🔍 Information Gathering and Vulnerability Scanning - PENTEST Practice Questions

Perform reconnaissance, OSINT, scanning, and vulnerability identification.

5Questions Available
1Exam Domains

Practice Information Gathering Questions Now

Start a timed practice session focusing on Information Gathering and Vulnerability Scanning topics from the PENTEST question bank.

Start PENTEST Practice Quiz →

PENTEST Information Gathering Question Bank (5 Questions)

Browse all 5 practice questions covering Information Gathering and Vulnerability Scanning for the PENTEST certification exam. Each question includes the full answer and a detailed explanation to help you understand the concepts.

  1. Question 1Reconnaissance & Enumeration

    A penetration tester executes: `nmap -sS -p 1-1000 -T4 192.168.1.0/24`. What type of scan is being performed?

    ATCP connect scan of common ports
    BSYN stealth scan of ports 1-1000 at aggressive timing
    CUDP scan of all ports
    DXMAS scan for firewall evasion
    Show Answer & Explanation
    Correct Answer: B
    Explanation:

    The -sS flag specifies a SYN stealth scan (half-open scan), -p 1-1000 scans ports 1 through 1000, and -T4 sets aggressive timing. SYN scans are stealthier than full TCP connect scans because they don't complete the three-way handshake.

  2. Question 2Reconnaissance & Enumeration

    A penetration tester needs to scan a target without being detected by the intrusion detection system. Which Nmap technique is MOST useful for evasion?

    Anmap -sT -T5 target
    Bnmap -sS -f -T2 --data-length 24 target
    Cnmap -sV -A target
    Dnmap -sn target
    Show Answer & Explanation
    Correct Answer: B
    Explanation:

    Using SYN scan (-sS) with packet fragmentation (-f), slow timing (-T2), and appending random data (--data-length) helps evade IDS detection. The -T5 timing is extremely aggressive and easily detected, while -A enables OS detection and scripts that generate more traffic.

  3. Question 3Vulnerability Discovery & Analysis

    A penetration tester is choosing between Nessus and OpenVAS for vulnerability scanning. Which statement is MOST accurate?

    ANessus is open-source while OpenVAS is commercial only
    BNessus is a commercial scanner with a large plugin database, while OpenVAS is open-source with community-maintained feeds
    CBoth tools only scan web applications
    DOpenVAS cannot detect vulnerabilities on Windows systems
    Show Answer & Explanation
    Correct Answer: B
    Explanation:

    Nessus (by Tenable) is a commercial vulnerability scanner known for its extensive plugin library and compliance checks. OpenVAS is an open-source alternative maintained by Greenbone Networks with community-driven vulnerability feeds. Both can scan network infrastructure and hosts.

  4. Question 4Reconnaissance & Enumeration

    A penetration tester wants to discover all live hosts on a /24 subnet without performing a port scan. Which Nmap command is MOST appropriate?

    Anmap -sn 192.168.1.0/24
    Bnmap -sS 192.168.1.0/24
    Cnmap -sV 192.168.1.0/24
    Dnmap -O 192.168.1.0/24
    Show Answer & Explanation
    Correct Answer: A
    Explanation:

    The -sn flag performs a ping sweep (host discovery only) without scanning any ports. This quickly identifies live hosts on the subnet using ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests.

  5. Question 5Reconnaissance & Enumeration

    A penetration tester runs an Nmap scan and the output shows a port as 'open|filtered'. What does this mean?

    AThe port is definitely open
    BNmap cannot determine whether the port is open or filtered because it received no response
    CThe port is closed
    DThe scan was blocked by the tester's firewall
    Show Answer & Explanation
    Correct Answer: B
    Explanation:

    The 'open|filtered' state means Nmap could not determine whether the port is open or being filtered. This commonly occurs with UDP scans, where the lack of a response could mean either the port is open (accepting the packet silently) or a firewall is dropping the packet.

Key Information Gathering Concepts for PENTEST

reconnaissanceosintnmapscanningenumerationvulnerability

PENTEST Information Gathering Exam Tips

Information Gathering and Vulnerability Scanning questions in PENTEST are typically scenario-based. Focus on service-level decision making aligned to official exam objectives. Priority concepts: reconnaissance, osint, nmap, scanning, enumeration, vulnerability.

What PENTEST Expects

  • Anchor your answer in select the most practical, secure, and scalable answer for the stated scenario.
  • Information Gathering scenarios for PENTEST are frequently mapped to Domain 2 (22%), so read the objective carefully before picking controls or architecture.
  • Expect multi-service scenarios where Information Gathering interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated service question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and managed-service best practices.

High-Value Information Gathering Concepts

  • Know the core Information Gathering building blocks cold: reconnaissance, osint, nmap, scanning.
  • Review the edge-case features and limits for enumeration, vulnerability; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Information Gathering pairs with Attacks & Exploits, Planning & Scoping in real deployment patterns.
  • For PENTEST, explain why the chosen Information Gathering design meets reliability, security, and cost expectations better than the alternatives.

Common PENTEST Traps

  • Watch for answers that partially solve the requirement but miss operational constraints.
  • Questions in Information Gathering and Vulnerability Scanning often include distractors that look correct for Information Gathering but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Information Gathering implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Information Gathering and Vulnerability Scanning (22%) outcomes for PENTEST?
  • Can you explain security and access boundaries for Information Gathering without relying on default-open assumptions?
  • Can you describe how Information Gathering integrates with Attacks & Exploits and Planning & Scoping during failure, scaling, and monitoring events?

Exam Domains Covering Information Gathering

Domain 2Information Gathering and Vulnerability Scanning22%

Related Resources

🎯 Free PENTEST Mock Exam📝 Attacks & Exploits Questions📝 Planning & Scoping Questions

More PENTEST Study Resources

← PENTEST Study Hub30-Day Study PlanFull Practice Exam