GIAC PENETRATION TESTER (GPEN) –QUESTIONS AND CORRECT ANSWERS (VERIFIED
ANSWERS) PLUS RATIONALES 2026 Q&A | INSTANT DOWNLOAD PDF.
Core Domains:
Comprehensive Pen Test Planning, Scoping, and Reconnaissance
Scanning, Vulnerability Estimation, and Enumeration
Attacking Password Exploitation and General Password Hashing
Exploitation Fundamentals, Post-Exploitation, and Pivoting
Bypassing Defenses and Advanced Evasion Techniques
Domain Escalation and Active Directory Attacks
Web Application Reconnaissance and Exploitation
Penetration Testing Legalities, Compliance, and Reporting
Introduction
The GIAC Penetration Tester (GPEN) comprehensive assessment serves as a professional-
grade baseline measurement for information security practitioners validating their tactical, real-
world target exploitation capabilities. This examination strictly evaluates an engineer’s
underlying technical competence across modern methodology, applied exploitation strategies,
and regulatory-ethical frameworks. Featuring structured multiple-choice and complex,
scenario-based evaluations, the test bank challenges candidates to demonstrate analytical
decision-making under operational constraints. By focusing heavily on defensive
circumvention, post-exploitation environment pivoting, and Active Directory architecture
compromise, the exam ensures certified professionals possess the critical thinking skills
, required to safely probe, compromise, and systematically document systemic enterprise
vulnerabilities.
Section One: Questions 1–100
Question 1
During a passive reconnaissance phase targeting a multinational enterprise, a penetration tester extracts
metadata from publicly available PDF documents on the organization's website. The tester discovers
internal naming conventions, email structures, and specific software versions like "Acrobat Distiller 11".
Which of the following represents the primary operational risk to the target organization based on this
discovery?
A. The disclosure of document authors allows immediate brute-force access to perimeter VPN gateways
without further enumeration.
B. The metadata explicitly exposes internal IP addresses belonging to the corporate core routing layer.
C. Attackers can leverage the specific software versions and user naming schemas to craft highly
targeted spear-phishing and client-side exploitation campaigns.
D. Public metadata allows external entities to map the exact physical layout of the corporate data center.
🟢 Correct answer: C
🔴 RATIONALE: Metadata extraction provides secondary identifiers such as usernames, software
versions, and operating system paths. This data does not map physical data centers or guarantee
perimeter authentication bypass directly, but it significantly weaponizes social engineering and targeted
client-side exploits by revealing valid user formats and vulnerable software baselines.
Question 2
A penetration tester executing an Nmap scan wants to minimize detection by an enterprise Intrusion
Detection System (IDS). The tester opts for a TCP SYN scan but sets the timing template to -T1
(Sneaky) and configures a source port of 53. Why would a source port modification assist in bypassing
older firewall or IDS configurations?
,A. Port 53 natively encrypts the TCP handshake flags via DNSSEC protocols, shielding the traffic from
inspection.
B. Legacy packet filters and stateful inspection engines often implement permissive rules allowing any
incoming traffic originating from common infrastructure services like DNS to pass unhindered.
C. Setting the source port to 53 forces Nmap to communicate using UDP instead of TCP, rendering TCP
flags invisible to the security appliance.
D. The -T1 flag automatically fragments all packets into 8-byte segments, matching standard DNS packet
lengths.
🟢 Correct answer: B
🔴 RATIONALE: Historically, network administrators constructed permissive inbound firewall policies for
traffic originating from source port 53 (DNS) or 80/443 (HTTP/HTTPS) to avoid disrupting critical
resolution or web updates. Modifying the source port exploits these static, poorly designed rulesets,
whereas DNSSEC does not encrypt standard TCP flag handshakes.
Question 3
While performing an internal security assessment, a tester intercepts NetBIOS Name Service (NBNS)
and Link-Local Multicast Name Resolution (LLMNR) broadcast requests using Responder. The tester
successfully captures cryptographic hashes from local workstations attempting to resolve non-existent
network shares. What specific hash format is captured through this link-local name resolution spoofing
technique?
A. Kerberos v5 TGS-REP ticket hashes
B. NetNTLMv2 hashes
C. Plaintext NT hashes
D. SHA-256 database authentication hashes
🟢 Correct answer: B
🔴 RATIONALE: Responder acts as a malicious authority responding to LLMNR, NBT-NS, and MDNS
broadcast resolution failures. When a target Windows client attempts to authenticate against the spoofed
, resource over SMB, it transmits a NetNTLMv1 or NetNTLMv2 challenge-response hash, which can then
be captured for offline cracking or relaying.
Question 4
A penetration tester is evaluating a web application and encounters an input field vulnerable to SQL
Injection. The backend database is confirmed to be Microsoft SQL Server. The tester executes the
command EXEC xp_cmdshell 'whoami'; but receives an error stating the procedure is blocked. Which
administrative command sequence must the tester inject to enable this extended stored procedure?
A. ALTER ROLE db_owner ADD MEMBER xp_cmdshell;
B. SET TRANSACTION ISOLATION LEVEL LEVEL_READ_COMMITTED;
C. EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',
1; RECONFIGURE;
D. UPDATE sys.configurations SET value = 1 WHERE name = 'xp_cmdshell';
🟢 Correct answer: C
🔴 RATIONALE: In modern MS SQL Server installations, xp_cmdshell is disabled by default for security
hardening. To toggle it execution-ready via SQL injection (assuming the current database user context
possesses sufficient administrative privileges, such as sysadmin ), the advanced configuration options
must be enabled and reconfigured first.
Question 5
During an external network penetration test, you discover an exposed Apache Tomcat administrative
interface. You successfully gain access using default credentials (tomcat:tomcat). What is the most direct
methodology to achieve remote code execution on the underlying operating system through this
interface?
A. Execute an arbitrary file read vulnerability via the HTTP TRACE method.
B. Upload a malicious Java Archive (JAR) file into the server's shared library folder.
C. Deploy a custom web application compressed as a Web Application Archive (WAR) file containing a
Java Server Pages (JSP) reverse shell.
D. Issue a serialized PHP payload directly to the Tomcat server's default context path.
ANSWERS) PLUS RATIONALES 2026 Q&A | INSTANT DOWNLOAD PDF.
Core Domains:
Comprehensive Pen Test Planning, Scoping, and Reconnaissance
Scanning, Vulnerability Estimation, and Enumeration
Attacking Password Exploitation and General Password Hashing
Exploitation Fundamentals, Post-Exploitation, and Pivoting
Bypassing Defenses and Advanced Evasion Techniques
Domain Escalation and Active Directory Attacks
Web Application Reconnaissance and Exploitation
Penetration Testing Legalities, Compliance, and Reporting
Introduction
The GIAC Penetration Tester (GPEN) comprehensive assessment serves as a professional-
grade baseline measurement for information security practitioners validating their tactical, real-
world target exploitation capabilities. This examination strictly evaluates an engineer’s
underlying technical competence across modern methodology, applied exploitation strategies,
and regulatory-ethical frameworks. Featuring structured multiple-choice and complex,
scenario-based evaluations, the test bank challenges candidates to demonstrate analytical
decision-making under operational constraints. By focusing heavily on defensive
circumvention, post-exploitation environment pivoting, and Active Directory architecture
compromise, the exam ensures certified professionals possess the critical thinking skills
, required to safely probe, compromise, and systematically document systemic enterprise
vulnerabilities.
Section One: Questions 1–100
Question 1
During a passive reconnaissance phase targeting a multinational enterprise, a penetration tester extracts
metadata from publicly available PDF documents on the organization's website. The tester discovers
internal naming conventions, email structures, and specific software versions like "Acrobat Distiller 11".
Which of the following represents the primary operational risk to the target organization based on this
discovery?
A. The disclosure of document authors allows immediate brute-force access to perimeter VPN gateways
without further enumeration.
B. The metadata explicitly exposes internal IP addresses belonging to the corporate core routing layer.
C. Attackers can leverage the specific software versions and user naming schemas to craft highly
targeted spear-phishing and client-side exploitation campaigns.
D. Public metadata allows external entities to map the exact physical layout of the corporate data center.
🟢 Correct answer: C
🔴 RATIONALE: Metadata extraction provides secondary identifiers such as usernames, software
versions, and operating system paths. This data does not map physical data centers or guarantee
perimeter authentication bypass directly, but it significantly weaponizes social engineering and targeted
client-side exploits by revealing valid user formats and vulnerable software baselines.
Question 2
A penetration tester executing an Nmap scan wants to minimize detection by an enterprise Intrusion
Detection System (IDS). The tester opts for a TCP SYN scan but sets the timing template to -T1
(Sneaky) and configures a source port of 53. Why would a source port modification assist in bypassing
older firewall or IDS configurations?
,A. Port 53 natively encrypts the TCP handshake flags via DNSSEC protocols, shielding the traffic from
inspection.
B. Legacy packet filters and stateful inspection engines often implement permissive rules allowing any
incoming traffic originating from common infrastructure services like DNS to pass unhindered.
C. Setting the source port to 53 forces Nmap to communicate using UDP instead of TCP, rendering TCP
flags invisible to the security appliance.
D. The -T1 flag automatically fragments all packets into 8-byte segments, matching standard DNS packet
lengths.
🟢 Correct answer: B
🔴 RATIONALE: Historically, network administrators constructed permissive inbound firewall policies for
traffic originating from source port 53 (DNS) or 80/443 (HTTP/HTTPS) to avoid disrupting critical
resolution or web updates. Modifying the source port exploits these static, poorly designed rulesets,
whereas DNSSEC does not encrypt standard TCP flag handshakes.
Question 3
While performing an internal security assessment, a tester intercepts NetBIOS Name Service (NBNS)
and Link-Local Multicast Name Resolution (LLMNR) broadcast requests using Responder. The tester
successfully captures cryptographic hashes from local workstations attempting to resolve non-existent
network shares. What specific hash format is captured through this link-local name resolution spoofing
technique?
A. Kerberos v5 TGS-REP ticket hashes
B. NetNTLMv2 hashes
C. Plaintext NT hashes
D. SHA-256 database authentication hashes
🟢 Correct answer: B
🔴 RATIONALE: Responder acts as a malicious authority responding to LLMNR, NBT-NS, and MDNS
broadcast resolution failures. When a target Windows client attempts to authenticate against the spoofed
, resource over SMB, it transmits a NetNTLMv1 or NetNTLMv2 challenge-response hash, which can then
be captured for offline cracking or relaying.
Question 4
A penetration tester is evaluating a web application and encounters an input field vulnerable to SQL
Injection. The backend database is confirmed to be Microsoft SQL Server. The tester executes the
command EXEC xp_cmdshell 'whoami'; but receives an error stating the procedure is blocked. Which
administrative command sequence must the tester inject to enable this extended stored procedure?
A. ALTER ROLE db_owner ADD MEMBER xp_cmdshell;
B. SET TRANSACTION ISOLATION LEVEL LEVEL_READ_COMMITTED;
C. EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',
1; RECONFIGURE;
D. UPDATE sys.configurations SET value = 1 WHERE name = 'xp_cmdshell';
🟢 Correct answer: C
🔴 RATIONALE: In modern MS SQL Server installations, xp_cmdshell is disabled by default for security
hardening. To toggle it execution-ready via SQL injection (assuming the current database user context
possesses sufficient administrative privileges, such as sysadmin ), the advanced configuration options
must be enabled and reconfigured first.
Question 5
During an external network penetration test, you discover an exposed Apache Tomcat administrative
interface. You successfully gain access using default credentials (tomcat:tomcat). What is the most direct
methodology to achieve remote code execution on the underlying operating system through this
interface?
A. Execute an arbitrary file read vulnerability via the HTTP TRACE method.
B. Upload a malicious Java Archive (JAR) file into the server's shared library folder.
C. Deploy a custom web application compressed as a Web Application Archive (WAR) file containing a
Java Server Pages (JSP) reverse shell.
D. Issue a serialized PHP payload directly to the Tomcat server's default context path.