A penetration tester is performing passive reconnaissance on a target organization and wants to gather information about various subdomains without directly interacting with the organization's name server. Which of the following methods would be the BEST to accomplish this task?
Use a third-party service to obtain DNS records
Deploy an outdated version of a DNS analysis tool in hopes it may bypass notice
Analyze web traffic between the organization and public web services to find DNS-related data
Perform speculative execution of domain names to reveal subdomains
The correct answer is 'Use a third-party service to obtain DNS records'. This method lets the penetration tester gather information about the organization's subdomains without interacting with the target's name servers, which could reveal the tester's intentions. The third party has most likely already collected this data, so the activity is less likely to be traced back to the penetration tester than more direct methods such as querying the organization's name servers. Using an outdated DNS tool might not provide current information. Speculative execution of domain names is not a practical method for DNS enumeration, since not every permutation of a domain name is valid or in use, so it would not necessarily produce accurate results. Analyzing web traffic requires direct interaction and is therefore an active reconnaissance technique.