CompTIA PenTest+ (PT0-003) — Question 61
A penetration tester completed OSINT work and needs to identify common subdomains for mydomain.com. Which of the following is the best command for the tester to use?
Answer options
- A. nslookup mydomain.com >> /path/to/results.txt
- B. crunch 1 2 | xargs -n 1 -I 'X' nslookup X.mydomain.com
- C. dig @8.8.8.8 mydomain.com any >> /path/to/results.txt
- D. cat wordlist.txt | xargs -n 1 -I 'X' host X.mydomain.com
Correct answer: D
Explanation
The correct answer, D, feeds each entry of a wordlist to the host command, so every candidate name is resolved as X.mydomain.com; this checks systematically for common subdomains. Option A queries only the main domain and performs no subdomain discovery. Option B runs nslookup against strings generated by crunch rather than a list of common subdomain names, which is a less efficient approach. Option C requests DNS records for the domain itself and does not enumerate subdomains.