A company's IT department has announced that its internal payroll and inventory applications are being re-architected as independent microservices. During external OSINT reconnaissance, which technique would most likely uncover previously unknown endpoints that host those microservices so you can plan deeper enumeration?
Social-engineer access to internal container logs
Perform password-spray attacks against the corporate VPN
Enumerate DNS records and certificate-transparency logs for subdomains
Search leaked credential dumps for reused passwords
Querying public DNS records and certificate-transparency logs often reveals overlooked or newly created subdomains that point directly to individual microservice endpoints running behind the main domain, giving testers fresh targets for enumeration. Leaked-credential searches might help with password attacks but rarely expose hostnames. Brute-forcing logins or attempting to read restricted logs focuses on authentication or privileged access rather than discovering where the microservices reside.