network traffic
that may be detected by security monitoring systems.
Question 4: The primary purpose of reconnaissance during a penetration test is to:
A) Destroy evidence of compromise
B) Identify attack surfaces and potential entry points
C) Remove security controls
D) Install persistence mechanisms
Correct Answer: B - Identify attack surfaces and potential entry points
Rationale: Reconnaissance provides intelligence regarding systems, personnel, technologies,
and infrastructure. This information guides later assessment phases and improves testing
effectiveness.
Question 5: An organization publishes detailed employee directories and technical job
descriptions online. From a security perspective, this information most significantly increases the
risk of:
A) Cryptographic failure
B) Social engineering attacks
C) Wireless interference
D) Database corruption
Correct Answer: B - Social engineering attacks
Rationale: Public employee information assists attackers in crafting convincing phishing
campaigns and impersonation attempts. The information has little direct effect on cryptography,
wireless systems, or database integrity.
Subtopic: Scanning and Enumeration
Question 6: A network scan identifies ports 22, 80, and 443 as open on a server. The next
appropriate step is:
A) Immediately exploit the server
B) Enumerate services running on the identified ports
C) Disable the firewall
D) Remove the server from the network
Correct Answer: B - Enumerate services running on the identified ports
Rationale: Service enumeration determines software versions, configurations, and potential
vulnerabilities. Exploitation should occur only after adequate information gathering and
authorization.
Question 7: Enumeration differs from scanning because enumeration primarily focuses on:
A) Discovering live hosts only
B) Collecting detailed information about identified services and resources
C) Blocking network traffic
D) Performing cryptographic analysis
Correct Answer: B - Collecting detailed information about identified services and
resources
Rationale: Scanning identifies systems and open ports, while enumeration gathers deeper
information such as usernames, shares, services, and configurations.
Question 8: Which result from a scan most likely indicates a potential attack surface?
A) Closed ports exclusively
B) Unreachable hosts
C) Exposed administrative services accessible from external networks
D) Disabled network interfaces
Correct Answer: C - Exposed administrative services accessible from external networks
Rationale: Administrative services exposed externally may provide unauthorized access
opportunities. Closed ports and unreachable hosts generally present lower risk.
Question 9: The principle of least privilege is most relevant during enumeration because:
A) Attackers seek unnecessary administrative access
B) Encryption is required for scanning
C) Firewalls prevent all attacks
D) Vulnerabilities cannot exist on user accounts
Correct Answer: A - Attackers seek unnecessary administrative access
Rationale: Excessive permissions increase the value of compromised accounts and simplify
lateral movement and privilege escalation.
Question 10: Which scenario demonstrates effective enumeration?
A) Identifying an IP address only
B) Determining software versions and service configurations on a target host
C) Disconnecting the host from the network
D) Deleting system logs
Correct Answer: B - Determining software versions and service configurations on a target
host
Rationale: Detailed service information assists in vulnerability identification and risk
assessment.
Subtopic: Vulnerability Assessment
Question 11: The primary objective of a vulnerability assessment is to:
A) Exploit every identified weakness
B) Identify and prioritize security weaknesses
C) Destroy malicious software
D) Recover deleted files
Correct Answer: B - Identify and prioritize security weaknesses
Rationale: Vulnerability assessments focus on discovering and evaluating risks rather than
exploiting systems. Remediation prioritization is a critical outcome.