GIAC Penetration Tester (GPEN) — Question 72
You are conducting a penetration test for a private company located in the UK. The scope extends to all internal and external hosts controlled by the company.
You have gathered necessary hold-harmless and non-disclosure agreements. Which action by your group can incur criminal liability under the Computer Misuse Act of 1990?
Answer options
- A. Sending crafted packets to internal hosts in an attempt to fingerprint the operating systems
- B. Recovering the SAM database of the domain server and attempting to crack passwords
- C. Installing a password sniffing program on an employee's personal computer without consent
- D. Scanning open ports on internal user workstations and exploiting vulnerable applications
Correct answer: B
Explanation
The correct answer is B because accessing and attempting to crack passwords from the SAM database involves unauthorized access to sensitive information, which is a clear violation of the Computer Misuse Act. Options A, C, and D involve activities that, while potentially unethical, do not necessarily constitute criminal liability under the Act as they may fall within the scope of authorized testing with the right consent.