
PT0-003 Question #135: Real Exam Question with Answer & Explanation

Submitted by joshua94 · Mar 6, 2026

CompTIA PenTest+ Domain 2: Information Gathering and Vulnerability Scanning - specifically passive reconnaissance techniques and tool identification for enumerating public-facing assets from a given domain name.

Question

SIMULATION

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s) after viewing the terminal output in each of the three tabs. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Output 1

Answer:

Terminal 1 - Identifying the Tool Used and Selecting the Appropriate Command

The terminal 1 output shows:

  • Email addresses and subdomains associated with the public domain.
  • The tool is searching Google and other sources.

The tool used in Terminal 1 was theHarvester, which is an OSINT tool for gathering emails, subdomains, hosts, and IPs related to a given domain. To produce the output seen in the image, the correct command is:

theHarvester -d someclouddomain.org -b google

  • -d someclouddomain.org specifies the domain to enumerate.
  • -b google tells theHarvester to use Google as the search engine for gathering OSINT information.

The output includes email addresses and subdomains, which matches theHarvester's standard output.

Terminal 2 - Selecting the Commands for nslookup and dig

The terminal 2 output contains:

  • Results of nslookup and dig queries.
  • The responses contain IP addresses for the target domain.

The commands are:

  • dig @8.8.8.8 +noall +answer queries Google's public DNS (8.8.8.8) and returns only the relevant A records.
  • nslookup someclouddomain.org 8.8.8.8 explicitly tells nslookup to resolve the domain using Google's public DNS.

Terminal 3 - Domain Information Selection

From terminal 3, the whois output provides:

  • IP range assigned to Amazon AWS.
  • The domain is registered through LocalComputerPro's, Inc.
  • The domain was created on September 22, 1993 (1993-09-22T04:00:38Z).

Options

  • task: A penetration tester must enumerate additional information for public-facing assets given only the public domain name, by correctly identifying the enumeration tool and its command based on provided terminal output.
  • prerequisites

Explanation

theHarvester is the correct tool because it is specifically designed for passive OSINT reconnaissance, gathering emails, subdomains, hosts, and IP addresses from public sources like Google, Bing, and Shodan using a simple syntax of '-d' for domain and '-b' for the data source backend. The command 'theHarvester -d someclouddomain.org -b google' is correct because '-d' specifies the target domain and '-b google' instructs the tool to query Google as the search engine source, which matches the terminal output showing email addresses and subdomains discovered via Google searches. Other tools like nmap, dig, or whois would not produce this combined email/subdomain harvesting output from search engine queries, and incorrect flag combinations (e.g., missing '-b' or using '-s' instead of '-d') would result in syntax errors or different behavior.

Topics

#OSINT Reconnaissance  #theHarvester  #Passive Enumeration  #Penetration Testing Tools
