QUESTIONS WITH CORRECT
ANSWERS GRADED A+
◍ (Question 1) Analyze the screenshot below, of information gathered during a
penetration test. What is the source of the information being displayed?
(image of robots.txt)
- An HTTP error from IIS
- An Apache httpd.conf file
- A robots.txt file from a webserver
- A file ACL from IIS version 6
Answer: A robots.txt file from a webserver
◍ "A company encrypts their sensitive data as a matter of policy. To decrypt
the data, the user must use the master password that is provided to all
employees who are approved to view the data. Which type of encryption is
the company using?"
Answer: Symmetric
◍ "Hazel wants to send Lucy an encrypted email message using the RSA
algorithm with a key length of 4,096. What must occur in order for Hazel
and Lucy to encrypt and decrypt their email correspondence?"
Answer: They must share their public keys with each other
◍ (Question 2) Analyze the screenshot below. What type of vulnerability is
being attacked? (image)
- Windows PowerShell
- Windows Server service
- Internet Explorer
- Local Security Authority
Answer: Windows Server service
◍ Which of the following represents a characteristic of an anomaly-based
IDS?
Answer: It updates its attack database periodically from the vendor
◍ (Question 3) Examine the following Nmap command and results. If the SSH
port was changed to port 23 instead of the default port, why would the
output not show the results of the NSE script? (image)
- -sV is needed to do a Version Scan
- -p 23 is needed to designate the port to scan
- Port 23 is reserved for Telnet only
Answer: -sV is needed to do a Version Scan
Explanation: The Nmap scan in the above command only does a TCP Connect scan
and does not detect what is running on the port. It simply checks whether
the port is open or not. A version scan (-sV) is needed in this case for the
Nmap scan to realize SSH is running on port 23 instead of the default Telnet
service. Once the script sees that SSH is running on port 23, it can detect
which protocol is supported. System administrators can configure a service
to listen on a port other than its default, as long as that port is free.
Because no port range is specified, the scan uses the Nmap default port
list, which contains port 23. -sC is used to run all NSE scripts in the
default category.
◍ The SHA-256 algorithm is applied to two unique documents. The values of
the resulting hashes are the same. What is this known as?
Answer: Non-repudiation
◍ TCP's error correction mechanism relies on the sequence number and which
flag?
Answer: RST
◍ "Of the following policy types, which would address how PII (Personally
Identifiable Information) data is handled?"
Answer: Privacy policy
◍ (Question 5) You are penetration testing a client's DMZ servers. You run out
of time at the client site and decide to continue from your home network.
You have talked with your ISP and ensured that all ports are allowed out
and they are aware of your penetration testing activities. You start a remote
vulnerability scan that includes some application layer exploits that do not
conform to protocol specifications. For some reason the vulnerability
scanner will not run all the scans on the target system. The connection
appears to be fine as you are able to access the client site from your system.
You test the vulnerability scanner on a system located on your local test
network segment and the scan completes successfully. You investigate the
connection issue and realize that the same vulnerability scan tests fail every
time when connecting out of your network. What is the most likely reason
for the failure?
- Your ISP is rate limiting your connection
- An application layer firewall is dropping packets that do not conform to
  specifications
- The NAT or PAT tables on an iptables firewall are filling up
- The client site is blocking connections NOT established from their
  network IPs
Answer: An application layer firewall is dropping packets that do not
conform to specifications
◍ How do you determine the appropriate level of protection for an asset?
Answer: Based on the value
◍ Which of the following layers of the TCP/IP model defines how to access a
specific network topology at the hardware level?
Answer: Link Layer
◍ Which of the following is a transposition cipher?
Answer: Rail Fence
◍ The last packet in a graceful teardown of a TCP session has what flags?
Answer: ACK
◍ Detection without response is useless.
Answer: "Prevention, Detection and Response"
◍ (Question 6) During the course of a penetration test, the tester wants to
determine the routing relationship between the target company, ISP, and
external networks. Which of the following methods will provide this
information?
- Performing a DNS zone transfer from the company's main resolver and from
  a secondary resolver.
- Gathering the whois information for the target and the ISP by querying
  different servers.
- Sniffing session data both to and from the Internet to the company
  mailserver.
- Comparing the results of successive traceroute commands run from multiple
  locations.
Answer: Comparing the results of successive traceroute commands run from
multiple locations
◍ "Of all the possible human attack vectors, which is the hardest to train
employees to deal with and identify?"
Answer: Trusted Insider
◍ (Question 7) Why is Cross Site Request Forgery (XSRF) so dangerous?
- It launches legitimate requests to authenticate on behalf of a victim
  system.
- It performs legitimate, authenticated requests without the victim's
  knowledge.
- It performs legitimate, unauthenticated requests without the need for a
  victim system.
- It launches devastating DoS attacks that appear to be legitimate,
  authenticated requests.
Answer: It performs legitimate, authenticated requests without the victim's
knowledge.
◍ (Question 8) Analyze the command output below. What conclusion can be
drawn?

    user@desktop:~$ sudo nmap -sU 192.168.116.9
    Starting Nmap 4.53 ( http://insecure.org ) at 2010-10-01 07:27 EDT
    Interesting ports on 192.168.116.9:
    Not shown: 1485 closed ports
    PORT     STATE         SERVICE
    137/udp  open|filtered netbios-ns
    138/udp  open|filtered netbios-dgm
    5353/udp open          zeroconf
    Nmap done: 1 IP address (1 host up) scanned in 1.556 seconds

- The source system did not get a response to the packet sent to 137/udp.
- The target system sent a RST for port reported as closed.
- The source system did not respond to any probe packet.
- The target system responded with an ICMP unreachable for port 138.
Answer: Incorrect: The source system did not respond to any probe packet.
Correct Answer: The source system did not get a response to the packet sent
to 137/udp.
Explanation: During an Nmap UDP scan, a host may send an ICMP unreachable
for closed UDP ports. If that occurs, Nmap reports the port as closed. If
the target does not respond to the probe packet, the port is reported as
open|filtered.