FlashGenius Logo FlashGenius
Login Sign Up

GPEN Practice Questions: Reconnaissance, Scanning & Host Discovery Domain

Published: September 12, 2025 | 20 min read

Test your GPEN knowledge with 10 practice questions from the Reconnaissance, Scanning & Host Discovery domain. Includes detailed explanations and answers.

GPEN Practice Questions

Master the Reconnaissance, Scanning & Host Discovery Domain

Test your knowledge in the Reconnaissance, Scanning & Host Discovery domain with these 10 practice questions. Each question is designed to help you prepare for the GPEN certification exam with detailed explanations to reinforce your learning.

Question 1

Which tool is best suited for mapping a network topology by analyzing traffic without sending packets?

A) Nmap

B) Wireshark

C) Netcat

D) Zmap

Show Answer & Explanation

Correct Answer: B

Explanation: Wireshark can analyze traffic and infer network topology without sending packets, unlike Nmap or Zmap, which actively send probes.

Question 2

During host discovery, which Nmap option helps avoid firewall detection?

A) -sT

B) -sS

C) -sN

D) -sU

Show Answer & Explanation

Correct Answer: B

Explanation: The -sS option initiates a SYN scan, which is less likely to be logged by firewalls compared to a full connect scan (-sT). The -sN option is a NULL scan, which is less effective for host discovery, and -sU is for UDP scans.

Question 3

You are performing passive reconnaissance on a target organization. Which of the following tools is most appropriate for gathering information without alerting the target?

A) Nmap

B) Wireshark

C) Google Dorking

D) Metasploit

Show Answer & Explanation

Correct Answer: C

Explanation: Google Dorking allows you to gather information using search engines without directly interacting with the target's network, minimizing detection risk.

Question 4

What is the primary advantage of using a TCP Connect scan over a SYN scan?

A) Faster execution

B) Stealthiness

C) No need for root privileges

D) Better OS fingerprinting

Show Answer & Explanation

Correct Answer: C

Explanation: TCP Connect scans do not require root privileges as they rely on the operating system's connection handling. SYN scans are faster and more stealthy but require elevated privileges.

Question 5

Which method is most suitable for discovering live hosts in a network without sending packets directly to the target?

A) Ping sweep

B) DNS zone transfer

C) ARP scan

D) NetFlow analysis

Show Answer & Explanation

Correct Answer: D

Explanation: NetFlow analysis allows monitoring of network traffic flows without direct interaction, unlike ping sweeps or ARP scans.

Question 6

Which technique can help identify the operating system of a remote host without direct interaction?

A) Banner grabbing

B) Passive OS fingerprinting

C) Active OS fingerprinting

D) Port knocking

Show Answer & Explanation

Correct Answer: B

Explanation: Passive OS fingerprinting analyzes traffic patterns and characteristics to infer the OS without interacting with the target. Banner grabbing and active fingerprinting require direct interaction, and port knocking is unrelated.

Question 7

Which tool is most appropriate for passive DNS reconnaissance?

A) Wireshark

B) theHarvester

C) Nmap

D) Metasploit

Show Answer & Explanation

Correct Answer: B

Explanation: theHarvester is designed for passive reconnaissance, including DNS enumeration. Wireshark is for packet analysis, Nmap for active scanning, and Metasploit for exploitation.

Question 8

Which OSINT technique is most effective for discovering employee email addresses?

A) Analyzing social media profiles

B) Using DNS enumeration

C) Conducting a port scan

D) Reviewing robots.txt files

Show Answer & Explanation

Correct Answer: A

Explanation: Social media profiles often contain personal information, including email addresses. DNS enumeration and port scanning do not typically reveal email addresses, and robots.txt files are for web crawlers.

Question 9

To determine the technology stack of a web application, which approach is least intrusive?

A) Analyzing HTTP headers

B) Performing directory brute force

C) Executing SQL injection

D) Running a vulnerability scanner

Show Answer & Explanation

Correct Answer: A

Explanation: Analyzing HTTP headers is a passive method that can reveal server and framework information without interacting with the application. Directory brute force, SQL injection, and vulnerability scanning are intrusive.

Question 10

Which technique is most suitable for mapping a network topology without sending packets?

A) Traceroute

B) SNMP Walk

C) NetFlow analysis

D) Packet Sniffing

Show Answer & Explanation

Correct Answer: D

Explanation: Packet sniffing can passively capture traffic to infer network topology. Traceroute and SNMP Walk are active methods, while NetFlow analysis requires access to flow data.

Ready to Accelerate Your GPEN Preparation?

Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.

  • ✅ Unlimited practice questions across all GPEN domains
  • ✅ Full-length exam simulations with real-time scoring
  • ✅ AI-powered performance tracking and weak area identification
  • ✅ Personalized study plans with adaptive learning
  • ✅ Mobile-friendly platform for studying anywhere, anytime
  • ✅ Expert explanations and study resources
Start Free Practice Now

Already have an account? Sign in here

About GPEN Certification

The GPEN certification validates your expertise in reconnaissance, scanning & host discovery and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.