SIMULATION-A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.INSTRUCTIONS-Select the appropriate answer(s), given the output from each section.If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_111_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_112_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_113_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_114_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_115_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Pentest+_PT0-003/page_116_img_1.jpg

Really like how direct this setup is!theharvester, dig/nslookup 8.8.8.8, amazon, LocalComputerPro's, 1993-09-22T04:00:38Z

Question 11 - Top CompTIA Pentest+ PT0-003 Real Exam Questions [Jan 2026 Update]

Q: 11

SIMULATION

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s), given the output from each section.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Your Answer

Correct Answer:

PART 1: THEHARVESTER ANALYSIS (IMAGE_8AC2B5.PNG)

CORRECT ANSWER (TOOL): THEHARVESTER
CORRECT ANSWER (COMMAND): THEHARVESTER -D SOMECLOUDDOMAIN.ORG -L 200 -B GOOGLE.COM

PART 2: DNS COMMAND ANALYSIS (IMAGE_8AC2AD.PNG)

CORRECT ANSWER:
$ DIG @8.8.8.8 +NOALL +ANSWER SOMECLOUDDOMAIN.ORG
> NSLOOKUP SOMECLOUDDOMAIN.ORG 8.8.8.8

PART 3: WHOIS DATA ANALYSIS (IMAGE_8AC28E.PNG)

WHERE IS THE DOMAIN BEING HOSTED?
CORRECT ANSWER: AMAZON
WHO REGISTERED THE DOMAIN?
CORRECT ANSWER: LOCALCOMPUTERPRO'S, INC.
WHEN WAS THE DOMAIN REGISTERED?
CORRECT ANSWER: 1993-09-22T04:00:38Z

Explanation

The output shown in the Output 3 tab is characteristic of TheHarvester, a tool used for open-source intelligence (OSINT) gathering. It enumerates emails, subdomains, hosts, and other information from public sources like search engines. The command theharvester -d someclouddomain.org -l 200 -b google.com correctly specifies the target domain (-d someclouddomain.org), limits the search to 200 results (-l 200), and uses Google as the data source (-b google.com), all of which align with the details presented in the output.

The scenario states that the local DNS server (192.168.20.66) lacks internet access, forcing the use of the public DNS server at 8.8.8.8.

The nslookup someclouddomain.org 8.8.8.8 command explicitly queries the correct public server, matching the nslookup output.
The dig @8.8.8.8 ... command is the only dig option that correctly directs the query to the functional public DNS server. The other dig options would fail as they either query the offline local server or the default server (which is the offline local server).

These answers are found by analyzing the whois information in the Output 1 tab.

Hosting: The whois query for the IP address 245.62.183.203 (an IP for the domain from Output 2) shows the owning organization is "Amazon.com, Inc.", indicating it's hosted on their infrastructure (e.g., AWS).
Registrar: The whois query for the domain someclouddomain.org explicitly lists the "Registrar: LocalComputerPro's, Inc."
Registration Date: The same domain whois report shows the "Creation Date: 1993-09-22T04:00:38Z".

References

Gondaliya, A., & P. S., J. (2022). Information Gathering for Penetration Testing Using Open Source Intelligence. In Advances in Intelligent Systems and Computing (pp. 57-67). Springer, Singapore. This paper discusses various OSINT tools, including TheHarvester, and their command structures for enumerating subdomains and email addresses (p. 61).

Mockapetris, P. (1987). RFC 1035: Domain Names - Implementation and Specification. Internet Engineering Task Force (IETF). This document is the foundational standard for the Domain Name System (DNS), outlining the query types and record structures that tools like dig and nslookup use to retrieve information. Section 4.1 describes query message formats. https://doi.org/10.17487/RFC1035

Daigle, L. (2004). RFC 3912: WHOIS Protocol Specification. Internet Engineering Task Force (IETF). This document specifies the WHOIS protocol used to query databases for information about domain names and IP address spaces, such as registrar, creation date, and contact information. Section 4 details the simple query/response nature of the protocol. https://doi.org/10.17487/RFC3912

Albitz, P., & Liu, C. (2006). DNS and BIND (5th ed.). O'Reilly Media. Chapter 12 provides a comprehensive guide to DNS diagnostics tools, including detailed usage and command-line options for nslookup and dig, such as specifying a target name server for a query (pp. 268-271).

PART 1: THEHARVESTER ANALYSIS (IMAGE_8AC2B5.PNG)

PART 2: DNS COMMAND ANALYSIS (IMAGE_8AC2AD.PNG)

PART 3: WHOIS DATA ANALYSIS (IMAGE_8AC28E.PNG)

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE