











































































SANS 560 EXAM 2024/2025 WITH 100% ACCURATE SOLUTIONS
Typology: Exams
(Question 1) Analyze the screenshot below, of information gathered during a penetration test. What is the source of information being displayed? (image of robots.txt)
An HTTP error from IIS
An Apache httpd.conf file
A robots.txt file from a webserver
A file ACL from IIS version 6
- Precise Answer ✔✔A robots.txt file from a webserver

(Question 2) Analyze the screenshot below. What type of vulnerability is being attacked? (image)
Windows PowerShell
Windows Server service
Internet Explorer
Local Security Authority
- Precise Answer ✔✔Windows Server service

(Question 3) Examine the following Nmap command and results. If the SSH port was changed to port 23 instead of the default port, why would the output not show the results of the NSE script? (image)
-sV is needed to do a Version Scan
-p 23 is needed to designate the port to scan
Port 23 is reserved for Telnet only.
- Precise Answer ✔✔-sV is needed to do a Version Scan
( Explanation ) The Nmap scan in the above command only does a TCP Connect scan and does not detect what is running on the port. It simply checks whether the port is open or not. A version scan (-sV) is needed in this case for the Nmap scan to realize SSH is running on port 23 instead of the default Telnet service. Once the script sees that SSH is running on port 23, it can detect which protocol is supported. It is possible in the configuration of services for system administrators to change the default ports of services to a different port as long as it is free. By not specifying a port range, the Nmap default port list is used in the scan, which contains port 23. -sC is used to run all NSE scripts in the default category.

(Question 5) You are penetration testing a client's DMZ servers. You run out of time at the client site and decide to continue from your home network. You have talked with your ISP and ensured that all ports are allowed out, and they are aware of your penetration testing activities. You start a remote vulnerability scan that includes some application layer exploits that do not conform to protocol specifications. For some reason the vulnerability scanner will not run all the scans on the target system. The connection appears to be fine, as you are able to access the client site from your system. You test the vulnerability scanner on a system located on your local test network segment and the scan completes successfully. You investigate the connection issue and realize that the same vulnerability scan tests fail every time when connecting out of your network. What is the most likely reason for the failure?
( Answer ) You
- Precise Answer ✔✔An application layer firewall is dropping packets that do not conform to specifications

(Question 6)

( Question 8 ) Analyze the command output below. What conclusion can be drawn?
user@desktop:~$ sudo nmap -sU 192.168.116.
Starting Nmap 4.53 ( http://insecure.org ) at 2010-10-01 07:27 EDT
Interesting ports on 192.168.116.9:
Not shown: 1485 closed ports
PORT     STATE         SERVICE
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
5353/udp open          zeroconf
Nmap done: 1 IP address (1 host up) scanned in 1.556 seconds
( Answer )
The source system did not get a response to the packet sent to 137/udp.
The target system sent a RST for port reported as closed.
The source system did not respond to any probe packet.
The target system responded with an ICMP unreachable for port 138.
- Precise Answer ✔✔Incorrect: The source system did not respond to any probe packet.
( Correct Answer ) The source system did not get a response to the packet sent to 137/udp.
( Explanation ) During an nmap UDP scan, a host may send an ICMP unreachable for closed UDP ports. If that occurs, then the result will be that nmap reports the port as closed. If the target does not respond to the probe packet, the port is reported as open|filtered.

(Question 9) What is shown in the image below? (image)
( Answer )
An unsuccessful attempt to create a remote command shell.
An unsuccessful attempt to compromise the VNC service.
A remote desktop session opened on a Windows XP host.
A VNC session injected by a successful metasploit compromise.
- Precise Answer ✔✔A VNC session injected by a successful metasploit compromise.

( Question 10 ) During the reconnaissance phase of a penetration test, the tester finds the public document metadata shown below from an employee of the corporation being tested.
ExifTool Version Number : 8.
File Name : Job Application 10 for web.pdf
( Explanation ) The metadata provides a potential username in the Author: field, which can be used for social engineering, reconnaissance, phishing, and other methods. The document does not have any reference to web applications or password hashes.

A penetration tester obtains telnet access to a target machine using a captured credential. While trying to transfer her exploit to the target machine, the network intrusion prevention system keeps detecting her exploit and terminating her connection. Which of the following actions will help the penetration tester transfer an exploit and compile it on the target system?
( Answer )
Use the telnet service's ECHO option to pull the file onto the target machine.
Use the copy ability and paste the file directly on the target machine.
Use the scp service, protocol SSHv2 to pull the file onto the target machine.
Use the http service's PUT command to push the file onto the target machine.
Use the ftp service in passive mode to push the file onto the target machine.
- Precise Answer ✔✔Incorrect: Use the telnet service's ECHO option to pull the file onto the target machine.
( Correct Answer ) Use the scp service, protocol SSHv2 to pull the file onto the target machine.
( Explanation ) The protocols http, ftp and telnet are all clear text. Therefore, using any of those will allow the NIDS to detect the exploit and terminate the connection. Even using copy and paste will make use of the telnet access, which is also in clear text. Therefore, the only option is to use the ssh protocol, which encrypts the traffic.

You have a client-side exploit that takes advantage of a vulnerability in Adobe Acrobat products. You are performing a blind penetration test on an organization with unknown types and versions of software. Which of the following actions will best predict whether your exploit will succeed?
( Answer )
View the metadata of a recent PDF created by an employee of the organization
Run MBSA against Windows computers on the organization's network
Use the fingerprinting feature of nmap against a range of the organization's workstations
- Precise Answer ✔✔Incorrect: Use the fingerprinting feature of nmap against a range of the organization's workstations
( Correct Answer ) View the metadata of a recent PDF created by an employee of the organization
( Explanation ) Methods for checking whether an organization uses exploitable software include checking the metadata of documents generated by the software, or just asking. However, since this is a blind penetration test, the best approach would be to check the metadata of a PDF generated by the organization. Running nmap's fingerprinting tool would only identify the operating system, not the applications on the system, and MBSA would only identify Microsoft products, not Adobe Acrobat.

What tool could you use to capture and crack LanMAN Challenge/Responses over a network?
( Answer )
Cain
WinCrack
Wireshark
John the Ripper
- Precise Answer ✔✔Cain

You are conducting a penetration test against a web application and are trying to determine the referring site for a pop-up window by viewing the raw HTTP response header. Which feature offered by a non-transparent proxy will produce this?

Scanning tools only recognize IP addresses.
A single domain name can only have one IP address.
A single IP may have multiple domains.
- Precise Answer ✔✔A single domain name may have multiple IP addresses.

Analyze the excerpt from a packet capture below. Given the host is up, what conclusion can be correctly drawn about host 192.168.116.101?
19:15:59.750681 IP 192.168.116.9.36166 > 192.168.116.101.130: S 1545215088:1545215088(0) win 5840 <mss 1460,sackOK,timestamp 1133317920 0,nop,wscale 5>
19:15:59.750812 IP 192.168.116.9.56297 > 192.168.116.101.131: S 1537851107:1537851107(0) win 5840 <mss 1460,sackOK,timestamp 1133317920 0,nop,wscale 5>
19:15:59.750937 IP 192.168.116.9.60783 > 192.168.116.101.132: S 1531969710:1531969710(0) win 5840 <mss 1460,sackOK,timestamp 1133317920 0,nop,wscale 5>
19:15:59.751053 IP 192.168.116.9.54178 > 192.168.116.101.133: S 1543184417:1543184417(0) win 5840 <mss 1460,sackOK,timestamp 1133317920 0,nop,wscale 5>
19:15:59.751168 IP 192.168.116.9.33278 > 192.168.116.101.134: S 1543045357:1543045357(0) win 5840 <mss 1460,sackOK,timestamp 1133317920 0,n
- Precise Answer ✔✔It is not responding to connection attempts on tcp ports 130-140.

Why is OSSTMM beneficial to the pen tester?
( Answer )
It provides report templates
It provides in-depth knowledge on tools
It includes an automated testing engine similar to metasploit
It provides a legal and contractual framework for testing
- Precise Answer ✔✔It provides report templates

Which system would be most appropriate to scan using Nessus with Safe Checks disabled?
( Answer )
A newly installed system, not in production
A high visibility production system
A low visibility production system
Your network's security infrastructure
- Precise Answer ✔✔A newly installed system, not in production

A penetration tester obtains user-level access to a target machine and is about to start uploading her tools. Her objective is to use the newly obtained access as a pivot to attempt further penetration of the network. Which of the following options are files/programs that could help the penetration tester to achieve her objective?
( Answer )
Network sniffers, Local privilege escalation exploits, Private keys obtained from other penetrated systems
Network sniffers, Additional legitimate file transfer services, Private keys obtained from other penetrated systems
Local privilege escalation exploits, Operating system patches, Additional legitimate file transfer services
Operating system patches, Additional legitimate file transfer services, Private keys obtained from other penetrated systems

( Question 23 ) Which of the following TCP packet sequences are common during a SYN (or half-open) scan?
( Answer )
The scanning computer sends SYN-ACK and no response is received from the target computer
The scanning computer sends SYN-ACK and the target computer responds with RST-ACK
The scanning computer sends SYN and the target computer responds with RST-ACK
The scanning computer sends SYN and a SYN-FIN is received from the target computer
- Precise Answer ✔✔The scanning computer sends SYN and the target computer responds with RST-ACK

You have gained shell on a Windows host and want to find other machines to pivot to, but the rules of engagement state that you can only use tools that are already available. How could you find other machines on the target network?
( Answer )
Use the "edit" utility to read the target's HOSTS file.
Use the "net share" utility to see who is connected to local shared drives.
Use the "ping" utility in a "for" loop to sweep the network.
Use the "scapy" utility to automatically discover other hosts.
- Precise Answer ✔✔Use the "ping" utility in a "for" loop to sweep the network.

You've just gained access to a file server that contains some interesting files. One of these files has the extension ".hashes". Which of the following applications would give you insight into what kind of hashes are represented by the following string: 095C4F1A0A1218000F
( Answer )
Ophcrack hashes plus salting
Brutus's hashme feature
Hydra's default hashing algorithm
Cain's text to hash calculator
- Precise Answer ✔✔Cain's text to hash calculator
( Explanation ) This is the password hash for the word "password" using Cisco's password encryption algorithm. Cain's built-in hash calculator is useful in digesting quick guesses that you might have regarding passwords and can export the values in MD2, MD4, MD5, SHA-1, LANMAN, NTLM, MySQL323 and Cisco PIX.

You are conducting a pen test. The information you are given is limited to a system domain name. What type of test are you conducting?
( Answer )
Black box testing
White box testing
Crystal box testing
Hybrid testing
- Precise Answer ✔✔Black box testing
( Explanation ) A test with nearly no information is a black box test - this is the correct answer. Hybrid testing starts as black box testing and moves to a crystal box format. A crystal box (or white box) test has all the information available, unlike the test in the question, where the information is hidden.

( Explanation ) scapy relies on the underlying operating system to construct Layer 2 information to use as default. If not explicitly defined, scapy and the underlying operating system construct Layer 2 information, which is used as default.

( Question 28 ) With respect to rainbow tables, what is a chain and a reduction function?
( Answer )
A chain is the hashing mechanism used to convert a password to a hash. A reduction function makes a chain smaller in preparation for another chaining iteration.
A chain is the relationship map between a password and its one-way hash. A reduction function maps the hashes back to a plain text password.
A chain is the link between the hash and password. A reduction function is the code required to break the hash into the smallest amount of data.
A chain is the smallest segment of the hash that can be used to pass on to the reduction function. A reduction function is the code that hashes the chain.
- Precise Answer ✔✔A chain is the hashing mechanism used to convert a password to a hash. A reduction function makes a chain smaller in preparation for another chaining iteration.
( Correct Answer ) A chain is the relationship map between a password and its one-way hash. A reduction function maps the hashes back to a plain text password.
( Explanation ) Chains are the relationship between a password and its one-way hash. For example, a rainbow table would create a chain between the password "secret" and the MD5 hash "5ebe2294ecd0e0f08eab7690d2a6ee69". Since hashes by nature are not easily reversible, the reduction function would take a small segment of the hash, perhaps the first several characters "5ebe229", and from these digits create the new password "5ebe229", which maps back to the hash and ultimately to the original password. The new password would then be hashed and reduced, creating a new chain between the original password "secret" and the new hash.

( Question 30 ) While scanning a remote system that is running a web server with a UDP scan and monitoring the scan with a sniffer, you notice that the target is responding with ICMP Port Unreachable once a second. What operating system is the target likely running?
( Answer )
Windows
Mac OS X
OpenBSD
Linux
- Precise Answer ✔✔Incorrect: Windows
( Correct Answer ) Linux
( Explanation ) Some versions of Linux will throttle ICMP port unreachables to 1/second. This is the only operating system that throttles these responses in this manner; none of the other operating systems listed have this mechanism in place.

( Question 29 ) Which single tool could you use to crack all of the password hashes below?

Attack on the physical machine
Attack of a client application that retrieves content from the network
- Precise Answer ✔✔Incorrect: Attack that escalates user privilege to root or administrator
( Correct Answer ) Attack of a service listening on a network port
( Explanation ) Service-side exploits attack a service that is listening on the network. The service gathers packets from the network, passively waiting for a user on a client machine to initiate a connection. To exploit the service, the attacker generates exploit packets destined for the target service. No user interaction on the target machine is required.

( Question 32 ) You have been contracted to perform a black box pen test against the Internet facing servers for a company. They want to know, with a high level of confidence, if their servers are vulnerable to external attacks. Your contract states that you can use all tools available to you to pen test the systems. What course of action would you use to generate a report with the lowest false positive rate?
( Answer )
Use a port scanner to find open service ports and generate a report listing all vulnerabilities associated with those listening services.
Use a vulnerability or port scanner to find listening services and then try to exploit those services.
Log into the system and record the patch levels of each service, then generate a report that lists known vulnerabilities for all the running services.
Use a vulnerability scanner to generate a report of vulnerable services.
- Precise Answer ✔✔Correct...
( Answer ) Use a vulnerability or port scanner to find listening services and then try to exploit those services.
( Explanation ) Finding listening services with a port or vulnerability scanner will give you an idea of the listening services and might even list known vulnerabilities associated with those services, but to be sure the vulnerability is real you need to actually exploit the vulnerability.

( Question 33 ) What section of the penetration test or ethical hacking engagement final report is used to communicate the agreed upon scope of the test?
( Answer )
Conclusions
Executive Summary
Findings
Introduction
- Precise Answer ✔✔( Answer ) Introduction
( Explanation ) The Introduction component of the report is a one-to-three page section that provides an overview of the project so that the reader understands when the project occurred, what was included in the scope (and possibly items purposely left out of the scope, if applicable), and who participated in the test.

( Question 34 ) Which of the following describes a typical Stored Cross-Site Scripting (XSS) scenario?