Free CEH Reconnaissance Techniques Practice Test 2026 — 312-50 v13 Questions
This free CEH Reconnaissance Techniques practice test covers footprinting, OSINT, network scanning with Nmap, banner grabbing, OS fingerprinting, and SMB/SNMP/LDAP/DNS enumeration. Each question includes a detailed explanation with realistic pentest context — perfect for CEH 312-50 v13 exam prep.
Key Topics in CEH Reconnaissance Techniques
- Footprinting & OSINT
- Google Dorking
- Nmap Scans
- OS Fingerprinting
- SMB/SNMP Enum
- DNS Zone Transfers
6 Free CEH Reconnaissance Techniques Practice Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius CEH 312-50 v13 question bank for the Reconnaissance Techniques domain (21% of the exam).
Sample Question 1 — Scanning Networks
During a network penetration test, you discover an open port on a target server. To identify the service running on this port, which tool would you use effectively without causing service disruption?
- A. Use Nmap with version detection. (Correct answer)
- B. Use Metasploit's auxiliary modules aggressively.
- C. Perform a brute force attack on the port.
- D. Use Wireshark to capture packets passively.
Correct answer: A
Explanation: Using Nmap with version detection (-sV) is the best choice as it safely identifies services on open ports without causing service disruption. Metasploit can be too aggressive and intrusive for initial identification, a brute force attack is inappropriate and unethical at this stage, and Wireshark is not used for identifying services on ports.
Sample Question 2 — Scanning Networks
Your client has requested a security assessment of their enterprise network. During the scanning phase, you find numerous hosts with outdated operating systems. What should be your primary concern when scanning these hosts?
- A. Ensuring scan types are non-intrusive to avoid crashing services. (Correct answer)
- B. Focusing on port scanning to map out the network topology.
- C. Using aggressive scanning techniques to find all vulnerabilities.
- D. Ignoring these hosts as they are outdated and might not be relevant.
Correct answer: A
Explanation: Using non-intrusive scan types is crucial, especially with outdated systems, to prevent potential downtime. While port scanning and vulnerability detection are important, the priority is to avoid service disruptions. Ignoring these hosts is a misstep as they could be critical to the network.
Sample Question 3 — Scanning Networks
You are tasked with performing a vulnerability assessment on a remote web server. What scanning technique would provide you with a comprehensive view of potential vulnerabilities without alerting the server's intrusion detection systems?
- A. Use a stealth scan via Nmap with the SYN scan option. (Correct answer)
- B. Deploy a full connect scan to ensure all ports and services are tested.
- C. Execute a loud scan using a vulnerability scanner like Nessus.
- D. Employ a non-intrusive scan using Nikto for web vulnerabilities.
Correct answer: A
Explanation: A stealth scan (SYN scan) is less likely to be detected by an IDS than a full connect scan, because it never completes the TCP handshake, making it suitable for a covert assessment. Nessus can be loud and easily detected, whereas Nikto is specific to web vulnerabilities and may not provide comprehensive results for all vulnerabilities.
Sample Question 4 — Scanning Networks
While conducting a network scan, you notice several systems with TCP/IP stack fingerprinting enabled. Which technique would you apply to gather information on these systems without triggering potential alarms?
- A. Utilize passive OS fingerprinting tools. (Correct answer)
- B. Perform an ACK scan using Nmap.
- C. Conduct a remote service enumeration aggressively.
- D. Run a UDP scan on all ports.
Correct answer: A
Explanation: Passive OS fingerprinting is the best approach as it involves observing traffic without sending additional packets, thus avoiding detection. An ACK scan, while stealthy, is not used for OS fingerprinting. Aggressive enumeration and a UDP scan are more intrusive and likely to be detected.
Sample Question 5 — Scanning Networks
During a detailed network scan, you are tasked with identifying any unauthorized devices on the LAN. Which tool or method would efficiently help you accomplish this without causing network disruptions?
- A. Run a network discovery scan using Nmap. (Correct answer)
- B. Deploy a rogue DHCP server to test device responses.
- C. Perform a network sweep on all subnets using a ping flood.
- D. Set up a honeypot to capture unauthorized device traffic.
Correct answer: A
Explanation: A network discovery scan with Nmap is effective for identifying connected devices without causing network disruptions. Rogue DHCP servers and ping floods can disrupt the network, and while honeypots capture unauthorized traffic, they do not directly identify devices.
Sample Question 6 — Scanning Networks
While analyzing a network during a penetration test, you need to enumerate open ports and services on a highly secure internal server. What technique ensures minimal detection while gathering necessary information?
- A. Use a fragmented packet scan to bypass firewalls.
- B. Conduct an ICMP Echo scan for service enumeration.
- C. Perform a slow and random timing scan with Nmap. (Correct answer)
- D. Initiate a complete OS fingerprinting scan using intense mode.
Correct answer: C
Explanation: A slow and random timing scan with Nmap reduces the chance of detection by IDS/IPS systems due to its low profile. Fragmented packet scans can be detected by modern firewalls, and ICMP Echo scans are not used for service enumeration. Intense mode can be too aggressive and likely to trigger alarms.
How to Study CEH Reconnaissance Techniques
Combine these CEH Reconnaissance Techniques practice questions with hands-on labs in a Kali Linux VM and on platforms like TryHackMe, HackTheBox, or the official CEH iLabs. The 312-50 v13 exam emphasizes practical attacker tradecraft, so always test commands and tools in a sandboxed environment — that hands-on muscle memory is what separates passing from failing scores.
About the CEH 312-50 v13 Exam
- Questions: 125 multiple-choice
- Time: 4 hours
- Cut score: 60–85% (variable by form)
- Cost: $1,199 USD
- Domains: 9 (Reconnaissance Techniques is 21% of the exam)
- Validity: 3 years (renewable via ECE)