CompTIA PenTest+ Domain 2: Reconnaissance and Enumeration

A full port scan sends probe packets directly to the target hosts, which is direct interaction the target can detect, and that hands-on probing is exactly what defines active reconnaissance.

• APulling registration data from a public WHOIS registry never touches the client's own systems, so it is passive intelligence gathering rather than active reconnaissance involving direct interaction.
• CReading a search engine's cached copies queries the search provider, not the target, so no traffic reaches the client and the activity remains passive reconnaissance throughout.
• DBrowsing public social media collects already-published information without ever contacting the target's infrastructure, making it passive open-source intelligence rather than an active, detectable probe.

WHOIS lets anyone query registry data for a registered domain, returning its assigned IP blocks, contact information, and DNS name servers without sending any traffic to the target's hosts.

• AA reverse DNS sweep maps IP addresses back to host names, but it does not return registrar contacts or the registered ownership of the address blocks the tester needs.
• BA service-version scan actively probes open ports on the target hosts; it identifies running software, not the public registration ownership, contacts, and name servers of the domain.
• DCertificate transparency logs reveal certificates and subdomains, but they do not hold registrar contact records or the network-block ownership that a WHOIS registry query returns.

Certificate Transparency logs publicly record issued TLS certificates and the host names they cover, so searching them reveals subdomains and organization details without any direct interaction with the target.

• BA zone transfer requests records straight from the target's name server, which is a direct query against its infrastructure, not a search of independently logged public certificate data.
• CA WHOIS lookup returns domain registration and contact details from the registry; it does not enumerate the issued TLS certificates and their host names that reveal subdomains.
• DSweeping for SNMP community strings actively probes devices for management data; it has nothing to do with reading publicly logged certificate records to discover a target's subdomains.

Placing the interface in promiscuous mode to passively access data in transit, while sending nothing to the hosts, is exactly passive network sniffing of the captured traffic.

• AActive service enumeration transmits crafted requests to each host to identify running services; the described task injects no traffic at all, so it is the opposite of active probing.
• BDNS brute forcing actively sends many guessed-subdomain queries to a resolver; the scenario only captures existing traffic without sending requests, so this label does not fit.
• CBanner grabbing opens connections to services to read their identifying banners, which is direct interaction; the tester here only listens to traffic and sends nothing to the hosts.

theHarvester performs OSINT gathering, collecting names, emails, IP addresses, and subdomains from multiple public resources, which is precisely the email-and-subdomain harvesting the tester wants.

• AWireshark captures and analyzes packets off the wire; it does not query public sources to harvest a domain's emails, names, and subdomains during open-source intelligence gathering.
• CNikto scans a web server for known vulnerabilities and misconfigurations; it is not designed to harvest emails, employee names, and subdomains from public OSINT sources.
• DThe Metasploit Framework is built to develop and launch exploits against vulnerable services; it does not harvest a domain's public emails, names, and subdomains during reconnaissance.

Shodan is a search engine for Internet-connected devices whose data is largely drawn from service banners, letting the tester query exposure and banners without scanning the client directly.

• BNessus actively scans targets for vulnerabilities, generating traffic against the client's hosts; it is not a pre-built public index of Internet-exposed devices and their service banners.
• CBurp Suite intercepts and manipulates a tester's own web traffic to a target application; it does not maintain a searchable index of Internet-wide device banners and exposure.
• DMetasploit is an exploitation framework for delivering and managing payloads; it is not a search engine that indexes Internet-connected devices and their service banners.

The -sn option tells Nmap not to do a port scan after host discovery and to only print the available hosts that responded, which is the host-only ping sweep requested.

• AThe -sV option probes open ports to determine service and version information, which requires a port scan; the tester wants only live-host discovery without scanning ports yet.
• BThe -Pn option tells Nmap to treat all hosts as online and skip host discovery, then port-scan them all, which is the opposite of doing only a host-discovery sweep.
• DThe -O option enables operating-system detection through TCP/IP fingerprinting, which depends on scanning ports; it does not limit the run to discovering which hosts are alive.

The -sV option probes open ports to determine service and version information, reporting the application and version behind each port, which is exactly what the tester requested.

• BThe -sn option performs host discovery only and disables the port scan, so it cannot identify the application or version listening behind any open port.
• CThe -sS SYN scan determines whether ports are open, closed, or filtered, but on its own it does not probe services to reveal the application name and version.
• DThe -Pn option only tells Nmap to skip host discovery and treat hosts as online; it does nothing to fingerprint the service software or version on the open ports.

The -O option enables operating-system detection, which Nmap performs through TCP/IP fingerprinting to identify the remote host's OS or device, matching the tester's goal.

• AThe -sV option identifies the service and version listening on open ports; it reports application software, not the host operating system inferred from TCP/IP stack behavior.
• BThe -sC option runs the default set of NSE scripts against the target; it is not the dedicated operating-system detection feature based on TCP/IP fingerprinting.
• CThe -F option enables fast mode by scanning fewer ports than the default; it changes which ports are scanned, not whether the operating system is fingerprinted.

A DNS zone transfer uses query type AXFR to collect all records from a misconfigured name server, returning the full list of entries including non-obvious subdomains.

• AA reverse IP lookup uses PTR records to map an address back to a single host name; it does not pull the entire set of records for a domain at once.
• CAn MX lookup returns only the mail-exchange records for a domain; it cannot dump every record and subdomain the way an AXFR zone transfer does against a permissive server.
• DA WHOIS query returns registration and contact data from the registry, not the domain's live DNS records, so it would not enumerate the subdomains contained in a zone.

Requesting many candidate paths from a wordlist to uncover non-obvious directories and files is dictionary-style directory enumeration, the standard way to surface unlinked admin interfaces.

• APassive DNS harvesting collects records from third-party data sets without contacting the server; the scenario actively requests many guessed paths, so it is not a passive technique.
• BVirtual host discovery finds different sites sharing one IP by varying the HTTP Host header; the tester here is guessing URL paths on one site, not enumerating host names.
• DAnalyzing a server's TLS certificate reveals names and issuer details, but it does not brute-force URL paths to discover hidden directories and files on the web server.

Listing the folders and drives a host shares over the SMB protocol is network share enumeration, identifying shared resources that may hold useful data or footholds for access.

• BAccount enumeration produces a list of valid usernames or accounts on the system; smbclient -L lists shared folders and drives, not the user accounts on the host.
• CService version detection probes open ports to identify the software and version behind them; listing SMB shares reports shared resources, not the version of a listening service.
• DOS fingerprinting infers the operating system from TCP/IP stack responses; enumerating shared folders over SMB tells you about shares, not the host's operating-system identity.

Obtaining a listing of valid usernames or accounts is account enumeration, which helps determine which accounts exist so they can be targeted by later brute-force password guessing.

• ANetwork share enumeration lists the shared folders and drives a host exposes over SMB; RID cycling to recover valid usernames is account enumeration, which targets user accounts instead.
• CBanner grabbing connects to a service to read its identifying banner and version; RID cycling instead translates security identifiers into the valid user names on the host.
• DA zone transfer pulls DNS records from a name server; it has nothing to do with cycling relative identifiers on an SMB host to enumerate its valid user accounts.

A single IP can serve multiple sites via virtual hosts selected by the HTTP Host header, so enumerating the host names resolving to that address is virtual host enumeration.

• AService version detection determines which software and version listen on a port; it does not enumerate the multiple host names that a single web server serves different content for.
• BAccount enumeration recovers valid usernames on a system; the tester is discovering name-based sites behind one IP address, which concerns host names rather than user accounts.
• COS fingerprinting infers the operating system from network responses; it cannot reveal the several symbolic host names mapped to one address that select different virtual sites.

Maltego is an OSINT and forensics platform whose graph is built for complex, large-scale link analysis, visually mapping relationships among entities such as people, domains, and addresses.

• ANmap is a network exploration and port-scanning utility; it discovers hosts and services but does not build visual link-analysis graphs of relationships among OSINT entities.
• BHashcat recovers passwords from captured hashes through offline cracking; it has no capability to graph relationships among people, domains, and other intelligence entities.
• Dtcpdump captures and displays packets crossing an interface; it records network traffic but does not correlate or visually link OSINT entities into a relationship graph.

Recon-ng is a full-featured, completely modular web reconnaissance framework written in Python with a Metasploit-like look and feel, using independent modules and a database for OSINT.

• BtheHarvester is a focused OSINT collector that harvests emails and subdomains from public sources; it is not a modular, Metasploit-style framework with workspaces and set/run module commands.
• CAircrack-ng is a suite for auditing and cracking 802.11 wireless encryption; it is unrelated to a modular Python framework for web-based open-source reconnaissance.
• DNessus is a vulnerability scanner that actively tests hosts for known flaws; it is not a console-driven modular framework for conducting web-based OSINT with set and run commands.

Censys publishes continuously gathered Internet-wide scan data -- active hosts, open ports, and certificates -- and is used to find exposed infrastructure and certificate-derived subdomains without scanning the target.

• AJohn the Ripper cracks password hashes offline; it does not maintain or query an Internet-wide dataset of hosts, open ports, and certificates for exposed-asset discovery.
• BResponder poisons name-resolution traffic on a local network to capture credentials; it is not a searchable database of Internet-wide scan results and certificate data.
• CGobuster brute-forces directories, DNS subdomains, and virtual hosts against a specified target; it does not provide a pre-built index of Internet-wide hosts and certificates.

Wireshark's display filter language precisely controls which already-captured packets are displayed, narrowing the view while the complete capture stays intact in the file.

• AA capture filter decides which packets are written to the capture in the first place and is set before capturing; here the full capture is intact and only the view is narrowed.
• CA coloring rule highlights packets with colors based on criteria but still shows every packet; it does not restrict the display to only the matching http.request packets.
• DA decode-as rule tells Wireshark to dissect traffic on a port as a chosen protocol; it changes interpretation, not which captured packets are shown in the list.

The reply text a service returns on connection is its banner -- metadata about the running software and version -- so reading it to identify the product is banner grabbing.

• AA zone transfer retrieves DNS records from a name server; it does not connect to a service port and read the welcome text that reveals the product and version.
• BRID cycling enumerates valid Windows usernames by translating security identifiers; it does not read the identifying reply text a network service returns on connection.
• DPassive sniffing captures traffic without connecting to anything; the tester here actively opened a connection to the port and read its banner, which is not passive.

Python's socket module provides access to the BSD socket interface, returning socket objects whose methods implement the system calls used to open TCP connections for port testing.

• BThe hashlib module implements cryptographic hash functions such as SHA-256; it offers no networking primitives for opening TCP connections to test whether ports are open.
• CThe argparse module parses command-line arguments for a script; it structures user input but provides nothing for creating TCP connections to probe a host's ports.
• DThe csv module reads and writes comma-separated value files; it cannot open network connections, so it is useless for testing whether a host's TCP ports are open.

The Resolve-DnsName cmdlet performs a DNS query for a specified name and record type, functioning much like nslookup, which is exactly the DNS enumeration the script needs.

• ATest-NetConnection runs ping and TCP-port reachability diagnostics; it is not the cmdlet whose purpose is performing DNS record queries such as MX and NS like nslookup.
• BInvoke-WebRequest sends HTTP requests and retrieves web content; it does not issue DNS queries for record types such as MX and NS the way the script requires.
• CGet-NetTCPConnection lists the local machine's existing TCP connections; it neither queries DNS nor returns the MX and NS records for a remote domain.

Test-NetConnection displays connection diagnostics and supports a TCP test; its -Port parameter specifies the TCP port used to test connectivity to the remote computer, confirming port 445 reachability.

• AResolve-DnsName performs DNS name queries and returns records; it does not open a TCP connection to a specified port to confirm whether that port is reachable.
• CGet-Process lists processes running on the local machine; it has no networking function and cannot test whether a TCP port is reachable on a remote host.
• DStart-BitsTransfer downloads or uploads files using the BITS service; it is not a diagnostic for testing whether a specific TCP port on a remote host is open.

Nmap Scripting Engine scripts are written in Lua and are supplied to the --script option as files, directories, or categories, so a custom Lua script extends Nmap's enumeration.

• ANmap does run scripts via --script, but the Nmap Scripting Engine executes Lua scripts, not Python, so a custom Python file would not be a valid NSE script.
• BThe -sC flag runs the default NSE scripts, but those scripts are Lua, not Bash; a Bash file is not a valid script for the Nmap Scripting Engine to execute.
• DThe -O option enables OS detection, not script execution, and NSE scripts are written in Lua rather than Ruby, so neither part of this choice is correct.

A Bash for loop expands a list of words and executes its commands once for each word, so iterating the host numbers to ping every address in the range is a for loop.

• AAn if conditional chooses whether to run a block based on a test; it executes a branch a single time and does not iterate a command across every address in the range.
• BA case statement selects one branch by matching a value against patterns; it does not repeat a ping command across each host number from 1 to 254.
• CA function definition packages commands for later reuse under a name; by itself it does not iterate over the address list to ping each host in the range.