A penetration tester performs a vulnerability scan on a company's network and identifies a critical vulnerability related to an outdated version of a database server. What should the tester prioritize as the next step?
A. Attempt to exploit the vulnerability using publicly available tools or exploits
B. Conduct a brute-force attack on the database login page
C. Ignore the vulnerability and move on to testing other systems
D. Perform a denial-of-service (DoS) attack on the database server
CEH v13 details the standard penetration testing workflow, where confirmed critical vulnerabilities—especially those affecting core systems like database servers—should be prioritized for exploitation only after verification and when explicitly permitted by the rules of engagement. Exploiting a known vulnerability using vetted tools (e.g., Metasploit, CVE-specific exploits) provides evidence of real-world risk and validates the severity rating. Brute-forcing logins (Option B) is inefficient and often outside scope. Ignoring a critical vulnerability (Option C) violates CEH’s prioritization guidelines. A DoS attack (Option D) is never appropriate unless the engagement explicitly authorizes destructive testing, which is rare. CEH stresses that high-impact vulnerabilities should be exploited to demonstrate business risk, privilege escalation potential, data exposure, or lateral movement possibilities—making Option A fully aligned with CEH methodology.