An ethical hacker wants to discover subdomains of a target domain using only public information. Which of the following techniques is MOST effective?
Search engines index subdomains.
Why this answer
The `site:` operator in search engines (e.g., Google) allows an ethical hacker to enumerate publicly indexed subdomains of a target domain by querying `site:*.targetdomain.com`. This technique leverages the search engine's crawl data to discover subdomains that are publicly accessible but may not be linked from the main site, making it the most effective method for passive, public-information-only reconnaissance.
Exam trap
EC-Council often tests the misconception that WHOIS records contain subdomain information, but WHOIS only holds domain registration data, not DNS resource records like A or CNAME entries for subdomains.
How to eliminate wrong answers
Option A is wrong because traceroute (using ICMP or UDP probes) reveals the network path and intermediate routers, not subdomains; it operates at Layer 3 and does not query DNS records or web indexes.
Option B is wrong because WHOIS records contain registration details (registrant, name servers, dates) but do not list subdomains; they are used for domain ownership and administrative information, not DNS enumeration.
Option D is wrong because reverse DNS lookup (PTR records) maps IP addresses to hostnames, but it requires knowing the target IP range and only reveals hostnames that have PTR records configured, which is not a reliable method for discovering all subdomains from public information alone.