A company hires a consulting firm to crawl its Active Directory network with a non-domain account looking for unpatched systems. Actively taking control of systems is out of scope, as is the creation of new administrator accounts. For which of the following is the company hiring the consulting firm?

A. Vulnerability scanning
B. Penetration testing
C. Application fuzzing
D. User permission auditing

I think A is the correct answer. They’re just looking for unpatched systems and they also said “Actively taking control of systems is out of scope”. Looks like it’s more of a passive scan than an active lets-actually-hack-this-motherfucker scan that would be used in penetration testing.
6
0
I agree, definitely A. A penetration test is specifically called an “Active” scan.
3
0
I believe pinging and banner grabbing are considered active vulnerability scans. It crosses into pen testing when you take that information and change something on the system, or at least put yourself in a position to change something.
2
0
A seems correct. B certainly is not.
2
0
Yeah, you’d need to be missing a chromosome or two to pick B.
3
1
My instructor gave us this question and answered it B. 2 tasks are listed “out of scope.” I would assume that leaves other tasks in scope (create a user account!?). Would you even have a scope for vulnerability scanning?
I answered A and didn’t like his answer. Now I have to wonder.
0
0