SANS SEC401 MODULE EXAM SCRIPT 2026
FULL QUESTIONS AND CORRECT ANSWERS
ALREADY PASSED
◉ What tcpdump flag allows us to turn off hostname and port
resolution? Answer: -nn
◉ What TCP flag is the only one set when initiating a connection?
Answer: SYN
◉ Which tool from the aircrack-ng suite captures wireless frames?
Answer: airodump-ng
◉ To crack WPA, you must capture a valid WPA handshake? Answer:
True
◉ What is the keyspace associated with WEP IVs? Answer: 2^
◉ What user account is part of Windows Resource Protection? Answer:
TrustedInstaller
,◉ What is the file system location where DLL files are stored? Answer:
System32
◉ What command is used to launch the graphical PowerShell ISE
editor? Answer: powershell_ise.exe
◉ What keyboard do we look for in secedit.exe log files to find
mismatches? Answer: Mismatch
◉ What command is used to open a text file in the PowerShell ISE
editor? Answer: ise
◉ What PowerShell commands show processes and services Answer:
Get-Process and Get-Service
◉ What PowerShell command can export objects to a CSV text file?
Answer: Export-Csv
◉ What PowerShell command strips away properties we don't care
about? Answer: Select-Object
◉ What is the file used by John the Ripper to store cracked passwords?
Answer: john.pot
,◉ What password cracking method uses GECOS information? Answer:
Single
◉ True or False: John the Ripper can crack any password within 2 days?
Answer: False
◉ What Cisco password type were we easily able to decode with Cain?
Answer: Type-7
◉ What is the name of the password database on Windows? Answer:
SAM Database
◉ What Windows hash type did we crack with Cain and Abel? Answer:
NT or NTLM
◉ What Nmap option enables you to write results in XML format?
Answer: -oX
◉ Which Nmap scan type performs a Stealth Scan? Answer: -sS
◉ In what language are NSE scripts written? Answer: Lua
◉ What is the name of the tool we used to display text from the
program? Answer: strings
, ◉ What message did we get during the buffer overflow? Answer:
Segmentation fault
◉ What do we prepend to a program to ensure it runs from the current
folder? Answer: ./
◉ What is the name of the function enabling this command injection
bug? Answer: system
◉ True or False? You need to use the | symbol to append on an
additional command? Answer: False
◉ What command did you use to go to the restricted shell? Answer:
rbash
◉ Which hping3 option performs IP source address spoofing? Answer: -
a
◉ True or False? hping3 can transfer files covertly? Answer: True
◉ Using the "-t" flag with hping3, what can we set the value for?
Answer: TTL
FULL QUESTIONS AND CORRECT ANSWERS
ALREADY PASSED
◉ What tcpdump flag allows us to turn off hostname and port
resolution? Answer: -nn
◉ What TCP flag is the only one set when initiating a connection?
Answer: SYN
◉ Which tool from the aircrack-ng suite captures wireless frames?
Answer: airodump-ng
◉ To crack WPA, you must capture a valid WPA handshake? Answer:
True
◉ What is the keyspace associated with WEP IVs? Answer: 2^
◉ What user account is part of Windows Resource Protection? Answer:
TrustedInstaller
,◉ What is the file system location where DLL files are stored? Answer:
System32
◉ What command is used to launch the graphical PowerShell ISE
editor? Answer: powershell_ise.exe
◉ What keyboard do we look for in secedit.exe log files to find
mismatches? Answer: Mismatch
◉ What command is used to open a text file in the PowerShell ISE
editor? Answer: ise
◉ What PowerShell commands show processes and services Answer:
Get-Process and Get-Service
◉ What PowerShell command can export objects to a CSV text file?
Answer: Export-Csv
◉ What PowerShell command strips away properties we don't care
about? Answer: Select-Object
◉ What is the file used by John the Ripper to store cracked passwords?
Answer: john.pot
,◉ What password cracking method uses GECOS information? Answer:
Single
◉ True or False: John the Ripper can crack any password within 2 days?
Answer: False
◉ What Cisco password type were we easily able to decode with Cain?
Answer: Type-7
◉ What is the name of the password database on Windows? Answer:
SAM Database
◉ What Windows hash type did we crack with Cain and Abel? Answer:
NT or NTLM
◉ What Nmap option enables you to write results in XML format?
Answer: -oX
◉ Which Nmap scan type performs a Stealth Scan? Answer: -sS
◉ In what language are NSE scripts written? Answer: Lua
◉ What is the name of the tool we used to display text from the
program? Answer: strings
, ◉ What message did we get during the buffer overflow? Answer:
Segmentation fault
◉ What do we prepend to a program to ensure it runs from the current
folder? Answer: ./
◉ What is the name of the function enabling this command injection
bug? Answer: system
◉ True or False? You need to use the | symbol to append on an
additional command? Answer: False
◉ What command did you use to go to the restricted shell? Answer:
rbash
◉ Which hping3 option performs IP source address spoofing? Answer: -
a
◉ True or False? hping3 can transfer files covertly? Answer: True
◉ Using the "-t" flag with hping3, what can we set the value for?
Answer: TTL
