1. What is the primary objective of footprinting in cybersecurity?

  • A) Exploiting vulnerabilities
  • B) Identifying and gathering information about a target
  • C) Crashing the target system
  • D) Establishing persistence in a compromised system
    ✅ Answer: B) Identifying and gathering information about a target
    Explanation: Footprinting is the process of collecting information about a target to identify potential attack vectors before attempting exploitation.

2. Which of the following is a passive reconnaissance technique?

  • A) Scanning the target with Nmap
  • B) Using WHOIS to gather domain registration details
  • C) Running a brute force attack
  • D) Exploiting an open database
    ✅ Answer: B) Using WHOIS to gather domain registration details
    Explanation: Passive reconnaissance involves gathering publicly available information without interacting directly with the target.

3. What tool is commonly used to perform DNS enumeration?

  • A) Wireshark
  • B) Dig
  • C) Hydra
  • D) Metasploit
    ✅ Answer: B) Dig
    Explanation: dig is a command-line tool used for querying DNS records and performing DNS enumeration.

4. Which of the following is an active reconnaissance technique?

  • A) Checking SSL certificates
  • B) Searching target-related information on Google
  • C) Running an Nmap scan on a target system
  • D) Monitoring a company’s social media activity
    ✅ Answer: C) Running an Nmap scan on a target system
    Explanation: Active reconnaissance involves direct interaction with the target, such as scanning for open ports using Nmap.

5. What is the purpose of Google Dorking in reconnaissance?

  • A) Identifying open ports
  • B) Finding sensitive information indexed by search engines
  • C) Exploiting web vulnerabilities
  • D) Establishing a remote shell
    ✅ Answer: B) Finding sensitive information indexed by search engines
    Explanation: Google Dorking involves using advanced search queries to find exposed data like credentials, documents, and admin panels.

6. What is the main difference between passive and active reconnaissance?

  • A) Passive reconnaissance is illegal, active reconnaissance is not
  • B) Active reconnaissance interacts with the target, while passive does not
  • C) Active reconnaissance is always undetectable
  • D) Passive reconnaissance requires special tools
    ✅ Answer: B) Active reconnaissance interacts with the target, while passive does not
    Explanation: Active reconnaissance directly interacts with the target, while passive reconnaissance gathers information indirectly.

7. What type of attack can be conducted using information gathered from footprinting?

  • A) SQL Injection
  • B) Credential stuffing
  • C) Social engineering
  • D) All of the above
    ✅ Answer: D) All of the above
    Explanation: Information gathered during footprinting can be used in various attacks like social engineering, SQLi, and credential stuffing.

8. Which of the following is NOT a footprinting technique?

  • A) Checking WHOIS records
  • B) Phishing emails
  • C) Examining social media profiles
  • D) Reviewing website metadata
    ✅ Answer: B) Phishing emails
    Explanation: Phishing is an attack vector, whereas footprinting focuses on gathering intelligence without direct interaction.

9. What command can be used to perform a reverse DNS lookup?

  • A) nslookup
  • B) nmap
  • C) traceroute
  • D) ifconfig
    ✅ Answer: A) nslookup
    Explanation: nslookup can retrieve DNS records, including reverse lookups that resolve an IP address to a domain name.

10. Which of the following tools is primarily used for OSINT (Open-Source Intelligence) gathering?

  • A) Shodan
  • B) Hydra
  • C) Metasploit
  • D) Nikto
    ✅ Answer: A) Shodan
    Explanation: Shodan is a search engine that helps find devices connected to the internet, often revealing exposed services.

11. What does the theHarvester tool primarily gather?

  • A) Open ports
  • B) Email addresses and subdomains
  • C) System vulnerabilities
  • D) SQL database entries
    ✅ Answer: B) Email addresses and subdomains
    Explanation: theHarvester is an OSINT tool that collects information about emails, domains, and company assets.

12. What information can be obtained from a WHOIS lookup?

  • A) IP addresses
  • B) Domain registration details
  • C) List of active users
  • D) Firewall rules
    ✅ Answer: B) Domain registration details
    Explanation: WHOIS provides details such as domain owner, registrar, and expiration date.

13. What is the main goal of social engineering reconnaissance?

  • A) Cracking passwords
  • B) Manipulating human psychology to extract sensitive information
  • C) Exploiting system vulnerabilities
  • D) Encrypting target data
    ✅ Answer: B) Manipulating human psychology to extract sensitive information
    Explanation: Social engineering relies on deception and manipulation rather than technical exploits.

14. What is OSINT?

  • A) Offensive Security Intelligence
  • B) Open-Source Intelligence
  • C) On-Site Network Testing
  • D) Operational System Intrusion
    ✅ Answer: B) Open-Source Intelligence
    Explanation: OSINT refers to gathering publicly available data from open sources.

15. Which of the following tools can scan for publicly exposed cameras and IoT devices?

  • A) Nikto
  • B) Maltego
  • C) Shodan
  • D) Metasploit
    ✅ Answer: C) Shodan
    Explanation: Shodan indexes internet-connected devices, including IoT systems and security cameras.

16. What command can extract DNS zone transfer information?

  • A) dig axfr
  • B) nslookup -a
  • C) traceroute -d
  • D) ping -t
    ✅ Answer: A) dig axfr
    Explanation: dig axfr attempts a zone transfer, retrieving DNS records.

17. Which technique is commonly used for gathering email addresses of an organization?

  • A) Email Spoofing
  • B) Google Dorking
  • C) Hash Cracking
  • D) SQL Injection
    ✅ Answer: B) Google Dorking
    Explanation: Google Dorking uses search engine queries to find exposed email addresses.

18. What is Maltego primarily used for?

  • A) Brute-force attacks
  • B) Information visualization and relationship mapping
  • C) Web server scanning
  • D) Buffer overflow exploitation
    ✅ Answer: B) Information visualization and relationship mapping
    Explanation: Maltego helps visualize connections between OSINT data points.

19. What is an example of a passive reconnaissance source?

  • A) LinkedIn profiles
  • B) Nmap scanning
  • C) FTP brute force
  • D) Exploiting a SQL database
    ✅ Answer: A) LinkedIn profiles
    Explanation: LinkedIn profiles contain valuable information about employees and organizations.

20. Which reconnaissance technique involves intercepting network traffic?

  • A) Man-in-the-Middle (MITM) attack
  • B) DNS enumeration
  • C) Website scraping
  • D) Port scanning
    ✅ Answer: A) Man-in-the-Middle (MITM) attack
    Explanation: MITM allows attackers to eavesdrop on network traffic and extract data.

21. What type of information can be gathered using the tool Netcraft?

  • A) Web server details, hosting provider, and site history
  • B) Firewall rules and policies
  • C) Encrypted passwords of a website
  • D) Malware signatures
    ✅ Answer: A) Web server details, hosting provider, and site history
    Explanation: Netcraft provides insights into a website’s infrastructure, including its web server, DNS records, and historical data.

22. What is the purpose of a robots.txt file in a website’s directory?

  • A) To restrict search engine bots from indexing certain pages
  • B) To store passwords securely
  • C) To log user IP addresses
  • D) To enable SSL encryption
    ✅ Answer: A) To restrict search engine bots from indexing certain pages
    Explanation: The robots.txt file instructs search engines about which parts of a website should not be indexed, but attackers often check it for hidden URLs.

23. Which protocol is commonly used for enumerating shared network resources?

  • A) SMTP
  • B) SNMP
  • C) SMB
  • D) ICMP
    ✅ Answer: C) SMB
    Explanation: Server Message Block (SMB) is used for file and resource sharing in Windows networks and can be enumerated for valuable data.

24. Which website can be used to check if an email address has been part of a data breach?

  • A) Have I Been Pwned
  • B) Shodan
  • C) VirusTotal
  • D) Nmap
    ✅ Answer: A) Have I Been Pwned
    Explanation: This site allows users to check if their credentials have been exposed in a past data breach.

25. What is an effective way to gather employee names from a target organization?

  • A) Checking job postings and LinkedIn profiles
  • B) Running a port scan on the company’s network
  • C) Exploiting SQL Injection vulnerabilities
  • D) Sending phishing emails
    ✅ Answer: A) Checking job postings and LinkedIn profiles
    Explanation: Public profiles and job postings often reveal employee names, emails, and job roles, which can be useful for social engineering.

26. Which reconnaissance tool specializes in subdomain enumeration?

  • A) Metasploit
  • B) Sublist3r
  • C) Hydra
  • D) sqlmap
    ✅ Answer: B) Sublist3r
    Explanation: Sublist3r is a popular tool used to discover subdomains of a target domain.

27. What can be extracted from the “Wayback Machine” at archive.org?

  • A) Old versions of web pages
  • B) Encrypted passwords
  • C) Live network traffic
  • D) Active database queries
    ✅ Answer: A) Old versions of web pages
    Explanation: The Wayback Machine allows viewing historical snapshots of websites, which may reveal outdated but still useful information.

28. What command-line tool can perform WHOIS lookups on Linux?

  • A) whois
  • B) netstat
  • C) ipconfig
  • D) traceroute
    ✅ Answer: A) whois
    Explanation: The whois command retrieves domain registration details, including owner and registrar information.

29. Which of the following is NOT an open-source intelligence (OSINT) tool?

  • A) Maltego
  • B) Shodan
  • C) Nessus
  • D) Recon-ng
    ✅ Answer: C) Nessus
    Explanation: Nessus is a vulnerability scanner, while the other tools are primarily used for OSINT and reconnaissance.

30. What reconnaissance technique involves collecting information by analyzing HTML source code?

  • A) Google Dorking
  • B) Website scraping
  • C) ARP poisoning
  • D) Brute-force attacks
    ✅ Answer: B) Website scraping
    Explanation: Website scraping extracts useful metadata, links, and comments from HTML source code.

31. What is the purpose of a DNS zone transfer attack?

  • A) To redirect users to malicious websites
  • B) To retrieve all DNS records of a domain
  • C) To bypass a web application firewall
  • D) To perform a brute force attack
    ✅ Answer: B) To retrieve all DNS records of a domain
    Explanation: A DNS zone transfer allows attackers to obtain subdomains, mail servers, and other DNS-related information.

32. What is a major risk of exposing company emails on public websites?

  • A) Increased risk of brute-force attacks
  • B) Potential social engineering and phishing attacks
  • C) Easier exploitation of SQL Injection
  • D) Increased risk of DDoS attacks
    ✅ Answer: B) Potential social engineering and phishing attacks
    Explanation: Publicly available emails are often targeted in phishing campaigns.

33. What reconnaissance tool is often used to discover open ports and services on a target?

  • A) Nmap
  • B) Nikto
  • C) Burp Suite
  • D) Mimikatz
    ✅ Answer: A) Nmap
    Explanation: Nmap is widely used for network scanning and port enumeration.

34. What technique is used to gather information from discarded company documents?

  • A) Dumpster diving
  • B) Phishing
  • C) Sniffing
  • D) Keylogging
    ✅ Answer: A) Dumpster diving
    Explanation: Dumpster diving involves retrieving sensitive information from discarded documents.

35. What can be gained from a website’s HTTP response headers?

  • A) Web server type and software version
  • B) User credentials
  • C) SSL certificate details
  • D) Encrypted email messages
    ✅ Answer: A) Web server type and software version
    Explanation: HTTP response headers can reveal details about the web server, which can be useful for further attacks.

36. Which tool is primarily used for gathering information from social media?

  • A) FOCA
  • B) Metagoofil
  • C) OSINT Framework
  • D) Wireshark
    ✅ Answer: C) OSINT Framework
    Explanation: OSINT Framework provides various methods to collect social media and publicly available intelligence.

37. What type of reconnaissance involves monitoring wireless network traffic?

  • A) Passive reconnaissance
  • B) Active reconnaissance
  • C) Web scraping
  • D) Reverse engineering
    ✅ Answer: A) Passive reconnaissance
    Explanation: Capturing Wi-Fi traffic without interacting with the network is considered passive reconnaissance.

38. Which tool can be used to detect publicly exposed Amazon S3 buckets?

  • A) CloudSploit
  • B) SQLmap
  • C) Hydra
  • D) Nikto
    ✅ Answer: A) CloudSploit
    Explanation: CloudSploit is designed to detect misconfigured cloud storage and security flaws.

39. What is an example of geolocation-based reconnaissance?

  • A) Tracking a user’s IP address using logs
  • B) Using a VPN to anonymize traffic
  • C) Performing a brute-force attack
  • D) Running a remote buffer overflow exploit
    ✅ Answer: A) Tracking a user’s IP address using logs
    Explanation: IP tracking and geolocation services help identify a target’s approximate location.

40. What reconnaissance technique involves monitoring SSL/TLS certificates of a target organization?

  • A) Certificate Transparency Logs analysis
  • B) ARP Spoofing
  • C) DNS Spoofing
  • D) Wi-Fi Jamming
    ✅ Answer: A) Certificate Transparency Logs analysis
    Explanation: Analyzing certificate logs can reveal domain registrations and subdomains.

41. What is the main purpose of a banner grabbing attack?

  • A) To retrieve detailed information about a service running on a server
  • B) To brute-force login credentials
  • C) To install malware on a target system
  • D) To overload a server with traffic
    ✅ Answer: A) To retrieve detailed information about a service running on a server
    Explanation: Banner grabbing helps attackers gather information about running services, their versions, and potential vulnerabilities.

42. What does the term “footprinting” refer to in ethical hacking?

  • A) Cracking passwords using brute force
  • B) Gathering detailed information about a target
  • C) Deploying malware to gain persistence
  • D) Performing SQL injection attacks
    ✅ Answer: B) Gathering detailed information about a target
    Explanation: Footprinting is the initial phase in ethical hacking where an attacker collects information about a target.

43. What tool is commonly used for detecting subdomains of a target domain?

  • A) SubBrute
  • B) Ettercap
  • C) John the Ripper
  • D) Aircrack-ng
    ✅ Answer: A) SubBrute
    Explanation: SubBrute is an OSINT tool used for discovering subdomains associated with a domain.

44. Which of the following is a passive reconnaissance tool?

  • A) Wireshark
  • B) Hydra
  • C) Nessus
  • D) Burp Suite
    ✅ Answer: A) Wireshark
    Explanation: Wireshark captures network traffic without direct interaction with the target, making it a passive reconnaissance tool.

45. What information does an MX (Mail Exchange) DNS record contain?

  • A) The IP address of the target website
  • B) The email servers responsible for receiving emails for a domain
  • C) The public key of the SSL certificate
  • D) The list of user accounts on a system
    ✅ Answer: B) The email servers responsible for receiving emails for a domain
    Explanation: MX records specify the mail servers for a domain, helping attackers identify email infrastructure.

46. What is the primary objective of footprinting a wireless network?

  • A) To disable the target network
  • B) To identify available Wi-Fi networks and their security configurations
  • C) To execute a man-in-the-middle attack
  • D) To bypass network firewalls
    ✅ Answer: B) To identify available Wi-Fi networks and their security configurations
    Explanation: Wireless reconnaissance involves gathering information about Wi-Fi networks, encryption methods, and SSIDs.

47. What is a key characteristic of passive reconnaissance?

  • A) It does not interact directly with the target system
  • B) It involves penetration testing
  • C) It requires social engineering techniques
  • D) It uses brute-force methods to gain access
    ✅ Answer: A) It does not interact directly with the target system
    Explanation: Passive reconnaissance gathers publicly available data without alerting the target.

48. What is the primary use of FOCA (Fingerprinting Organizations with Collected Archives)?

  • A) To scan networks for vulnerabilities
  • B) To extract metadata from public documents
  • C) To perform a phishing attack
  • D) To crack hashed passwords
    ✅ Answer: B) To extract metadata from public documents
    Explanation: FOCA is an OSINT tool that analyzes metadata in documents to gather intelligence.

49. What reconnaissance technique involves tracking SSL/TLS certificates of an organization?

  • A) DNS Spoofing
  • B) Certificate Transparency Log Analysis
  • C) Brute-force attacks
  • D) Reverse Engineering
    ✅ Answer: B) Certificate Transparency Log Analysis
    Explanation: This technique helps discover subdomains and domain registration details.

50. What is the purpose of an SPF (Sender Policy Framework) record in DNS?

  • A) To prevent email spoofing
  • B) To encrypt DNS queries
  • C) To manage subdomains
  • D) To store login credentials
    ✅ Answer: A) To prevent email spoofing
    Explanation: SPF records specify authorized email servers for a domain, helping to prevent spoofing.

51. What tool is commonly used to enumerate open directories on a website?

  • A) Dirb
  • B) Aircrack-ng
  • C) Mimikatz
  • D) Wireshark
    ✅ Answer: A) Dirb
    Explanation: Dirb is used to discover open directories and hidden files on a website.

52. What is a major risk of exposed API endpoints?

  • A) Increased CPU usage
  • B) Unauthorized data access and potential exploits
  • C) Increased website loading time
  • D) Reduced encryption strength
    ✅ Answer: B) Unauthorized data access and potential exploits
    Explanation: Exposed APIs can leak sensitive data and introduce security vulnerabilities.

53. Which of the following is an example of physical reconnaissance?

  • A) Checking network logs
  • B) Dumpster diving
  • C) Running a SQL Injection attack
  • D) Using Nmap to scan a network
    ✅ Answer: B) Dumpster diving
    Explanation: Dumpster diving involves retrieving sensitive documents from discarded trash.

54. Which of the following is a method of footprinting used in social engineering?

  • A) Phishing emails
  • B) Port scanning
  • C) Sniffing network traffic
  • D) Performing a DoS attack
    ✅ Answer: A) Phishing emails
    Explanation: Phishing is a social engineering technique used to extract information from users.

55. What type of reconnaissance involves gathering information about a company’s technology stack?

  • A) Passive reconnaissance
  • B) Active reconnaissance
  • C) Social engineering
  • D) Reverse engineering
    ✅ Answer: A) Passive reconnaissance
    Explanation: Identifying a company’s technology stack (e.g., web server, CMS, programming languages) is part of passive reconnaissance.

56. Which reconnaissance tool is designed to scan the dark web for leaked credentials?

  • A) SpiderFoot
  • B) Maltego
  • C) Nessus
  • D) Nikto
    ✅ Answer: A) SpiderFoot
    Explanation: SpiderFoot is an OSINT tool used for gathering intelligence from various sources, including the dark web.

57. What reconnaissance method involves using Google Maps to analyze a target’s physical location?

  • A) Geolocation reconnaissance
  • B) Man-in-the-Middle (MitM) attack
  • C) Traffic analysis
  • D) Phishing
    ✅ Answer: A) Geolocation reconnaissance
    Explanation: Geolocation reconnaissance involves analyzing a target’s location using tools like Google Maps or satellite imagery.

58. What tool can be used to check SSL/TLS certificate expiration and configurations?

  • A) SSLScan
  • B) Metasploit
  • C) Nikto
  • D) Burp Suite
    ✅ Answer: A) SSLScan
    Explanation: SSLScan checks SSL/TLS configurations, cipher strength, and certificate details.

59. What reconnaissance method involves tracking changes in domain registrations over time?

  • A) WHOIS history lookup
  • B) DNS Spoofing
  • C) SQL Injection
  • D) URL Encoding
    ✅ Answer: A) WHOIS history lookup
    Explanation: Tracking WHOIS history can reveal past ownership changes and domain modifications.

60. What technique is used to gather information about network latency and hops between nodes?

  • A) Traceroute
  • B) Hash cracking
  • C) Port forwarding
  • D) Buffer overflow
    ✅ Answer: A) Traceroute
    Explanation: Traceroute maps the path packets take to reach a target, providing details on latency and intermediate hosts.

61. What is the primary purpose of a CNAME record in DNS?

  • A) To map an IP address to a domain name
  • B) To redirect one domain name to another
  • C) To store SPF (Sender Policy Framework) information
  • D) To log all DNS queries
    ✅ Answer: B) To redirect one domain name to another
    Explanation: CNAME (Canonical Name) records are used to alias one domain name to another.

62. What technique is used to determine the operating system of a target machine?

  • A) OS Fingerprinting
  • B) DNS Spoofing
  • C) Brute-force Attack
  • D) SQL Injection
    ✅ Answer: A) OS Fingerprinting
    Explanation: OS Fingerprinting identifies the operating system by analyzing network packets and responses.

63. What is the primary purpose of a Google Hacking Database (GHDB)?

  • A) To store breached password lists
  • B) To maintain a collection of Google Dork queries for reconnaissance
  • C) To provide a list of vulnerable websites for ethical hacking
  • D) To analyze website encryption strength
    ✅ Answer: B) To maintain a collection of Google Dork queries for reconnaissance
    Explanation: The GHDB is a collection of advanced Google search queries used to find sensitive information.

64. What is the main risk of exposed .git repositories on web servers?

  • A) It allows SQL injection attacks
  • B) It reveals source code and sensitive configuration files
  • C) It enables brute-force attacks on the repository
  • D) It weakens SSL/TLS encryption
    ✅ Answer: B) It reveals source code and sensitive configuration files
    Explanation: If .git repositories are publicly accessible, attackers can download the repository and inspect the source code.

65. What reconnaissance method involves examining SSL/TLS certificate transparency logs?

  • A) Identifying subdomains and new domains
  • B) Harvesting email addresses
  • C) Exploiting insecure network traffic
  • D) Brute-force attacking login portals
    ✅ Answer: A) Identifying subdomains and new domains
    Explanation: Certificate Transparency Logs can reveal newly registered domains and subdomains.

66. What is the purpose of an A record in DNS?

  • A) To translate a domain name to an IP address
  • B) To map email servers for a domain
  • C) To encrypt DNS queries
  • D) To store website authentication credentials
    ✅ Answer: A) To translate a domain name to an IP address
    Explanation: An A record (Address Record) maps a domain to its corresponding IP address.

67. What is a major risk of exposed environment (.env) files in web applications?

  • A) They reveal database credentials and API keys
  • B) They contain outdated software logs
  • C) They make SSL/TLS encryption weaker
  • D) They enable SQL injection attacks
    ✅ Answer: A) They reveal database credentials and API keys
    Explanation: Exposed .env files often contain sensitive credentials, API keys, and configurations.

68. What reconnaissance technique involves searching for JavaScript files to discover API endpoints?

  • A) Source Code Analysis
  • B) Network Packet Sniffing
  • C) ARP Poisoning
  • D) Port Forwarding
    ✅ Answer: A) Source Code Analysis
    Explanation: JavaScript files often contain API endpoints, which can help attackers identify backend services.

69. What is the main function of the host command in Linux?

  • A) To perform DNS lookups
  • B) To scan open ports
  • C) To monitor network traffic
  • D) To encrypt network packets
    ✅ Answer: A) To perform DNS lookups
    Explanation: The host command queries DNS records for domain names.

70. What is the primary use of the traceroute command?

  • A) To detect open ports
  • B) To map the network path between a source and destination
  • C) To crack hashed passwords
  • D) To perform SQL injection
    ✅ Answer: B) To map the network path between a source and destination
    Explanation: traceroute tracks the hops between a source and destination.

71. Which search engine is specifically designed for finding internet-connected devices?

  • A) Shodan
  • B) DuckDuckGo
  • C) Bing
  • D) Google
    ✅ Answer: A) Shodan
    Explanation: Shodan indexes publicly accessible internet-connected devices such as webcams, databases, and IoT devices.

72. What is a key reconnaissance technique for identifying firewall rules?

  • A) Firewalking
  • B) SQL Injection
  • C) Web Scraping
  • D) Email Harvesting
    ✅ Answer: A) Firewalking
    Explanation: Firewalking helps identify which ports are open or filtered by a firewall.

73. Which of the following is an example of an automated OSINT framework?

  • A) TheHarvester
  • B) Nikto
  • C) Hydra
  • D) SQLmap
    ✅ Answer: A) TheHarvester
    Explanation: TheHarvester collects OSINT data such as emails, subdomains, and IPs.

74. What is the primary purpose of WhatWeb?

  • A) To fingerprint web applications and technologies
  • B) To brute-force passwords
  • C) To scan networks for vulnerabilities
  • D) To monitor real-time traffic
    ✅ Answer: A) To fingerprint web applications and technologies
    Explanation: WhatWeb identifies technologies used in web applications, including CMS, frameworks, and plugins.

75. Which command can be used to check the SSL/TLS certificate of a website?

  • A) openssl s_client -connect <host>:443
  • B) nslookup -ssl <host>
  • C) nmap –sslscan <host>
  • D) host -tls <host>
    ✅ Answer: A) openssl s_client -connect <host>:443
    Explanation: This command retrieves SSL/TLS certificate details of a website.

76. Which OSINT tool is best suited for analyzing relationships between data points?

  • A) Maltego
  • B) Metasploit
  • C) Nessus
  • D) Hydra
    ✅ Answer: A) Maltego
    Explanation: Maltego is widely used for data visualization and link analysis in OSINT investigations.

77. What type of reconnaissance involves capturing network traffic in real-time?

  • A) Packet Sniffing
  • B) Web Crawling
  • C) Email Spoofing
  • D) Social Engineering
    ✅ Answer: A) Packet Sniffing
    Explanation: Packet Sniffing captures and analyzes network packets to gather data.

78. Which DNS query type retrieves all records for a domain?

  • A) AXFR
  • B) TXT
  • C) CNAME
  • D) PTR
    ✅ Answer: A) AXFR
    Explanation: The AXFR query type requests all DNS records, commonly used in zone transfers.

79. What is the purpose of OSINT (Open-Source Intelligence) in cybersecurity?

  • A) To gather publicly available information about a target
  • B) To exploit system vulnerabilities
  • C) To execute buffer overflow attacks
  • D) To create botnets
    ✅ Answer: A) To gather publicly available information about a target
    Explanation: OSINT involves collecting and analyzing publicly accessible data for intelligence.

80. What reconnaissance tool can analyze and visualize email header information?

  • A) EmailHeaderAnalyzer
  • B) Hashcat
  • C) SQLmap
  • D) Aircrack-ng
    ✅ Answer: A) EmailHeaderAnalyzer
    Explanation: This tool helps analyze email headers to track sender details and potential spoofing attempts.

81. What reconnaissance method involves checking publicly available financial records of a company?

  • A) Business Intelligence Gathering
  • B) Network Sniffing
  • C) DNS Poisoning
  • D) OS Fingerprinting
    ✅ Answer: A) Business Intelligence Gathering
    Explanation: Public financial records, such as SEC filings and annual reports, can provide valuable insights about a company’s operations.

82. What command is used to find the IP address of a website in Linux?

  • A) nslookup <domain>
  • B) ping <domain>
  • C) dig <domain>
  • D) All of the above
    ✅ Answer: D) All of the above
    Explanation: nslookup, ping, and dig can all retrieve the IP address of a domain.

83. What does the robots.txt file primarily do?

  • A) It prevents search engines from indexing certain pages
  • B) It blocks unauthorized users from accessing a website
  • C) It logs all HTTP requests to the server
  • D) It encrypts HTTP traffic
    ✅ Answer: A) It prevents search engines from indexing certain pages
    Explanation: The robots.txt file contains rules for web crawlers, specifying which pages should not be indexed.

84. Which reconnaissance tool is widely used to extract metadata from files?

  • A) ExifTool
  • B) Hydra
  • C) Aircrack-ng
  • D) SQLmap
    ✅ Answer: A) ExifTool
    Explanation: ExifTool is used to extract metadata from image files, PDFs, and other documents.

85. What reconnaissance technique involves analyzing website HTTP headers?

  • A) Web Enumeration
  • B) Banner Grabbing
  • C) Footprinting
  • D) URL Encoding
    ✅ Answer: B) Banner Grabbing
    Explanation: Banner grabbing helps attackers identify software versions and configurations from HTTP headers.

86. What is the purpose of a PTR (Pointer) record in DNS?

  • A) It resolves an IP address to a domain name (reverse lookup)
  • B) It maps a domain name to an IP address
  • C) It prevents unauthorized domain transfers
  • D) It encrypts DNS queries
    ✅ Answer: A) It resolves an IP address to a domain name (reverse lookup)
    Explanation: PTR records are used for reverse DNS lookups, mapping an IP address back to a hostname.

87. What does the whois command return when querying a domain?

  • A) Domain registration details
  • B) A list of all subdomains
  • C) Open ports of the domain
  • D) A list of login credentials
    ✅ Answer: A) Domain registration details
    Explanation: whois provides details such as domain owner, registrar, and expiration date.

88. What kind of information can be found in a sitemap.xml file?

  • A) A structured list of website URLs
  • B) Encrypted user passwords
  • C) Web application vulnerabilities
  • D) API tokens and credentials
    ✅ Answer: A) A structured list of website URLs
    Explanation: sitemap.xml files list all accessible URLs of a website for search engines.

89. What reconnaissance tool is useful for discovering exposed webcams and IoT devices?

  • A) Shodan
  • B) Wireshark
  • C) Hashcat
  • D) Gobuster
    ✅ Answer: A) Shodan
    Explanation: Shodan is a search engine for internet-connected devices, including webcams and IoT systems.

90. What OSINT framework is widely used for automated information gathering?

  • A) SpiderFoot
  • B) SQLmap
  • C) Netcat
  • D) Mimikatz
    ✅ Answer: A) SpiderFoot
    Explanation: SpiderFoot automates OSINT reconnaissance, collecting data from multiple sources.

91. What reconnaissance technique involves analyzing social media profiles?

  • A) Social Media Intelligence (SOCMINT)
  • B) Network Enumeration
  • C) Data Scraping
  • D) MITM Attacks
    ✅ Answer: A) Social Media Intelligence (SOCMINT)
    Explanation: SOCMINT involves gathering intelligence from social media platforms.

92. What method is commonly used to collect public email addresses of a target organization?

  • A) Google Dorking
  • B) Sniffing Network Traffic
  • C) Buffer Overflow
  • D) Keylogging
    ✅ Answer: A) Google Dorking
    Explanation: Google Dorking helps find exposed email addresses using advanced search queries.

93. What reconnaissance tool is best suited for performing network topology mapping?

  • A) Nmap
  • B) Hydra
  • C) Aircrack-ng
  • D) Nikto
    ✅ Answer: A) Nmap
    Explanation: Nmap provides detailed network topology maps and service information.

94. What reconnaissance method involves analyzing HTTP error pages for sensitive information leaks?

  • A) Web Application Fingerprinting
  • B) Server Banner Grabbing
  • C) Error-Based Information Disclosure
  • D) SQL Injection
    ✅ Answer: C) Error-Based Information Disclosure
    Explanation: Misconfigured error pages can leak sensitive details such as database structure and software versions.

95. What is a key advantage of using DNS brute-forcing for reconnaissance?

  • A) It can reveal hidden subdomains
  • B) It bypasses all firewalls
  • C) It exploits server vulnerabilities
  • D) It increases system performance
    ✅ Answer: A) It can reveal hidden subdomains
    Explanation: DNS brute-forcing helps uncover subdomains that are not publicly listed.

96. What is the role of metagoofil in reconnaissance?

  • A) Extracting metadata from public documents
  • B) Brute-forcing login credentials
  • C) Analyzing encrypted data
  • D) Conducting wireless attacks
    ✅ Answer: A) Extracting metadata from public documents
    Explanation: metagoofil extracts metadata from PDFs, Word documents, and presentations.

97. What reconnaissance tool is useful for discovering outdated website components?

  • A) WhatWeb
  • B) Hashcat
  • C) Ettercap
  • D) Aircrack-ng
    ✅ Answer: A) WhatWeb
    Explanation: WhatWeb detects outdated CMS versions, plugins, and software.

98. What is the primary function of Recon-ng in cybersecurity?

  • A) Automating OSINT reconnaissance
  • B) Cracking hashed passwords
  • C) Exploiting web applications
  • D) Performing SQL injections
    ✅ Answer: A) Automating OSINT reconnaissance
    Explanation: Recon-ng is an OSINT framework for automated data gathering.

99. What reconnaissance technique involves analyzing .onion websites?

  • A) Dark Web Intelligence (DARKINT)
  • B) Cross-Site Scripting (XSS)
  • C) MITM Attacks
  • D) Cross-Origin Resource Sharing (CORS)
    ✅ Answer: A) Dark Web Intelligence (DARKINT)
    Explanation: DARKINT is the collection of intelligence from dark web sources.

100. What reconnaissance tool is commonly used for passive DNS monitoring?

  • A) PassiveTotal
  • B) John the Ripper
  • C) Burp Suite
  • D) Metasploit
    ✅ Answer: A) PassiveTotal
    Explanation: PassiveTotal is used for passive DNS analysis, identifying historical DNS records.

101. What tool is commonly used to detect misconfigured cloud storage (e.g., open AWS S3 buckets)?

  • A) CloudEnum
  • B) WPScan
  • C) Nikto
  • D) Metasploit
    ✅ Answer: A) CloudEnum
    Explanation: CloudEnum is an OSINT tool used for discovering misconfigured cloud storage services like AWS S3, Google Cloud Storage, and Azure Blob.

102. What reconnaissance method involves analyzing HTTP status codes to gather intelligence?

  • A) Error-Based Information Disclosure
  • B) Code Injection
  • C) Session Hijacking
  • D) Cross-Site Scripting (XSS)
    ✅ Answer: A) Error-Based Information Disclosure
    Explanation: Certain HTTP status codes (e.g., 403 Forbidden, 500 Internal Server Error) can reveal security misconfigurations or sensitive information.

103. Which tool is useful for finding expired domains related to a target organization?

  • A) DomainHunter
  • B) SQLmap
  • C) Hydra
  • D) Maltego
    ✅ Answer: A) DomainHunter
    Explanation: DomainHunter helps identify expired domains that could be registered for phishing or reconnaissance purposes.

104. What type of reconnaissance involves analyzing JavaScript files for exposed API keys?

  • A) Source Code Review
  • B) DNS Spoofing
  • C) Packet Sniffing
  • D) Social Engineering
    ✅ Answer: A) Source Code Review
    Explanation: Examining JavaScript files in a web application can reveal sensitive API keys or internal endpoints.

105. What reconnaissance technique is used to find leaked credentials from past data breaches?

  • A) Credential Stuffing
  • B) OSINT Analysis
  • C) Dark Web Monitoring
  • D) Man-in-the-Middle Attack
    ✅ Answer: C) Dark Web Monitoring
    Explanation: Dark Web Monitoring searches breach databases and dark web forums for leaked credentials.

106. What is a key advantage of using Gobuster for reconnaissance?

  • A) It brute-forces directories and subdomains quickly
  • B) It encrypts all HTTP requests
  • C) It performs social engineering attacks
  • D) It detects SQL injection vulnerabilities
    ✅ Answer: A) It brute-forces directories and subdomains quickly
    Explanation: Gobuster is a fast directory and subdomain brute-forcing tool.

107. What reconnaissance technique involves analyzing .DS_Store files on web servers?

  • A) Extracting file and directory structures
  • B) Brute-forcing authentication credentials
  • C) Performing a denial-of-service attack
  • D) Enumerating DNS records
    ✅ Answer: A) Extracting file and directory structures
    Explanation: .DS_Store files, often found on misconfigured web servers, can reveal directory structures and file paths.

108. What type of information can be gathered from a website’s favicon hash?

  • A) Web application framework and server type
  • B) User passwords
  • C) SSL certificate expiration dates
  • D) Encryption key strength
    ✅ Answer: A) Web application framework and server type
    Explanation: Favicon hashes can help identify web technologies using tools like Shodan.

109. What reconnaissance technique involves monitoring GitHub repositories for leaked credentials?

  • A) Source Code Intelligence (SRCINT)
  • B) Credential Stuffing
  • C) Domain Hijacking
  • D) ARP Poisoning
    ✅ Answer: A) Source Code Intelligence (SRCINT)
    Explanation: SRCINT involves analyzing public GitHub repositories for leaked API keys, credentials, and sensitive information.

110. What OSINT tool is useful for monitoring dark web activities?

  • A) DarkTracer
  • B) WPScan
  • C) Nikto
  • D) Nmap
    ✅ Answer: A) DarkTracer
    Explanation: DarkTracer helps track data leaks and cyber threats on the dark web.

111. Which method is useful for analyzing exposed .git directories on web servers?

  • A) GitDumper
  • B) Dirb
  • C) Hydra
  • D) Ettercap
    ✅ Answer: A) GitDumper
    Explanation: GitDumper is used to extract .git repositories from exposed web directories.

112. What reconnaissance method involves monitoring SSL certificate transparency logs?

  • A) Detecting newly registered subdomains
  • B) Identifying open TCP ports
  • C) Cracking SSL encryption
  • D) Exploiting SQL vulnerabilities
    ✅ Answer: A) Detecting newly registered subdomains
    Explanation: SSL certificate transparency logs reveal newly issued certificates, which can expose subdomains.

113. What is a primary use of the tool amass?

  • A) Subdomain enumeration
  • B) Password cracking
  • C) Phishing attack simulation
  • D) Wireless penetration testing
    ✅ Answer: A) Subdomain enumeration
    Explanation: Amass is widely used for automated subdomain enumeration.

114. What reconnaissance technique is used to analyze historical DNS records?

  • A) Passive DNS Analysis
  • B) SSL/TLS Encryption Analysis
  • C) Network Traffic Inspection
  • D) SQL Injection
    ✅ Answer: A) Passive DNS Analysis
    Explanation: Passive DNS provides historical DNS records, useful for tracking infrastructure changes.

115. What is the purpose of a CTF (Capture The Flag) challenge in cybersecurity?

  • A) To test ethical hacking skills using simulated scenarios
  • B) To exploit real-world vulnerabilities
  • C) To encrypt DNS queries
  • D) To bypass firewalls
    ✅ Answer: A) To test ethical hacking skills using simulated scenarios
    Explanation: CTF challenges help security professionals practice reconnaissance and exploitation techniques in a legal environment.

116. What OSINT tool helps track corporate leaks and data breaches?

  • A) IntelX
  • B) SQLmap
  • C) John the Ripper
  • D) Hydra
    ✅ Answer: A) IntelX
    Explanation: IntelX helps researchers find leaked corporate data, credentials, and breach information.

117. What is the purpose of a honeypot in cybersecurity?

  • A) To detect and log unauthorized reconnaissance activities
  • B) To encrypt sensitive user data
  • C) To hide real network infrastructure
  • D) To simulate web application vulnerabilities
    ✅ Answer: A) To detect and log unauthorized reconnaissance activities
    Explanation: A honeypot is a decoy system designed to attract and monitor attackers.

118. What is the significance of the security.txt file on websites?

  • A) It provides contact information for responsible disclosure of vulnerabilities
  • B) It prevents search engines from indexing pages
  • C) It encrypts HTTP responses
  • D) It stores website user credentials
    ✅ Answer: A) It provides contact information for responsible disclosure of vulnerabilities
    Explanation: The security.txt file helps ethical hackers report vulnerabilities to the website administrators.

119. What reconnaissance method involves analyzing a target company’s job postings?

  • A) Identifying software and technology stack
  • B) Exploiting SQL injection vulnerabilities
  • C) Conducting phishing attacks
  • D) Brute-forcing login pages
    ✅ Answer: A) Identifying software and technology stack
    Explanation: Job postings often mention technologies used by a company, which can be useful for reconnaissance.

120. What reconnaissance tool can generate an organizational threat report?

  • A) SpiderFoot
  • B) Hydra
  • C) Mimikatz
  • D) SQLmap
    ✅ Answer: A) SpiderFoot
    Explanation: SpiderFoot is an OSINT tool used for threat intelligence and reconnaissance.

121. Which OSINT tool allows you to visualize relationships between individuals, companies, and domains?

  • A) Maltego
  • B) Nikto
  • C) Burp Suite
  • D) WPScan
    ✅ Answer: A) Maltego
    Explanation: Maltego is a data mining and visualization tool used for intelligence gathering.

122. What does a TXT record in DNS typically contain?

  • A) Miscellaneous information such as SPF rules
  • B) IP address mapping
  • C) Domain registration details
  • D) Reverse DNS records
    ✅ Answer: A) Miscellaneous information such as SPF rules
    Explanation: TXT records store text-based data, such as SPF configurations and domain verifications.

123. What technique involves monitoring RSS feeds for updates about a target?

  • A) Passive OSINT Collection
  • B) Web Scraping
  • C) Brute Force Attacks
  • D) Packet Sniffing
    ✅ Answer: A) Passive OSINT Collection
    Explanation: RSS feeds can reveal updates, blog posts, and new content that provide intelligence on a target.

124. What OSINT tool can help extract information from social media platforms?

  • A) Sherlock
  • B) SQLmap
  • C) Nikto
  • D) Nmap
    ✅ Answer: A) Sherlock
    Explanation: Sherlock finds social media accounts associated with a username.

125. What reconnaissance technique involves analyzing publicly available GitHub repositories for sensitive information?

  • A) Git Dorking
  • B) DNS Enumeration
  • C) Reverse Engineering
  • D) SQL Injection
    ✅ Answer: A) Git Dorking
    Explanation: Git Dorking is the process of searching public GitHub repositories for leaked credentials, API keys, and configuration files.

126. What is a major risk of exposed .bash_history files on a web server?

  • A) It can reveal previously executed commands, including credentials
  • B) It allows attackers to modify firewall settings
  • C) It stores encrypted user passwords
  • D) It weakens SSL/TLS encryption
    ✅ Answer: A) It can reveal previously executed commands, including credentials
    Explanation: .bash_history files contain shell commands that can expose sensitive information.

127. What reconnaissance tool specializes in DNS enumeration?

  • A) Fierce
  • B) Nmap
  • C) Hydra
  • D) Ettercap
    ✅ Answer: A) Fierce
    Explanation: Fierce is an OSINT tool used to gather DNS records and discover subdomains.

128. What do DNS PTR (Pointer) records help with?

  • A) Performing a reverse DNS lookup
  • B) Resolving domain names to IP addresses
  • C) Redirecting traffic to another domain
  • D) Storing email encryption keys
    ✅ Answer: A) Performing a reverse DNS lookup
    Explanation: PTR records map an IP address back to a domain name.

129. What is a potential risk of exposed .htaccess files?

  • A) They can reveal server security configurations
  • B) They allow unrestricted access to a database
  • C) They store encrypted password hashes
  • D) They contain SSL private keys
    ✅ Answer: A) They can reveal server security configurations
    Explanation: .htaccess files control server settings and can expose security rules if misconfigured.

130. Which OSINT tool can be used to track Bitcoin transactions?

  • A) Blockchair
  • B) Metasploit
  • C) Gobuster
  • D) WPScan
    ✅ Answer: A) Blockchair
    Explanation: Blockchair allows users to search and analyze blockchain transactions.

131. What reconnaissance tool is useful for detecting subdomains through brute force?

  • A) Sublist3r
  • B) Nikto
  • C) Burp Suite
  • D) Snort
    ✅ Answer: A) Sublist3r
    Explanation: Sublist3r is widely used for subdomain enumeration through brute force techniques.

132. What reconnaissance tool can help identify exposed email addresses associated with a domain?

  • A) Hunter.io
  • B) Netcat
  • C) Snort
  • D) Hashcat
    ✅ Answer: A) Hunter.io
    Explanation: Hunter.io helps discover professional email addresses associated with a domain.

133. What reconnaissance technique involves analyzing browser extensions used by a target?

  • A) Fingerprinting
  • B) Keylogging
  • C) Packet Sniffing
  • D) SQL Injection
    ✅ Answer: A) Fingerprinting
    Explanation: Browser fingerprinting helps identify a user’s browser, plugins, and extensions.

134. What is the purpose of Recon-ng in information gathering?

  • A) Automating OSINT reconnaissance
  • B) Exploiting web applications
  • C) Cracking hashed passwords
  • D) Detecting SQL injection vulnerabilities
    ✅ Answer: A) Automating OSINT reconnaissance
    Explanation: Recon-ng automates various OSINT techniques for intelligence gathering.

135. What is a common method of discovering hidden login pages on a website?

  • A) Directory Bruteforcing
  • B) Reverse Engineering
  • C) Sniffing Network Traffic
  • D) SQL Injection
    ✅ Answer: A) Directory Bruteforcing
    Explanation: Tools like Gobuster or Dirb can discover hidden login pages.

136. What is a potential risk of exposed .config files in web applications?

  • A) They may contain database credentials and API keys
  • B) They can be used for SQL Injection attacks
  • C) They store browser history
  • D) They are used for DNS spoofing
    ✅ Answer: A) They may contain database credentials and API keys
    Explanation: Configuration files often store sensitive data such as database connections and API keys.

137. What OSINT tool specializes in mapping out Wi-Fi networks?

  • A) Kismet
  • B) Hydra
  • C) Metasploit
  • D) Maltego
    ✅ Answer: A) Kismet
    Explanation: Kismet is a tool used for wireless network discovery and analysis.

138. What reconnaissance technique involves analyzing CSS and JavaScript files for hidden URLs?

  • A) Code Review
  • B) Brute Force Attacks
  • C) DNS Poisoning
  • D) Session Hijacking
    ✅ Answer: A) Code Review
    Explanation: JavaScript and CSS files often contain hidden paths and API endpoints.

139. What reconnaissance technique involves monitoring DNS records for recent changes?

  • A) Passive DNS Monitoring
  • B) Cross-Site Scripting (XSS)
  • C) Code Injection
  • D) Phishing
    ✅ Answer: A) Passive DNS Monitoring
    Explanation: Passive DNS Monitoring helps track changes in domain registrations and IP mappings.

140. What reconnaissance tool is useful for analyzing public cloud assets?

  • A) CloudMapper
  • B) SQLmap
  • C) WPScan
  • D) Netcat
    ✅ Answer: A) CloudMapper
    Explanation: CloudMapper is a tool used to map and analyze cloud infrastructure.

141. What reconnaissance technique involves analyzing SSL/TLS certificates for domain information?

  • A) Certificate Transparency Monitoring
  • B) DNS Spoofing
  • C) Brute Force Attacks
  • D) Social Engineering
    ✅ Answer: A) Certificate Transparency Monitoring
    Explanation: Certificate transparency logs help identify domain names and subdomains registered using SSL certificates.

142. What reconnaissance tool can help identify running services and open ports on a target system?

  • A) Nmap
  • B) Wireshark
  • C) Hashcat
  • D) Aircrack-ng
    ✅ Answer: A) Nmap
    Explanation: Nmap is widely used for port scanning and service enumeration.

143. What type of reconnaissance technique involves monitoring job postings of a company?

  • A) Identifying technology stack and infrastructure
  • B) Conducting phishing attacks
  • C) DNS Spoofing
  • D) Website Defacement
    ✅ Answer: A) Identifying technology stack and infrastructure
    Explanation: Job postings often reveal tools, technologies, and software stacks used within a company.

144. What OSINT tool is useful for scraping websites and extracting data?

  • A) Scrapy
  • B) Hydra
  • C) WPScan
  • D) Netcat
    ✅ Answer: A) Scrapy
    Explanation: Scrapy is a web scraping framework that allows automated extraction of data from websites.

145. What reconnaissance technique involves searching for leaked credentials on pastebin-like websites?

  • A) Credential Leak Monitoring
  • B) SQL Injection
  • C) MITM Attack
  • D) IP Spoofing
    ✅ Answer: A) Credential Leak Monitoring
    Explanation: Public paste sites often contain leaked usernames and passwords from data breaches.

146. What reconnaissance tool is used to map cloud assets and configurations?

  • A) CloudMapper
  • B) SQLmap
  • C) WPScan
  • D) Nikto
    ✅ Answer: A) CloudMapper
    Explanation: CloudMapper is a tool for visualizing and analyzing cloud infrastructure.

147. What reconnaissance method is used to analyze HTTP headers for technology fingerprinting?

  • A) Banner Grabbing
  • B) SQL Injection
  • C) Phishing
  • D) Sniffing
    ✅ Answer: A) Banner Grabbing
    Explanation: Banner grabbing helps determine the server type and technology stack based on HTTP headers.

148. What is a common risk of exposed .log files on a web server?

  • A) They may contain debugging information, user credentials, and server errors
  • B) They allow an attacker to perform SQL injection
  • C) They store SSL private keys
  • D) They reveal SSH login details
    ✅ Answer: A) They may contain debugging information, user credentials, and server errors
    Explanation: Log files can expose sensitive information such as error messages, authentication failures, and API calls.

149. What reconnaissance technique is used to analyze the time-to-live (TTL) values in IP packets?

  • A) Network Fingerprinting
  • B) SQL Injection
  • C) Brute Force Attack
  • D) Phishing
    ✅ Answer: A) Network Fingerprinting
    Explanation: TTL values can help determine the operating system and network characteristics of a target.

150. What reconnaissance tool is useful for discovering exposed Google Drive or Dropbox links?

  • A) Google Dorking
  • B) Hydra
  • C) Nikto
  • D) SQLmap
    ✅ Answer: A) Google Dorking
    Explanation: Google Dorking can reveal sensitive cloud storage links that were unintentionally indexed.

151. What type of reconnaissance involves analyzing a target’s DNS TXT records?

  • A) Gathering SPF, DKIM, and DMARC information
  • B) Exploiting open DNS resolvers
  • C) Conducting brute-force password attacks
  • D) Injecting malicious SQL commands
    ✅ Answer: A) Gathering SPF, DKIM, and DMARC information
    Explanation: TXT records often contain security-related configurations, such as SPF (Sender Policy Framework).

152. What reconnaissance technique involves searching for exposed .env files?

  • A) Extracting API keys, database credentials, and configurations
  • B) Brute-forcing login pages
  • C) Injecting malicious JavaScript
  • D) Defacing the website
    ✅ Answer: A) Extracting API keys, database credentials, and configurations
    Explanation: Exposed .env files often contain sensitive credentials used in web applications.

153. What tool is best suited for analyzing leaked data sets from data breaches?

  • A) Have I Been Pwned (HIBP)
  • B) Nikto
  • C) Burp Suite
  • D) SQLmap
    ✅ Answer: A) Have I Been Pwned (HIBP)
    Explanation: HIBP allows users to check if their credentials were leaked in past breaches.

154. What reconnaissance tool is useful for detecting open GraphQL endpoints?

  • A) GraphQLmap
  • B) Nessus
  • C) Nikto
  • D) Nmap
    ✅ Answer: A) GraphQLmap
    Explanation: GraphQLmap is designed to find and exploit insecure GraphQL implementations.

155. What reconnaissance tool is commonly used for scanning IoT devices?

  • A) Shodan
  • B) Nmap
  • C) Metasploit
  • D) Aircrack-ng
    ✅ Answer: A) Shodan
    Explanation: Shodan is a search engine for internet-connected devices, including IoT and industrial systems.

156. What technique is used to find publicly available PDF, DOC, and XLS files on a target’s domain?

  • A) Google Dorking
  • B) DNS Spoofing
  • C) Man-in-the-Middle Attacks
  • D) Buffer Overflow Exploitation
    ✅ Answer: A) Google Dorking
    Explanation: Advanced Google search queries can locate publicly accessible documents on a website.

157. What reconnaissance tool specializes in extracting metadata from images and documents?

  • A) ExifTool
  • B) WPScan
  • C) Gobuster
  • D) Hydra
    ✅ Answer: A) ExifTool
    Explanation: ExifTool extracts metadata from images, PDFs, and other documents.

158. What reconnaissance technique involves monitoring changes in WHOIS records?

  • A) Tracking domain ownership and expiration dates
  • B) Exploiting SQL injection vulnerabilities
  • C) Cracking hashed passwords
  • D) Spoofing DNS records
    ✅ Answer: A) Tracking domain ownership and expiration dates
    Explanation: WHOIS record monitoring helps track domain ownership and infrastructure changes.

159. What reconnaissance technique is useful for identifying CDN (Content Delivery Network) services?

  • A) DNS Lookup and Traceroute
  • B) SQL Injection
  • C) Cross-Site Scripting (XSS)
  • D) Reverse Shell Exploitation
    ✅ Answer: A) DNS Lookup and Traceroute
    Explanation: CDN services can be identified by checking DNS records and traceroute results.

160. What reconnaissance technique involves analyzing website analytics services such as Google Analytics?

  • A) Identifying tracking IDs to discover linked websites
  • B) Bypassing website authentication
  • C) Conducting SQL Injection
  • D) Performing a DoS attack
    ✅ Answer: A) Identifying tracking IDs to discover linked websites
    Explanation: Google Analytics IDs can be used to find other websites operated by the same organization.

161. What reconnaissance technique involves searching for exposed backup.zip or .bak files on a target website?

  • A) Finding backup files that may contain sensitive information
  • B) Conducting a brute-force attack
  • C) Executing a Cross-Site Scripting (XSS) attack
  • D) Performing a Denial-of-Service (DoS) attack
    ✅ Answer: A) Finding backup files that may contain sensitive information
    Explanation: Backup files often contain old source code, configurations, and sensitive data.

162. What reconnaissance tool is designed for identifying open Amazon S3 buckets?

  • A) S3Scanner
  • B) WPScan
  • C) SQLmap
  • D) Aircrack-ng
    ✅ Answer: A) S3Scanner
    Explanation: S3Scanner helps identify misconfigured AWS S3 buckets that are publicly accessible.

163. What type of reconnaissance involves analyzing the favicon of a website to fingerprint its technology stack?

  • A) Hash-based favicon fingerprinting
  • B) Cross-Site Request Forgery (CSRF)
  • C) SSL Stripping
  • D) Clickjacking
    ✅ Answer: A) Hash-based favicon fingerprinting
    Explanation: The hash of a favicon can be used to identify the web technologies a site is using.

164. What reconnaissance tool is useful for analyzing passive DNS records?

  • A) PassiveTotal
  • B) Burp Suite
  • C) Hydra
  • D) Mimikatz
    ✅ Answer: A) PassiveTotal
    Explanation: PassiveTotal helps track historical DNS changes for domains.

165. What reconnaissance method involves using crt.sh to find subdomains of a target?

  • A) Searching Certificate Transparency Logs
  • B) Exploiting DNS Spoofing
  • C) Conducting SQL Injection
  • D) Analyzing network latency
    ✅ Answer: A) Searching Certificate Transparency Logs
    Explanation: crt.sh helps discover subdomains by searching SSL certificate registrations.

166. What OSINT tool is useful for analyzing LinkedIn employee profiles for footprinting?

  • A) LinkedInt
  • B) Maltego
  • C) Nikto
  • D) SQLmap
    ✅ Answer: A) LinkedInt
    Explanation: LinkedInt extracts and organizes employee data from LinkedIn.

167. What reconnaissance tool helps find exposed APIs on a target system?

  • A) Recon-ng
  • B) Wireshark
  • C) Metasploit
  • D) John the Ripper
    ✅ Answer: A) Recon-ng
    Explanation: Recon-ng automates OSINT collection, including API discovery.

168. What reconnaissance technique is used to identify shared hosting infrastructure?

  • A) Reverse IP Lookup
  • B) DNS Spoofing
  • C) Port Forwarding
  • D) Phishing
    ✅ Answer: A) Reverse IP Lookup
    Explanation: Reverse IP lookups reveal other domains hosted on the same server.

169. What reconnaissance tool is useful for identifying exposed FTP servers?

  • A) Nmap
  • B) Hydra
  • C) Snort
  • D) John the Ripper
    ✅ Answer: A) Nmap
    Explanation: Nmap can scan for open FTP ports and detect anonymous login configurations.

170. What reconnaissance method involves extracting EXIF metadata from images?

  • A) Analyzing location, camera settings, and timestamps
  • B) Injecting malicious JavaScript
  • C) Bypassing Content Security Policy (CSP)
  • D) Exploiting SQL injection vulnerabilities
    ✅ Answer: A) Analyzing location, camera settings, and timestamps
    Explanation: EXIF metadata provides detailed information about images, including GPS coordinates.

171. What OSINT tool is useful for extracting subdomains from threat intelligence feeds?

  • A) Amass
  • B) WPScan
  • C) Nessus
  • D) SQLmap
    ✅ Answer: A) Amass
    Explanation: Amass automates subdomain enumeration using OSINT sources.

172. What reconnaissance method involves tracking SSL certificate expiration dates?

  • A) Monitoring potential domain takeovers
  • B) Conducting phishing attacks
  • C) Sniffing encrypted network traffic
  • D) Cracking SSL encryption
    ✅ Answer: A) Monitoring potential domain takeovers
    Explanation: Expired SSL certificates can indicate abandoned domains, making them vulnerable to takeovers.

173. What reconnaissance technique involves monitoring GitHub commits for leaked credentials?

  • A) Git Dorking
  • B) Session Hijacking
  • C) Man-in-the-Middle Attack
  • D) Domain Hijacking
    ✅ Answer: A) Git Dorking
    Explanation: Git Dorking finds sensitive information in public repositories.

174. What OSINT tool is useful for monitoring threat intelligence feeds?

  • A) OpenCTI
  • B) Hydra
  • C) Metasploit
  • D) Aircrack-ng
    ✅ Answer: A) OpenCTI
    Explanation: OpenCTI helps track and analyze cybersecurity threat intelligence.

175. What reconnaissance tool is commonly used to enumerate open RDP (Remote Desktop Protocol) services?

  • A) Shodan
  • B) Nikto
  • C) John the Ripper
  • D) WPScan
    ✅ Answer: A) Shodan
    Explanation: Shodan indexes publicly accessible RDP services.

176. What reconnaissance technique involves tracking domain registration changes over time?

  • A) WHOIS History Lookup
  • B) Network Sniffing
  • C) SQL Injection
  • D) IP Spoofing
    ✅ Answer: A) WHOIS History Lookup
    Explanation: WHOIS history shows past domain ownership and infrastructure changes.

177. What reconnaissance tool is useful for identifying sensitive files left exposed on web servers?

  • A) Dirbuster
  • B) Hydra
  • C) Wireshark
  • D) Snort
    ✅ Answer: A) Dirbuster
    Explanation: Dirbuster is used to find hidden directories and exposed files.

178. What reconnaissance tool is used to monitor brand mentions across the dark web?

  • A) DarkTracer
  • B) Nikto
  • C) WPScan
  • D) SQLmap
    ✅ Answer: A) DarkTracer
    Explanation: DarkTracer helps track brand mentions and leaked data on the dark web.

179. What reconnaissance technique involves analyzing SSL/TLS cipher suites for vulnerabilities?

  • A) Detecting outdated encryption methods
  • B) Injecting malicious payloads
  • C) Bypassing firewall rules
  • D) Exploiting DNS misconfigurations
    ✅ Answer: A) Detecting outdated encryption methods
    Explanation: Weak cipher suites can indicate insecure encryption configurations.

180. What reconnaissance technique involves searching for exposed configuration files such as wp-config.php?

  • A) Extracting database credentials
  • B) Exploiting DNS records
  • C) Conducting Cross-Site Scripting (XSS)
  • D) Performing brute-force attacks
    ✅ Answer: A) Extracting database credentials
    Explanation: wp-config.php files often contain database credentials and secret keys.

181. What reconnaissance tool is useful for analyzing JavaScript files to identify hidden API endpoints?

  • A) LinkFinder
  • B) Snort
  • C) WPScan
  • D) Hydra
    ✅ Answer: A) LinkFinder
    Explanation: LinkFinder extracts URLs and API endpoints from JavaScript files.

182. What reconnaissance technique involves searching for hardcoded credentials in mobile application source code?

  • A) Static Code Analysis
  • B) Dynamic Network Sniffing
  • C) SSL Stripping
  • D) Packet Injection
    ✅ Answer: A) Static Code Analysis
    Explanation: Static analysis inspects source code for hardcoded API keys and credentials.

183. What reconnaissance method involves tracking changes in Google Analytics tracking IDs?

  • A) Identifying related domains owned by the same organization
  • B) Exploiting session cookies
  • C) Extracting user credentials
  • D) Manipulating HTTP headers
    ✅ Answer: A) Identifying related domains owned by the same organization
    Explanation: Google Analytics IDs can link multiple websites operated by the same entity.

184. What reconnaissance tool helps discover exposed .git repositories on web servers?

  • A) GitTools
  • B) Metasploit
  • C) Nikto
  • D) Aircrack-ng
    ✅ Answer: A) GitTools
    Explanation: GitTools retrieves and analyzes exposed .git repositories.

185. What reconnaissance technique involves searching for leaked documents on Google Drive or OneDrive?

  • A) Cloud Dorking
  • B) Port Scanning
  • C) IP Spoofing
  • D) DNS Poisoning
    ✅ Answer: A) Cloud Dorking
    Explanation: Cloud Dorking uses search engine queries to locate publicly available files.

186. What reconnaissance tool helps track leaked credentials across public breach databases?

  • A) Dehashed
  • B) Hydra
  • C) Nikto
  • D) WPScan
    ✅ Answer: A) Dehashed
    Explanation: Dehashed allows searching for compromised usernames and passwords.

187. What reconnaissance technique involves monitoring JavaScript frameworks used by a target?

  • A) Web Technology Fingerprinting
  • B) Network Packet Analysis
  • C) Buffer Overflow Exploitation
  • D) Code Injection
    ✅ Answer: A) Web Technology Fingerprinting
    Explanation: Fingerprinting identifies libraries, frameworks, and CMS used by a web application.

188. What reconnaissance tool can be used to analyze website tracking scripts and analytics codes?

  • A) Wappalyzer
  • B) Hydra
  • C) John the Ripper
  • D) SQLmap
    ✅ Answer: A) Wappalyzer
    Explanation: Wappalyzer detects website analytics scripts, advertising services, and other technologies.

189. What reconnaissance method involves identifying the JavaScript dependencies of a web application?

  • A) Dependency Enumeration
  • B) DNS Spoofing
  • C) SQL Injection
  • D) MITM Attack
    ✅ Answer: A) Dependency Enumeration
    Explanation: Dependency enumeration helps find outdated libraries that could be vulnerable.

190. What reconnaissance technique is used to analyze certificate chains of an HTTPS website?

  • A) SSL Certificate Chain Analysis
  • B) Cross-Origin Resource Sharing (CORS) Exploitation
  • C) SQL Injection
  • D) Credential Stuffing
    ✅ Answer: A) SSL Certificate Chain Analysis
    Explanation: Analyzing SSL chains helps detect expired, weak, or misconfigured certificates.

191. What reconnaissance method involves analyzing a website’s JavaScript files for API tokens?

  • A) API Token Discovery
  • B) Brute Force Attacks
  • C) SQL Injection
  • D) Cross-Site Scripting (XSS)
    ✅ Answer: A) API Token Discovery
    Explanation: Exposed API tokens can allow unauthorized access to backend services.

192. What reconnaissance tool is useful for identifying outdated CMS versions on a target website?

  • A) WhatWeb
  • B) Aircrack-ng
  • C) Mimikatz
  • D) Snort
    ✅ Answer: A) WhatWeb
    Explanation: WhatWeb identifies CMS versions and plugins to find potential vulnerabilities.

193. What reconnaissance tool is used to enumerate subdomains using passive sources?

  • A) SubFinder
  • B) John the Ripper
  • C) Ettercap
  • D) Netcat
    ✅ Answer: A) SubFinder
    Explanation: SubFinder discovers subdomains without actively interacting with the target.

194. What reconnaissance method involves analyzing public bug bounty reports for security vulnerabilities?

  • A) Vulnerability Intelligence Gathering
  • B) SQL Injection
  • C) SSL Stripping
  • D) Session Fixation
    ✅ Answer: A) Vulnerability Intelligence Gathering
    Explanation: Public bug bounty reports provide insights into common vulnerabilities affecting a target.

195. What reconnaissance tool is used to extract metadata from PDF documents?

  • A) PDF-Analyzer
  • B) WPScan
  • C) SQLmap
  • D) Hydra
    ✅ Answer: A) PDF-Analyzer
    Explanation: PDF-Analyzer extracts metadata such as author names, timestamps, and software versions.

196. What reconnaissance technique involves monitoring GitHub Gists for exposed credentials?

  • A) GitHub Secrets Monitoring
  • B) Cross-Site Request Forgery (CSRF)
  • C) Clickjacking
  • D) Brute Force Attacks
    ✅ Answer: A) GitHub Secrets Monitoring
    Explanation: GitHub Gists sometimes contain leaked API keys, credentials, or other sensitive data.

197. What reconnaissance method involves monitoring RSS feeds for updates about a target?

  • A) Passive OSINT Collection
  • B) Man-in-the-Middle (MITM) Attack
  • C) Web Defacement
  • D) Directory Traversal
    ✅ Answer: A) Passive OSINT Collection
    Explanation: RSS feeds can reveal updates, press releases, and other information useful for OSINT.

198. What reconnaissance tool helps track changes in SSL certificates?

  • A) CertSpotter
  • B) Aircrack-ng
  • C) Snort
  • D) Hydra
    ✅ Answer: A) CertSpotter
    Explanation: CertSpotter monitors SSL/TLS certificate changes to detect new subdomains or domain takeovers.

199. What reconnaissance technique is useful for finding leaked SSH private keys?

  • A) Searching Pastebin and GitHub repositories
  • B) Conducting a Denial-of-Service (DoS) attack
  • C) Manipulating HTTP headers
  • D) Exploiting weak session cookies
    ✅ Answer: A) Searching Pastebin and GitHub repositories
    Explanation: SSH keys are sometimes leaked in public repositories or paste sites.

200. What reconnaissance method involves analyzing HTTP response headers for security misconfigurations?

  • A) Security Header Analysis
  • B) Brute Force Attack
  • C) SQL Injection
  • D) Phishing
    ✅ Answer: A) Security Header Analysis
    Explanation: HTTP headers reveal security configurations such as Content Security Policy (CSP), HSTS, and X-Frame-Options.