A tester has been contracted to perform a penetration test for a corporate client. The scope of the test is limited to end-user workstations and client programs only.
Which of the following actions is allowed in this test?
Since the scope of the penetration test is limited to end-user workstations and client programs, every action must stay within those elements. Sending a malicious PDF to a user and exploiting a vulnerable Reader version falls within this scope, because it directly targets a client program running on an end-user workstation. The other options, redirecting the internal gateway, performing a denial-of-service attack against the gateway, or attempting to crack the Domain Administrator's password hash, target network infrastructure or domain credentials, which lie outside the defined scope. Note that phishing-style delivery of a malicious attachment should still be covered explicitly in the rules of engagement, since it involves the target's users directly.
The correct answer is D. D is the only option confined to end-user workstations and client programs. B, for example, falls outside the scope because it targets the gateway.