SANS 560 GPEN EXAM STUDY GUIDE
2026/2027 COMPLETE QUESTIONS WITH
VERIFIED CORRECT ANSWERS ||
100% GUARANTEED PASS
<NEWEST VERSION>
1. Pen Test - Testing (1:60) - ANSWER ✔ Conducting actual test
2. Pen test Inventory, Recording, & Collaboration (1:108) - ANSWER ✔ Some
testers use a wiki, while others use the Dradis tool which is designed for
collaborative recording and analysis among a group of testers. Magic tree is
also another tool that can be used
3. Pen Test Preparation (1:60) - ANSWER ✔ Could include signing an NDA
between all parties involved. Discuss significant concerns within the test
network. Discuss and agree on ROE.Need to ensure you have official,
written permission from the network owner/organization, even if it's internal
testing
4. Pen Testing Framework (1:29) - ANSWER ✔ Provides step-by-step
walkthrough of every aspect of a network pen test, including specific tools.
5. Pen testing from the cloud (1:82) - ANSWER ✔ Some testers utilize Cloud
based platforms as their attack platforms. Must follow provider's terms of
service when conducting any testing. Some use these platforms for network
, scanning and password cracking utilizing "rented" equipement. Some
providers are more likely to allow IP addresses inbound from CSP
6. Pen Testing the Cloud (1:81) - ANSWER ✔ A complete understanding of
the test environment is required. This will also identify any potential third
party infrastructure. You must obtain permission from the platform provider
to conduct testing
7. Penetration Testing (1:12) - ANSWER ✔ modeling the techniques used by
real-world computer attackers to find vulnerabilities, and under controlled
circumstances, to exploit those flaws in a professional safe manner,
according to designed scop and Rules of engagement to determine business
risk and potential impact, IOT to improve company security policies
8. Penetration Testing (1:9) - ANSWER ✔ model the activities of real world
threats to discover vulnerabilities, then through controlled exploitation,
attempt to determine business risk, and recommend appropriate defenses
9. Scapy: Sending/Receiving Example (2:89) - ANSWER ✔
10.Scapy: Setting Port ranges & TCP Control Bits (2:85) - ANSWER ✔ You
can also specify port ranges by using parentheses around the start port
comma end port. Scapy provides the ability specify TCP Control bits using
the appropriate letters from CEUAPRSF depending on the control bit
combinations you want to set
11.Scapy: Sniffing and reading packets (2:92) - ANSWER ✔ Use the sniff(),
which is not super fast can be used to sniff network traffic. You may miss
some packets/traffic. Instead of pulling packets from a NIC with sniff()
Scapy can read them from a packet capture file using rdpcap(). Scapy can
, write packets into a pcap file using the wrppcap()call, where we can provide
a filename and the packets we want to write.. Scapy can also invoke
Wireshark from the Scapy Python prompt
12.Scapy: Specifying Dest Addresses (2:84) - ANSWER ✔ Scapy provides the
ability to specify destination IP addresses. In addition to specific IP
addresses, Scapy also supports CIDR notation. This provides Scapy the
ability to send the same packet structure to multiple targets
13.Scheduling a Job: The AT and SCHTASKS Commands (4:49) - ANSWER
✔ One of the most common methods for scheduling a job to run in the near
future on a remote Windows machine, you can use the at and schtasks; at is
simple, clean and has easy-to-remember syntax. It's limited in that it runs all
jobs as local SYSTEM, and cannot designate a user acct. The schtasks is
more complex, but supports running jobs as individual users or as local
SYSTEM ***See page for syntax**
14.Schroeder, Will (3:68) - ANSWER ✔ developed Veil Framework
15.Scope Creep (1:78) - ANSWER ✔ a misunderstanding of what should be
tested leads the target organization to add more systems, target
networks/types, and types of testing to the test as it proceeds, and dangerous
and costly proposition for a tester.
16.Which of the following correctly defines the Nmap Scripting Engine
"intrusive" category?
Detects network-accessible backdoors
Looks for a vulnerability
, Detects the version of a target's services
May leave logs, guess passwords, or otherwise impact the target - ANSWER
✔ May leave logs, guess passwords, or otherwise impact the target
17.After scanning a network, a penetration tester has a list of open ports to be
investigated. Which Nmap feature can be used to probe the target machine
and determine what software is actually listening on those ports?
TCP connect scan
Version scanning
UDP port scan
TCP SYN scan - ANSWER ✔ Version scanning
18.Which of the following is a tool that operates as a backdoor, running on a
DC in memory, and allows a secondary password to access any account?
Golden Ticket
Trojan Key
Silver Ticket
2026/2027 COMPLETE QUESTIONS WITH
VERIFIED CORRECT ANSWERS ||
100% GUARANTEED PASS
<NEWEST VERSION>
1. Pen Test - Testing (1:60) - ANSWER ✔ Conducting actual test
2. Pen test Inventory, Recording, & Collaboration (1:108) - ANSWER ✔ Some
testers use a wiki, while others use the Dradis tool which is designed for
collaborative recording and analysis among a group of testers. Magic tree is
also another tool that can be used
3. Pen Test Preparation (1:60) - ANSWER ✔ Could include signing an NDA
between all parties involved. Discuss significant concerns within the test
network. Discuss and agree on ROE.Need to ensure you have official,
written permission from the network owner/organization, even if it's internal
testing
4. Pen Testing Framework (1:29) - ANSWER ✔ Provides step-by-step
walkthrough of every aspect of a network pen test, including specific tools.
5. Pen testing from the cloud (1:82) - ANSWER ✔ Some testers utilize Cloud
based platforms as their attack platforms. Must follow provider's terms of
service when conducting any testing. Some use these platforms for network
, scanning and password cracking utilizing "rented" equipement. Some
providers are more likely to allow IP addresses inbound from CSP
6. Pen Testing the Cloud (1:81) - ANSWER ✔ A complete understanding of
the test environment is required. This will also identify any potential third
party infrastructure. You must obtain permission from the platform provider
to conduct testing
7. Penetration Testing (1:12) - ANSWER ✔ modeling the techniques used by
real-world computer attackers to find vulnerabilities, and under controlled
circumstances, to exploit those flaws in a professional safe manner,
according to designed scop and Rules of engagement to determine business
risk and potential impact, IOT to improve company security policies
8. Penetration Testing (1:9) - ANSWER ✔ model the activities of real world
threats to discover vulnerabilities, then through controlled exploitation,
attempt to determine business risk, and recommend appropriate defenses
9. Scapy: Sending/Receiving Example (2:89) - ANSWER ✔
10.Scapy: Setting Port ranges & TCP Control Bits (2:85) - ANSWER ✔ You
can also specify port ranges by using parentheses around the start port
comma end port. Scapy provides the ability specify TCP Control bits using
the appropriate letters from CEUAPRSF depending on the control bit
combinations you want to set
11.Scapy: Sniffing and reading packets (2:92) - ANSWER ✔ Use the sniff(),
which is not super fast can be used to sniff network traffic. You may miss
some packets/traffic. Instead of pulling packets from a NIC with sniff()
Scapy can read them from a packet capture file using rdpcap(). Scapy can
, write packets into a pcap file using the wrppcap()call, where we can provide
a filename and the packets we want to write.. Scapy can also invoke
Wireshark from the Scapy Python prompt
12.Scapy: Specifying Dest Addresses (2:84) - ANSWER ✔ Scapy provides the
ability to specify destination IP addresses. In addition to specific IP
addresses, Scapy also supports CIDR notation. This provides Scapy the
ability to send the same packet structure to multiple targets
13.Scheduling a Job: The AT and SCHTASKS Commands (4:49) - ANSWER
✔ One of the most common methods for scheduling a job to run in the near
future on a remote Windows machine, you can use the at and schtasks; at is
simple, clean and has easy-to-remember syntax. It's limited in that it runs all
jobs as local SYSTEM, and cannot designate a user acct. The schtasks is
more complex, but supports running jobs as individual users or as local
SYSTEM ***See page for syntax**
14.Schroeder, Will (3:68) - ANSWER ✔ developed Veil Framework
15.Scope Creep (1:78) - ANSWER ✔ a misunderstanding of what should be
tested leads the target organization to add more systems, target
networks/types, and types of testing to the test as it proceeds, and dangerous
and costly proposition for a tester.
16.Which of the following correctly defines the Nmap Scripting Engine
"intrusive" category?
Detects network-accessible backdoors
Looks for a vulnerability
, Detects the version of a target's services
May leave logs, guess passwords, or otherwise impact the target - ANSWER
✔ May leave logs, guess passwords, or otherwise impact the target
17.After scanning a network, a penetration tester has a list of open ports to be
investigated. Which Nmap feature can be used to probe the target machine
and determine what software is actually listening on those ports?
TCP connect scan
Version scanning
UDP port scan
TCP SYN scan - ANSWER ✔ Version scanning
18.Which of the following is a tool that operates as a backdoor, running on a
DC in memory, and allows a secondary password to access any account?
Golden Ticket
Trojan Key
Silver Ticket
