What is the name of the special TGT created by an attacker after compromising
the AD KRBTGT account?
A. AD Ticket
B. Kerberos Ticket
C. Golden Ticket
D. Silver Ticket - ANSWER-C. Golden Ticket
What is the name of the file on the domain controller that contains the AD
database, including encrypted data such as usernames and password hashes?
A. adcreds.dit
B. ntds.dit
C. forest.dit
D. sysnt.dit - ANSWER-B. ntds.dit
What is Azure AD's main flow type for authentication?
A. Kerberos
B. LDAP
C. NTLM
D. OpenID Connect - ANSWER-D. OpenID Connect
An Azure access token must be periodically refreshed. Where will the user send
the refresh token?
A. Azure Portal
B. Azure IdP
C. Azure AD
D. MSOL - ANSWER-C. Azure AD
After retrieving a .pfx certificate as part of the ESC1 attack, what tool can be
used to recover the NT hash from other accounts?
A. SharpRoast
B. Certipy
C. Seatbelt
D. SharpUp - ANSWER-B. Certipy
What is the technique that uses the hash form of a password to access the target
system directly, instead of cracking the password?
A. Hash dump
B. Pass-the-hash
C. Crack-the-hash
D. Hash attack - ANSWER-B. Pass-the-hash
Which of the following Sysinternals tools can you use to first transfer a file
from one Windows computer to another, and then run it on the remote
computer?
A. PsExec
B. movefile
C. autoruns
D. logonsessions - ANSWER-A. PsExec
Within the Metasploit Framework, what type of modules are associated with
scanning for vulnerable systems and launching denial-of-service attacks?
A. Payloads
B. Encoders
C. Auxiliary
D. Modules - ANSWER-C. Auxiliary
What is the result of running the following command?
C:\> net localgroup administrators fred /del
A. Fred is deleted from the administrators group.
B. The fred account is deleted from the system.
C. Fred is deleted from the localgroup and administrators group.
D. The administrators group and fred group are deleted. - ANSWER-A. Fred is
deleted from the administrators group.
While using Empire in post-exploitation, a penetration tester wishes to perform
a simulated attempt to send data out from the environment to see if the client
Incident Response or blue teams identify it. In which category of Empire
modules should they look for this functionality?
A. Exploitation
B. Fun
C. Lateral movement
D. Exfiltration - ANSWER-D. Exfiltration
A penetration tester has gained access to a Linux machine and would like to
collect information about machines with which the compromised machine is
currently communicating. Which of the following commands will provide
this information?
A. nmap -sS <targetIP>
B. ss -t state established
C. ipconfig /all
D. hostname - ANSWER-B. ss -t state established
MSBuild accepts code in which format to execute inline tasks for bypassing
application control?
A. CSV
B. XML
C. JSON
D. TXT - ANSWER-B. XML
Which of the following is most commonly the primary access mechanism for
Linux systems?