SANS 560 EXAM 2025 WITH 100% ACCURATE SOLUTIONS, Exams of Nursing

Typology: Exams

2024/2025

Available from 07/05/2025

wGUEXAMCOLLECTIVE
SANS 560 EXAM 2025 WITH 100% ACCURATE SOLUTIONS
(Question 1)
Analyze the screenshot below, of information gathered during a penetration test. What is the source of information being displayed?
(image) of robots.txt
An HTTP error from IIS
An Apache httpd.conf file
A robots.txt file from a webserver
A file ACL from IIS version 6 – Answer A robots.txt file from a webserver
(Question 2)
Analyze the screenshot below. What type of vulnerability is being attacked?
(image)
Windows PowerShell
Windows Server service
Internet Explorer
Local Security Authority – Answer Windows Server service

(Question 3)
Examine the following Nmap command and results. If the SSH port was changed to port 23 instead of the default port, why would the output not show the results of the NSE script?
(image)
-sV is needed to do a Version Scan
-p 23 is needed to designate the port to scan
Port 23 is reserved for Telnet only. – Answer -sV is needed to do a Version Scan
(Explanation) The Nmap scan in the above command only does a TCP Connect scan and does not detect what is running on the port. It simply checks whether the port is open or not. A version scan (-sV) is needed in this case for the Nmap scan to realize SSH is running on port 23 instead of the default Telnet service. Once the script sees that SSH is running on port 23, it can detect which protocol is supported. System administrators can configure a service to listen on a different port from its default, as long as that port is free. By not specifying a port range, the Nmap default port list, which contains port 23, is used in the scan. -sC is used to run all NSE scripts in the default category.

(Question 5)
You are penetration testing a client’s DMZ servers. You run out of time at the client site and decide to continue from your home network. You have talked

Comparing the results of successive traceroute commands run from multiple locations – Answer Comparing the results of successive traceroute commands run from multiple locations

(Question 7)
Why is Cross Site Request Forgery (XSRF) so dangerous?
(Answer)
It launches legitimate requests to authenticate on behalf of a victim system.
It performs legitimate, authenticated requests without the victim’s knowledge.
It performs legitimate, unauthenticated requests without the need for a victim system.
It launches devastating DoS attacks that appear to be legitimate, authenticated requests. – Answer It performs legitimate, authenticated requests without the victim’s knowledge.

(Question 8)
Analyze the command output below. What conclusion can be drawn?
user@desktop:~$ sudo nmap -sU 192.168.116.

Starting Nmap 4.53 ( http://insecure.org ) at 2010-10-01 07:27 EDT
Interesting ports on 192.168.116.9:
Not shown: 1485 closed ports
PORT STATE SERVICE
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
5353/udp open zeroconf
Nmap done: 1 IP address (1 host up) scanned in 1.556 seconds
(Answer)
The source system did not get a response to the packet sent to 137/udp.
The target system sent a RST for port reported as closed.
The source system did not respond to any probe packet.
The target system responded with an ICMP unreachable for port 138. – Answer Incorrect: The source system did not respond to any probe packet.
(Correct Answer) The source system did not get a response to the packet sent to 137/udp.
(Explanation)

File Name : Job Application 10 for web.pdf
Directory : .
File Size : 25 kB
File Modification Date/Time : 2010:08:16 11:55:43-04:
File Permissions : rw-rw-rw-
File Type : PDF
MIME Type : application/pdf
PDF Version : 1.
XMP Toolkit : 3.1-
Creator Tool : Acrobat PDFMaker 7.0.7 for Excel
Metadata Date : 2010:01:04 12:01:35-05:
Format : application/pdf
Document ID : uuid:8567b7b8-63a3-4cef-9c1f-452a576a
Instance ID : uuid:bb6baf95-2e85-4caa-bcc8-6323f44a1ea
Page Count : 2
Create Date : 2010:01:04 12:01:34-05:
Author : cjohnson
Creator : Acrobat PDFMaker 7.0.7 for Excel
Producer : Acrobat Distiller 7.0.5 (Windows)
Modify Date : 2010:01:04 12:01:35-05:
Title : Job Application
Which of the f – Answer Incorrect: A vulnerable web application to exploit
(Correct Answer) A username to use for social engineering

(Explanation) The metadata provides a potential username in the Author: field which can be used for social engineering, reconnaissance, phishing, and other methods. The document does not have any reference to web applications, or password hashes.

A penetration tester obtains telnet access to a target machine using a captured credential. While trying to transfer her exploit to the target machine, the network intrusion prevention system keeps detecting her exploit and terminating her connection. Which of the following actions will help the penetration tester transfer an exploit and compile it in the target system?
(Answer)
Use the telnet service’s ECHO option to pull the file onto the target machine.
Use the copy ability and paste the file directly on the target machine.
Use the scp service, protocol SSHv2 to pull the file onto the target machine.
Use the http service’s PUT command to push the file onto the target machine.
Use the ftp service in passive mode to push the file onto the target machine. – Answer Incorrect: Use the telnet service’s ECHO option to pull the file onto the target machine.
(Correct Answer) Use the scp service, protocol SSHv2 to pull the file onto the target machine.

applications on the system, and MBSA would only identify Microsoft products, not Adobe Acrobat.

What tool could you use to capture and crack LanMAN Challenge/Responses over a network?
(Answer)
Cain
WinCrack
Wireshark
John the Ripper – Answer Cain

You are conducting a penetration test against a web application and are trying to determine the referring site for a pop-up window by viewing the raw HTTP response header. Which feature offered by a non-transparent proxy will produce this?
(Answer)
Inspection
Spidering
Manipulation
Scanning – Answer Inspection

You are running a vulnerability scan on a remote network and the traffic is not making it to the target system. You investigate the connection issue and determine that the traffic is making it to the internal interface of your network firewall, but not making it to the external interface or to any systems outside your firewall. What is the most likely problem?

(Answer)
A host based firewall is blocking the traffic
Your ISP is blocking the traffic
The remote site you are testing is blocking the traffic
Your network firewall is blocking the traffic – Answer Incorrect: Your ISP is blocking the traffic
(Correct Answer) Your network firewall is blocking the traffic
(Explanation) Since the traffic is making it to the firewall and not passing through it, the only possible choice is that the network based firewall is blocking the traffic. You would see traffic outside the network firewall if it was passing the traffic even if the ISP was blocking the traffic, and you would not see traffic on the internal interface of the firewall if a host based firewall was blocking the traffic.

When DNS is being used for load balancing, why would a penetration tester choose to identify a scan target by its IP address rather than its host name?
(Answer)
A single domain name may have multiple IP addresses.
Scanning tools only recognize IP addresses.
A single domain name can only have one IP address.
A single IP may have multiple domains. – Answer A single domain name may have multiple IP addresses.

It includes an automated testing engine similar to metasploit
It provides a legal and contractual framework for testing – Answer It provides report templates

Which system would be most appropriate to scan using Nessus with Safe Checks disabled?
(Answer)
A newly installed system, not in production
A high visibility production system
A low visibility production system
Your network’s security infrastructure – Answer A newly installed system, not in production

A penetration tester obtains user-level access to a target machine and is about to start uploading her tools. Her objective is to use the newly obtained access as a pivot to attempt further penetration of the network. Which of the following options are files/programs that could help the penetration tester to achieve her objective?
(Answer)
Network sniffers, Local privilege escalation exploits, Private keys obtained from other penetrated systems

Network sniffers, Additional legitimate file transfer services, Private keys obtained from other penetrated systems
Local privilege escalation exploits, Operating system patches, Additional legitimate file transfer services
Operating system patches, Additional legitimate file transfer services, Private keys obtained from other penetrated systems
Network sniffers, Local privilege escalation exploits, Operating system patches – Answer Network sniffers, Local privilege escalation exploits, Private keys obtained from other penetrated systems

(Question 21)
Analyze the screenshot below. What correct conclusion can be made about the target?
(image)
(Answer)
It is not vulnerable to the exploit loaded.
It is running SMB service.
It has been successfully exploited.
It is on the same subnet as the attacker. – Answer It has been successfully exploited.

The scanning computer sends SYN and a SYN-FIN is received from the target computer – Answer The scanning computer sends SYN and the target computer responds with RST-ACK

You have gained shell on a Windows host and want to find other machines to pivot to, but the rules of engagement state that you can only use tools that are already available. How could you find other machines on the target network?
(Answer)
Use the “edit” utility to read the target’s HOSTS file.
Use the “net share” utility to see who is connected to local shared drives.
Use the “ping” utility in a “for” loop to sweep the network.
Use the “scapy” utility to automatically discover other hosts. – Answer Use the “ping” utility in a “for” loop to sweep the network.

You’ve just gained access to a file server that contains some interesting files. One of these files contains the extension “.hashes”. Which of the following applications would give you insight into what kind of hashes are represented by the following string: 095C4F1A0A1218000F
(Answer)
Ophcrack hashes plus salting
Brutus’s hashme feature

Hydra’s default hashing algorithm
Cain’s text to hash calculator – Answer Cain’s text to hash calculator
(Explanation) This is the password hash for the word “password” using Cisco’s password encryption algorithm. Cain’s built-in hash calculator is useful in digesting quick guesses that you might have regarding passwords and can export the values in MD2, MD4, MD5, SHA-1, LANMAN, NTLM, MySQL323 and Cisco Pix.

You are conducting a pen test. The information you are given is limited to a system domain name. What type of test are you conducting?
(Answer)
Black box testing
White box testing
Crystal box testing
Hybrid testing – Answer Black box testing
(Explanation) A test with nearly no information is a black box test – this is the correct answer. Hybrid testing starts as black box testing and moves to a crystal box format. A crystal box (or white box) test has all the information available unlike the tests in the question that are hidden.

0x800 is a randomly generated value for the Layer 2 Ether type field. – Answer Incorrect: If not explicitly defined, the Ether type field value is created using the hex value of the destination port, in this case 80.
(Correct Answer) Scapy relies on the underlying operating system to construct Layer 2 information to use as default.
(Explanation) Scapy relies on the underlying operating system to construct Layer 2 information to use as default. If not explicitly defined, scapy and the underlying operating system construct Layer 2 information which is used as default.

(Question 28)
With respect to rainbow tables, what is a chain and a reduction function?
(Answer)
A chain is the hashing mechanism used to convert a password to a hash. A reduction function makes a chain smaller in preparation for another chaining iteration.
A chain is the relationship map between a password and its one-way hash. A reduction function maps the hashes back to a plain text password.
A chain is the link between the hash and password. A reduction function is the code required to break the hash into the smallest amount of data.

A chain is the smallest segment of the hash that can be used to pass on to the reduction function. A reduction function is the code that hashes the chain. – Answer A chain is the hashing mechanism used to convert a password to a hash. A reduction function makes a chain smaller in preparation for another chaining iteration.
(Correct Answer) A chain is the relationship map between a password and its one-way hash. A reduction function maps the hashes back to a plain text password.
(Explanation) Chains are the relationship between a password and its one way hash. For example, a rainbow table would create a chain between the password “secret” and MD5 hash “5ebe2294ecd0e0f08eab7690d2a6ee69”. Since hashes by nature are not easily reversible, the reduction function would take a small segment of the hash, perhaps the first several characters “5ebe229”, and from these digits create the new password “5ebe229”, which maps back to the hash and ultimately to the original password. The new password would then be hashed and reduced, creating a new chain between the original password “secret” and the new hash.

(Question 30)
While scanning a remote system that is running a web server with a UDP scan and monitoring the scan with a sniffer, you notice that the target is responding with ICMP Port Unreachable once a second. What operating system is the target likely running?
(Answer)
Windows
Mac OS X