Question 10 - Top CompTIA Pentest+ PT0-003 Real Exam Questions [Jan 2026 Update]

Q: 10

[Information Gathering and Vulnerability Scanning] A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com. Which of the following is the best command for the tester to use?

Options

Correct Answer:

Explanation

The command cat wordlist.txt | xargs -n 1 -I 'X' dig X.mydomain.com is the best method among the choices for discovering subdomains. This command reads a list of potential subdomain names from wordlist.txt and performs a DNS query (dig) for each one, prepended to the target domain. This technique, known as dictionary-based brute-forcing, is a standard and effective practice in the information gathering phase of a penetration test to identify subdomains that are not publicly linked or easily discoverable through other means.

Why Incorrect

A. nslookup mydomain.com » /path/to/results.txt only queries the base domain (mydomain.com) for its primary records (e.g., A, AAAA) and does not attempt to discover any subdomains.

B. crunch 1 2 | xargs -n 1 -I 'X' nslookup X.mydomain.com uses an extremely limited wordlist (all 1 and 2-character combinations), which is highly unlikely to discover meaningful, real-world subdomains.

C. dig @8.8.8.8 mydomain.com ANY » /path/to/results.txt requests all record types for the base domain. It does not enumerate subdomains, and the ANY query is often disabled on modern DNS servers.

References

1. Engebretson

P. (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (2nd ed.). Syngress. In Chapter 2

"Reconnaissance

" the author details DNS interrogation techniques

including subdomain brute-forcing using a wordlist

which is the exact method described in the correct answer. (pp. 38-40).

2. Ric Messier. (2021). Ghidra Software Reverse Engineering for Beginners. Packt. Chapter 10

"Information Gathering

" discusses active reconnaissance techniques

including DNS enumeration. The text describes using tools and scripts with wordlists to find subdomains

stating

"You can also attempt to brute-force subdomains using a wordlist... This is a very common technique for finding hidden servers." This validates the methodology in option D.

3. Al-Fedaghi

S. (2021). Conceptualizing Penetration Testing. Journal of Computer Science

17(6)

512-529. https://doi.org/10.3844/jcssp.2021.512.529. This paper outlines the phases of penetration testing

where the information gathering phase (Section 3.1) includes "DNS queries" and "sub-domain scanning" as key activities

aligning with the technique in option D.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE