Certified Practitioner Security Analyst | Comprehensive Practice Test | Verified Q&A | Pass Guaranteed - A+ Graded
Domain 1: Reconnaissance & Information Gathering (50 Questions)
Q1
During a passive reconnaissance engagement, you need to identify all subdomains of
target.com without directly querying their DNS servers. Which technique leverages third-party
services that have already cached DNS records?
A. DNS zone transfer using dig AXFR
B. Brute-force subdomain enumeration with dnsrecon
C. Querying Certificate Transparency logs and passive DNS databases [CORRECT]
D. Performing DNS recursion testing against the authoritative nameserver
Correct Answer: C
Rationale: Certificate Transparency logs (e.g., crt.sh) and passive DNS databases (e.g.,
VirusTotal, SecurityTrails) aggregate historical DNS data without requiring direct interaction
with target infrastructure. This maintains operational security during reconnaissance. Options
A, B, and D involve active queries that could trigger detection mechanisms.
Q2
An analyst is using Google search operators to find sensitive files on a target domain. Which
query would identify Excel spreadsheets potentially containing financial data?
A. site:target.com filetype:xls OR filetype:xlsx intitle:budget OR intitle:finance [CORRECT]
B. inurl:target.com ext:csv "confidential"
C. cache:target.com filetype:doc "password"
D. intext:"target.com" filetype:pdf "internal use only"
Correct Answer: A
Rationale: The site: operator restricts results to the target domain, filetype: targets
Excel extensions, and intitle: searches for financial keywords in document titles. This
combination follows Google dorking best practices for file discovery. Option B targets CSV
files, C uses cache operator incorrectly for filetype search, and D searches PDF content rather
than Excel files.
Q3
Which DNS record type is used to specify which mail server is responsible for accepting email messages on behalf of a domain?
A. A record
B. NS record
C. MX record [CORRECT]
D. TXT record
Correct Answer: C
Rationale: Mail Exchange (MX) records specify the mail servers responsible for accepting
email on behalf of a domain, including priority values for mail routing. A records map
hostnames to IPv4 addresses, NS records identify authoritative nameservers, and TXT
records store arbitrary text data often used for SPF/DKIM verification.
Q4
During OSINT collection, you discover that a target organization uses a specific cloud
storage provider based on DNS CNAME records pointing to s3.amazonaws.com. Which
reconnaissance technique revealed this information?
A. WHOIS registry analysis
B. DNS record enumeration [CORRECT]
C. Metadata extraction from documents
D. Social media intelligence gathering
Correct Answer: B
Rationale: Canonical Name (CNAME) records are DNS resource records that map aliases to
true canonical names. Discovering s3.amazonaws.com CNAMEs indicates AWS S3 bucket
usage for cloud storage. WHOIS analysis reveals registration data, metadata extraction finds
document properties, and social media intelligence focuses on human-sourced information
rather than infrastructure mapping.
Q5
Which tool is specifically designed for email harvesting by gathering addresses from public
sources, PGP servers, and search engines?
A. Recon-ng
B. theHarvester [CORRECT]
C. Maltego
D. Nmap
Correct Answer: B
Rationale: theHarvester is purpose-built for email harvesting, querying Google, Bing, PGP key servers, and other public sources to collect email addresses, subdomains, hosts, and employee names. Recon-ng is a full reconnaissance framework, Maltego visualizes relationships between entities, and Nmap is a network scanner; none of these is a specialized email harvester.
Q6
An analyst needs to identify technology stacks used by a target website without sending
active probes. Which passive technique would be most effective?
A. Banner grabbing with Netcat
B. Analyzing HTTP headers from archived versions using Wayback Machine [CORRECT]
C. SYN scanning with Nmap
D. Vulnerability scanning with OpenVAS
Correct Answer: B
Rationale: The Wayback Machine (archive.org) stores historical versions of web pages
including HTTP headers revealing server types, frameworks, and technologies. This is entirely
passive as it uses existing archived data. Banner grabbing, SYN scanning, and vulnerability
scanning all involve active network interaction that could be detected.
Q7
Which DNS record type would you query to identify the IPv6 address associated with a
hostname?
A. A record
B. AAAA record [CORRECT]
C. CNAME record
D. PTR record
Correct Answer: B
Rationale: AAAA (quad-A) records map hostnames to 128-bit IPv6 addresses, analogous to
how A records map to 32-bit IPv4 addresses. CNAME records create aliases, and PTR
records enable reverse DNS lookups (IP to hostname resolution). Understanding DNS record
types is essential for comprehensive infrastructure mapping.
Q8
During a penetration test, you discover that the target's DNS servers allow zone transfers
from any source. Which command would successfully extract the complete DNS zone data?
A. dig @ns1.target.com target.com AXFR [CORRECT]
B. nslookup -type=ANY target.com
C. host -t MX target.com
D. whois target.com
Correct Answer: A