CompTIA PenTest+ PT0-003: Reconnaissance and Enumeration

Try 10 focused CompTIA PenTest+ PT0-003 questions on Reconnaissance and Enumeration, with explanations, then continue with IT Mastery.

Topic snapshot

Field            | Detail
Exam route       | CompTIA PenTest+ PT0-003
Topic area       | Reconnaissance and Enumeration
Blueprint weight | 21%
Page purpose     | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Reconnaissance and Enumeration for CompTIA PenTest+ PT0-003. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass          | What to do                                                  | What to record
First attempt | Answer without checking the explanation first.              | The fact, rule, calculation, or judgment point that controlled your answer.
Review        | Read the explanation even when you were correct.            | Why the best answer is stronger than the closest distractor.
Repair        | Repeat only missed or uncertain items after a short break.  | The pattern behind misses, not the answer letter.
Transfer      | Return to mixed practice once the topic feels stable.       | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 21% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.

Question 1

Topic: Reconnaissance and Enumeration

A penetration tester is planning reconnaissance for an authorized external assessment. Based on the rules-of-engagement excerpt, which reconnaissance approach should the tester select next?

Exhibit: Rules-of-engagement excerpt

Scope: 203.0.113.0/28 and app.example.com
Allowed: ICMP probes, TCP/UDP service discovery, banner collection
Allowed window: 22:00-04:00 UTC
Not allowed: exploit attempts, credential attacks, denial-of-service testing
Goal: identify live hosts and exposed services

Options:

  • A. Limit reconnaissance to passive OSINT sources only

  • B. Run credential attacks against exposed login portals

  • C. Attempt exploitation of discovered network services

  • D. Perform active service discovery against the scoped targets

Best answer: D

Explanation: Active reconnaissance is appropriate when the rules of engagement authorize direct interaction with scoped targets. The exhibit permits ICMP probes, TCP/UDP service discovery, and banner collection during a defined window, and the stated goal is to identify live hosts and exposed services. That combination supports active service discovery rather than passive-only research. The tester must still remain within the target range, timing window, and allowed techniques. Exploitation, denial-of-service activity, and credential attacks are outside the provided authorization.

  • Passive-only research is unnecessarily restrictive because the ROE permits direct probing of scoped systems.
  • Service exploitation exceeds the authorization because exploit attempts are specifically prohibited.
  • Credential attacks are not allowed under the ROE, even if login portals are discovered.

Question 2

Topic: Reconnaissance and Enumeration

A penetration tester is reviewing a helper script for an authorized external enumeration task. The rules of engagement allow passive OSINT and noninvasive requests to approved company-owned hosts only. The report must include reproducible evidence of exposed services, but credential attacks, exploit attempts, and third-party targets are out of scope.

Which script behavior best supports the requirement?

Options:

  • A. Record status codes, headers, titles, and timestamps for approved hosts

  • B. Test common default passwords on discovered login pages

  • C. Submit traversal strings to verify exposed file access

  • D. Follow all external links to map partner-hosted assets

Best answer: A

Explanation: Safe reconnaissance scripts should support evidence collection while staying within authorization. In this scenario, the script may make noninvasive requests only to approved company-owned hosts, so collecting response metadata such as status codes, headers, page titles, and timestamps is appropriate. That information helps document exposed services and makes findings reproducible without attempting authentication, exploitation, or expanding the target set. The deciding factor is not whether the behavior might find more issues; it is whether the behavior satisfies the evidence requirement while honoring the rules of engagement.

  • Default passwords would become an authentication attack, which the rules explicitly exclude.
  • External links may identify interesting assets, but testing partner-hosted systems expands beyond approved company-owned hosts.
  • Traversal strings are active vulnerability validation attempts, not noninvasive enumeration evidence collection.

Question 3

Topic: Reconnaissance and Enumeration

During passive OSINT for an external assessment, a tester finds a public Git repository named northwind-mobile that uses the client’s logo, contains commits from @northwind.example email addresses, and references a SaaS tenant northwind-dev.example-saas.com. The rules of engagement list only www.northwind.example and two cloud account IDs as authorized targets. Unknown assets require written approval before active testing. What is the best next approach?

Options:

  • A. Document the indicators and request scope clarification

  • B. Actively enumerate the SaaS tenant for exposed users

  • C. Scan the repository history for secrets immediately

  • D. Add the SaaS tenant to the vulnerability scan

Best answer: A

Explanation: Shadow IT leads discovered during OSINT should be treated as potential assets, not automatically authorized targets. In this scenario, branding, employee email commits, and SaaS references create a reasonable ownership correlation, but the rules of engagement explicitly limit authorized targets and require written approval for unknown assets. The tester should preserve evidence, document why the asset may belong to the client, and ask the engagement contact to confirm ownership and scope before performing active enumeration, scanning, or content review. The key distinction is correlation versus authorization: OSINT can identify leads, but it does not expand testing scope by itself.

  • Tenant enumeration creates active interaction with an unapproved SaaS target and violates the written approval requirement.
  • Repository history review may expose sensitive data from an asset not yet confirmed as in scope.
  • Automatic scan expansion treats ownership indicators as authorization, which the rules of engagement do not allow.

Question 4

Topic: Reconnaissance and Enumeration

A penetration tester is preparing for an external assessment of a company that is finalizing legal approval. The signed pre-engagement documents allow planning and public-source research, but they do not yet authorize traffic to company-owned IP ranges or login attempts against hosted services. The client wants early insight into exposed assets with minimal operational risk. Which approach should the tester use first?

Options:

  • A. Attempt password spraying against public login portals

  • B. Launch an unauthenticated vulnerability scan

  • C. Perform passive OSINT from public sources

  • D. Run a full TCP port scan against discovered ranges

Best answer: C

Explanation: Passive reconnaissance is the best first step when authorization is limited or operational risk must remain low. In this scenario, the tester is allowed to perform planning and public-source research, but is not yet authorized to send traffic to client IP ranges or test hosted services. Public records, search engine results, certificate transparency logs, job postings, code repositories, and other OSINT sources can identify likely domains, technologies, subsidiaries, and exposed assets without touching the client’s infrastructure. Once explicit authorization is granted, active enumeration and validation can follow within the rules of engagement. The key distinction is whether the activity interacts with target systems; here, non-intrusive collection is required first.

  • Port scanning directly contacts target IP addresses, which exceeds the current authorization.
  • Password spraying creates authentication and account-lockout risk and is not permitted by the stated scope.
  • Unauthenticated scanning still sends assessment traffic to target services and should wait for explicit approval.

Question 5

Topic: Reconnaissance and Enumeration

A penetration tester is reviewing discovery results for an in-scope building-management subnet. The rules of engagement allow non-disruptive enumeration but require client approval before testing safety or environmental controls.

Exhibit: Scan summary

Host        | Discovery clues
10.20.40.18 | TCP 80 Boa/0.94, TCP 502 modbus, MAC OUI: Schneider Electric, title: HVAC Controller
10.20.40.25 | TCP 1883 mqtt, TCP 443 web admin, hostname: iot-gw-01

Which interpretation of these clues should most affect the next testing action?

Options:

  • A. Treat both systems as ordinary Linux servers because they use TCP services

  • B. Attempt Modbus write operations to validate control impact

  • C. Run a standard authenticated web application scan against both hosts

  • D. Use protocol-aware, read-only checks and seek approval before deeper testing

Best answer: D

Explanation: IoT and embedded-device discovery clues change both risk and testing approach. The Boa web server, Modbus on TCP 502, Schneider Electric OUI, and HVAC Controller title strongly suggest an embedded building-control device. Such devices may have fragile services, safety or environmental impact, and protocols that support state-changing operations. The safer next step is to use protocol-aware, read-only validation and coordinate any deeper testing with the client under the rules of engagement. The MQTT gateway is also an IoT clue, but the HVAC controller creates the clearest operational caution because Modbus and control-system context can affect physical operations.

  • Standard web scanning may be too aggressive for embedded services and ignores the ROE approval requirement for environmental controls.
  • Modbus writes are potentially state-changing and inappropriate without explicit authorization.
  • The ordinary-server assumption misses multiple IoT/embedded clues, including the vendor OUI, service banner, protocol, and page title.

Question 6

Topic: Reconnaissance and Enumeration

A penetration tester found an unreviewed OSINT enumeration script in a public repository. The script claims to discover subdomains and probe discovered hosts. The rules of engagement allow passive recon against the client’s domains, but active testing is limited to a short maintenance window and only against listed IP ranges. Some discovered hosts may belong to third-party SaaS providers. What is the BEST professional decision?

Options:

  • A. Review the script, test it in a lab, and get approval before use

  • B. Run the script now because it performs reconnaissance only

  • C. Modify the user agent and run it slowly to reduce visibility

  • D. Run it only during the maintenance window against all discovered hosts

Best answer: A

Explanation: Unreviewed reconnaissance scripts can contain unsafe behavior, such as active probing, credential collection, unexpected API calls, or broad target expansion. In this scenario, the authorization allows passive recon broadly but restricts active testing to listed IP ranges and a maintenance window. Because the script probes discovered hosts and may reach third-party SaaS systems, using it without review could exceed scope and create business or legal risk. A professional tester should inspect what the script does, test it in a controlled environment, constrain target handling, and obtain explicit approval before using it on production or third-party-adjacent assets. The key takeaway is that tool convenience does not override scope, authorization, or target ownership uncertainty.

  • Recon-only assumption fails because the script includes host probing, which may be active testing rather than passive OSINT.
  • Maintenance-window-only use fails because timing does not authorize testing every discovered host, especially third-party targets.
  • Reduced visibility fails because slowing or disguising traffic does not address authorization, review, or scope control.

Question 7

Topic: Reconnaissance and Enumeration

A penetration tester has four reconnaissance leads and only two hours left in the approved recon window. The rules of engagement allow active enumeration only for assets on the target list and prohibit authentication attempts or exploit validation during recon. The sponsor identified the customer portal and partner API as the most business-critical systems.

Lead                   | Recon evidence                 | Scope note
portal.example.com     | Internet-facing customer login | Target list; safe unauthenticated web enumeration allowed
old-crm.acquiredco.com | Exposed RDP service            | Acquisition asset; approval pending
cdn.example.com        | Public static content          | Target list; passive review only
vpn.example.com        | Internet-facing VPN login      | Target list; banner review only

Which approach best prioritizes the next reconnaissance activity?

Options:

  • A. Prioritize vpn.example.com by attempting common employee passwords.

  • B. Prioritize cdn.example.com because passive review has the lowest testing risk.

  • C. Prioritize portal.example.com for safe unauthenticated web enumeration.

  • D. Prioritize old-crm.acquiredco.com because exposed RDP is highest risk.

Best answer: C

Explanation: Reconnaissance leads should be prioritized by combining exposure, business relevance, and permitted testing depth. portal.example.com is internet-facing, tied to a business-critical customer function, and explicitly allows safe unauthenticated web enumeration. That makes it the best use of the remaining recon window because the tester can gather meaningful evidence without exceeding authorization. A technically risky lead is not automatically the top priority if ownership or approval is missing. Likewise, low-risk passive review may be appropriate, but it provides less value when a critical in-scope asset allows deeper validation. The key is to maximize useful, authorized evidence rather than chase the most alarming-looking lead.

  • Unapproved acquisition asset fails because pending approval means active testing would exceed the current rules of engagement.
  • Passive CDN review is authorized but lower value than an allowed active check against a critical customer-facing system.
  • VPN password attempts violate the stated prohibition on authentication attempts during reconnaissance.

Question 8

Topic: Reconnaissance and Enumeration

A penetration tester is planning reconnaissance for a cloud-hosted web application engagement. The authorization letter permits external reconnaissance only during the first week and lists app.example.com, public DNS records, and public cloud-hosted endpoints as in scope. An internal asset inventory provided by the client also lists private API hosts that are reachable only over VPN, but VPN access has not been authorized yet. What is the BEST reconnaissance path?

Options:

  • A. Probe RFC 1918 addresses discovered in documentation

  • B. Enumerate public DNS and internet-facing cloud endpoints

  • C. Ask the client to remove internal-only assets from inventory

  • D. Connect to the VPN and scan the private API hosts

Best answer: B

Explanation: External reconnaissance should focus on assets that are reachable from the internet and explicitly authorized, such as public DNS records, public web endpoints, exposed APIs, and cloud services with public interfaces. Internal-only systems, including private RFC 1918 hosts or VPN-restricted APIs, may be relevant later, but they require separate authorization and access rules. In this scenario, the tester has enough approved external targets to begin without touching the internal inventory. The key decision is to separate evidence about possible assets from permission to test them. Inventory entries can guide questions for later scoping, but they do not automatically expand the allowed reconnaissance path.

  • VPN scanning exceeds the first-week authorization because VPN access and internal testing have not been approved.
  • Private address probing confuses documentation evidence with internet exposure and would target internal-only space.
  • Changing inventory is unnecessary because internal assets can remain documented for later scope clarification.

Question 9

Topic: Reconnaissance and Enumeration

A penetration test is entering reconnaissance for a client-owned external IP range. The rules of engagement authorize direct probing during a defined testing window but prohibit exploitation and credential attacks. The client wants evidence of which hosts are alive and what network services respond before vulnerability testing begins. Which approach best fits these requirements?

Options:

  • A. Run exploit modules against discovered services

  • B. Perform active host discovery and service enumeration

  • C. Limit collection to passive OSINT sources

  • D. Request internal asset inventory only

Best answer: B

Explanation: Active reconnaissance is appropriate when the rules of engagement explicitly allow direct interaction with in-scope targets and the goal is to observe live behavior. In this scenario, the tester is authorized to probe the client-owned IP range during a testing window, and the requested evidence is live hosts and responding services. Active host discovery, port scanning, and safe service enumeration fit that need while staying short of exploitation or credential attacks. Passive OSINT may be useful earlier, but it cannot reliably confirm current service behavior on the target network.

  • Passive-only collection misses the requirement to confirm live hosts and responsive services through direct observation.
  • Exploit modules exceed the stated prohibition on exploitation and introduce unauthorized risk.
  • An asset inventory alone may help planning, but it does not independently validate live network exposure.

Question 10

Topic: Reconnaissance and Enumeration

During an authorized external recon phase, a tester is asked to identify only in-scope internet-facing assets for a same-day scan window. The rules of engagement list example.com and any customer-owned cloud assets, but require written confirmation before testing newly discovered hosts. OSINT findings include an active DNS A record for portal.example.com, a 3-year-old code comment mentioning dev-old.example.net, and a Shodan result for an IP address with no current DNS or ownership evidence. What is the BEST professional decision?

Options:

  • A. Prioritize the Shodan IP because it may reveal shadow IT

  • B. Exclude portal.example.com until the old code comment is validated

  • C. Scan only portal.example.com and flag the other leads for confirmation

  • D. Scan all three leads because each appeared in public sources

Best answer: C

Explanation: High-confidence OSINT evidence is current, directly tied to the authorized target, and independently useful for scope decisions. An active DNS record under the authorized domain is strong evidence for target selection, but the rules still limit newly discovered hosts to confirmed scope where required. A 3-year-old code comment is stale and may refer to retired or renamed infrastructure. A Shodan result without current DNS, registration, or stakeholder ownership evidence is an indirect lead, not enough to justify testing. The professional approach is to proceed only with evidence that clearly fits scope and document uncertain leads for confirmation.

  • Public-source overreach fails because appearing in OSINT does not prove authorization or current ownership.
  • Stale-lead dependency fails because an old code comment should not block a current, directly related DNS finding.
  • Shadow IT assumption fails because potential shadow IT must be correlated and confirmed before active testing.

Continue with full practice

Use the CompTIA PenTest+ PT0-003 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Free review resource

Read the CompTIA PenTest+ PT0-003 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.

Revised on Thursday, May 28, 2026