When conducting a penetration test of an organization’s internal network, which of the following
approaches would BEST enable the conductor of the test to remain undetected on the network?
Use the IP address of an existing file server or domain controller.
Pause the scanning every few minutes to allow thresholds to reset.
Conduct the scans during evening hours when no one is logged in.
Use multiple scanning tools since each tool has different characteristics.
Pausing the scanning every few minutes avoids overtaxing the network as well as exceeding
thresholds that may trigger alert messages to the network administrator. Using the IP address of a
server would result in an address contention that would attract attention. Conducting scans after
hours would increase the chance of detection, since there would be less traffic to conceal one’s
activities. Using different tools could increase the likelihood that one of them would be detected by
an intrusion detection system.