a. Foot-printing, Enumeration, System Hacking, Covering Tracks, Planting Backdoors
2. In order to exploit or attack the targeted systems, what can you do as an initial first step to collect as much information as possible about the targets prior to devising an attack and penetration test plan?
a. Foot-printing can be done as an initial first step to acquire as much information as possible on the victim’s system.
3. What applications and tools can be used to perform this initial reconnaissance and probing step?
a. To perform the initial reconnaissance and probing step, you can examine a company’s website, identify its key employees, and figure out which technologies and software the company may be using. SpiderFoot is an example of a foot-printing application that can be used.
4. How can social engineering be used to gather information or data about the organization’s IT infrastructure?
a. Social engineering can be used to gather information or data about the organization’s IT infrastructure by vocally pretending to be someone they aren’t, like a system admin, to obtain information about the network. While pretending to be someone else, they may watch you log in to gain access to your credentials.
The NIST publication 800-42 describes penetration and security testing.
10. According to the NIST document, what are the four phases of penetration testing?
a. The four phases of a penetration test are Planning, Discovery, Attack, and Reporting.
11. Why would an organization want to conduct an internal penetration test?
a. An organization would want to conduct an internal penetration test to get a better understanding of their network from an outsider, and to make sure that their internal system is strong and secure.
12. What constitutes a situation in which a penetration tester should not compromise or access a system as part of a controlled penetration test?
a. A penetration tester should not compromise a system that is performing a backup, that is migrating, or that may be under attack.
13. Why would an organization hire an outside consulting firm to perform an intrusive penetration test without the IT department’s knowledge?
a. An organization would hire an outside consulting firm to perform an intrusive penetration test without the IT department’s knowledge to get a better understanding of their network from an outsider’s point of view, and to make sure their IT department is doing their job properly to protect the organizations