QUESTIONS AND ANSWERS || ALREADY GRADED A+ || GUARANTEED PASS || LATEST VERSION 2025
Defining a Web App (5:58) - ANSWER-First, the web app is accessed via HTTP/HTTPS across the network; second, web apps involve a web server. Many web apps also involve a backend database that stores information for the web app. The most popular database backends are Microsoft SQL Server, Oracle, and MySQL.
Deleting users/accounts (4:20) - ANSWER-C:\> net localgroup [group] [logon_name] /del will remove any users that were created during testing. Keep an inventory and log of all changes made during testing so that everything can be reverted.
Denial of Service Check (1:86) - ANSWER-Some DoS checks merely verify the version number of the target service and are not very dangerous. The other type of DoS check first verifies that the service is running, and then starts the attack. If the service dies, that machine is now vulnerable, and the outage could have a devastating impact on the network. Which type of test will be performed must be explicitly stated before starting.
Detecting Reflected versus Stored XSS Vulns (5:105) - ANSWER-***See page for details about each type of XSS vulnerability***
Determining Service Names (4:28) - ANSWER-Run the command C:\> sc query state= all to find out the specific name of the service you are trying to interact with. You may also type services.msc to invoke the Services GUI and look for the specific service you want.
Determining which Client-Side Programs are Used (3:14) - ANSWER-Some target network personnel may simply provide the information the tester is looking for. Second, you can analyze metadata in any documents the target organization has published. You could also inspect User-Agent strings when the customer's users browse to your network to find out what type of browsers they are using.
Dig Command (1:143) - ANSWER-In modern Linux distros the nslookup command can no longer perform zone transfers. The dig command now provides this functionality.
Obtaining Windows PW Representations (4:138) - ANSWER-Meterpreter has a hashdump feature in the priv module to extract hashes. This rides over the attacker-to-Meterpreter comm channel and not the typical NetBIOS and SMB ports. The Mimikatz tool pulls hashes and possibly clear-text passwords from memory, combing through a Windows machine's LSASS process in various areas looking for stored auth creds. On a domain controller the tester could use the Volume Shadow Copy Service (VSS) to create a copy of the ntds.dit file and then parse it using the suite of parsing tools from Csaba Barta. The tester can also sniff challenge/response traffic from the network as a user mounts a file share and authenticates to the domain.
Open Source Security Testing Methodology Manual (OSSTMM) (1:24) - ANSWER-Document focused on improving the transparency of enterprise security, as well as the methodology of the testers. It also strives for repeatability, consistency, and high quality in numerous kinds of security tests. Topics addressed include scoping, metrics, human security testing, and data network testing.
Open Web Application Security Project (OWASP) (1:28) - ANSWER-Document that focuses purely on web app testing. Gives a detailed description of determining the business risk posed by findings.
OpenVAS (2:116) - ANSWER-Completely free vulnerability scanner. While new plugins are distributed with and for OpenVAS, the commercial version of Nessus is still 50% faster and has more plugins.
Orrey, Kev (Toggmeister) (1:29) - ANSWER-Wrote the Pentesting Framework.
Network Infrastructure Firewall Concerns (1:44) - ANSWER-When testing machines across the Internet, firewalls may block inbound/outbound packets, which could lead to inaccurate results.
Network Services Test (1:20) - ANSWER-Involves finding target systems on a network, looking for openings in their underlying operating systems and available network services, then exploiting them remotely. Can happen remotely across the Internet against the org's perimeter network, or from within their own facilities, to evaluate the security of the internal network or DMZ.
Network Sweeping (2:6) - ANSWER-Identifies which addresses are in use by sending probe packets to all network addresses in the target range. If a response is received, there is an active system at that address.
Network Tracing (2:6) - ANSWER-A closely related activity to network sweeping, in which we attempt to discern the topology of the target network by drawing a network map.
NeXCSer Tool (2:120) - ANSWER-Designed by Robin Wood; a script for merging Nessus result reports and converting them into a CSV.
Nickerson, Chris (1:26) - ANSWER-Lead for developing the Penetration Testing Execution Standard (PTES).
OS Fingerprinting (2:6) - ANSWER-All networks have different assets that run different operating systems; by crafting specific test packets designed to measure their differing behaviors, we can remotely determine a target's OS. Some sniffing tools include functionality to discern what type of OS formulated given packets in an entirely passive manner.
Other Vuln Scanning Tools (2:128) - ANSWER-Rapid7 - comprehensive vulnerability scanning/mgmt solution; Nexpose and Metasploit Pro - provide a GUI for Metasploit and integration between its scanning and exploitation components; Saint - derived from the Security Administrator's Tool for Analyzing Networks (SATAN) and is the original vuln scanner; BeyondTrust's
NMAP Scripting Engine Script Examples (2:108) - ANSWER-Located within the "scripts" directory, a file called "script.db" inventories the dozens of scripts within the directory and the categories each belongs to. Example syntax: "# grep safe /opt/nmap-7.60/scripts/script.db" and "# grep intrusive /opt/nmap-7.60/scripts/script.db" *** See book for more***
NMAP Scripting Engine Scripts (2:105) - ANSWER-NSE scripts are written in the Lua scripting language. Lua is flexible and extremely fast. Its interpreter is free, cross-platform, and has a small footprint. The Snort IDS and Wireshark also offer Lua support. Detailed step-by-step output can be accessed by using the --script-trace option. The --script-help option can aid in command-line invocation.
NMAP Support for IPv6 (2:57) - ANSWER-Can be useful because many firewalls and IPSs do not filter, block, or detect attacks transmitted via IPv6.
NMAP TCP Port Scan Types: Addt'nl (2:53) - ANSWER-ACK Scan (-sA); FIN Scan (-sF); Null Scan (-sN); Xmas Tree Scan (-sX); Maimon Scan (-sM)
NMAP TCP Port Scan Types: Connect Scan (2:51) - ANSWER-Can be invoked using the "-sT" flag. If a full connection is made, the port is labeled as open, and the connection is torn down with a RESET packet from the testing machine.