Q: 10
[Information Gathering and Vulnerability Scanning]
A penetration tester completed OSINT work and needs to identify all subdomains for
mydomain.com. Which of the following is the best command for the tester to use?
Options
Discussion
Option D. B is tempting but crunch won't give realistic subdomains; D's wordlist method is how it's done on exams.
D imo. You want a real subdomain wordlist for best coverage, so piping through xargs to dig each entry is standard in recon. B could work but crunch spits out random chars instead of meaningful names. Not 100 percent sure if exam writers would ever expect C, but D just matches actual pentest workflow more closely. Agree?
Wouldn't B only work if the question forbade bringing your own wordlist? Otherwise D is the classic brute approach.
It's D. Crunch is a trap here; real exams expect a legit wordlist for subdomain brute forcing.
D imo, had something like this in a mock and that's what they wanted.
D, saw this exact question on my exam. It hits every subdomain using the wordlist.
C or D? I swear similar exam questions just want you to pick brute-force with a wordlist (D), but C looks tempting for wildcard queries. Not sure which Pentest+ wants here.
D, that's standard subdomain brute-forcing using a real wordlist with dig. B looks clever but crunch just produces random chars, not actual subdomain guesses you'd want. Pretty sure this is what Pentest+ expects, correct me if you see it differently.
A is wrong; D. nslookup by itself doesn't handle subdomain brute-force, but using dig with a real wordlist (like in D) actually finds those hidden subdomains. B is a gotcha since crunch won't produce useful subdomain names in practice. Seen this approach in other exam drills too, but open to any other takes.
That’s D. Uses a wordlist with dig, which is pretty much the standard subdomain brute force approach. Seems like what they want for Pentest+.