CNSP Certified Network Security Practitioner (CNSP) Question and Answers

The LinuxFilesystem Hierarchy Standard (FHS), per FHS 3.0, defines directory purposes:

/mnt:Designated fortemporarily mounted filesystems, typically by system administrators.

Use: Mount points for removable media (e.g., USB drives: mount /dev/sdb1 /mnt/usb) or network shares (e.g., NFS).

Nature: Transient, user-managed, not persistent across reboots (unlike /etc/fstab mounts).

Contrast:

/media:Auto-mounts removable devices (e.g., by desktop environments like GNOME).

/mnt vs. /media:/mnt is manual, /media is system-driven.

Technical Details:

Empty by default; subdirectories (e.g., /mnt/usb) are created as needed.

Permissions: Typically root-owned (0755), requiring sudo for mounts.

Security Implications:Misconfigured /mnt mounts (e.g., world-writable) risk unauthorized access. CNSP likely covers mount security (e.g., nosuid option).

Why other options are incorrect:

B. System config/init scripts:Found in /etc (e.g., /etc/passwd, /etc/init.d).

C. Driver modules:Located in /lib/modules/.

D. Kernel state:Resides in /proc (e.g., /proc/cpuinfo).

Real-World Context:Admins mount ISOs at /mnt during server provisioning (e.g., mount -o loop image.iso /mnt).References:CNSP Official Study Guide (Linux Filesystems); FHS 3.0 Documentation.

TCP’sthree-way handshake, per RFC 793, establishes a connection:

Client → Server:SYN (Synchronize) packet (e.g., port 80).

Server → Client:SYN-ACK (Synchronize-Acknowledge) packet if the port is open and listening.

Client → Server:ACK (Acknowledge) completes the connection.

Scenario:Anopen TCP port(e.g., 80 for HTTP) with no firewall. When a client sends a SYN to an open port (e.g., via telnet 192.168.1.1 80), the server responds with aSYN-ACKpacket, indicating willingness to connect. No firewall means no filtering alters this standard response.

Packet Details:

SYN-ACK: Sets SYN and ACK flags in the TCP header, with a sequence number and acknowledgment number.

Example: Client SYN (Seq=100), Server SYN-ACK (Seq=200, Ack=101).

Security Implications:Open ports responding with SYN-ACK are easily detected (e.g., Nmap “open” state), inviting exploits if unneeded (e.g., Telnet on 23). CNSP likely stresses port minimization and monitoring.

Why other options are incorrect:

A. A FIN and an ACK packet:FIN-ACK closes an established connection, not a response to a new SYN.

B. A SYN packet:SYN initiates a connection from the client, not a server response.

D. A RST and an ACK packet:RST-ACK rejects a connection (e.g., closed port), not an open one.

Real-World Context:SYN-ACK from SSH (22/TCP) confirms a server’s presence during reconnaissance.References:CNSP Official Documentation (TCP/IP Fundamentals); RFC 793 (TCP).

DDoS (Distributed Denial of Service) attacks aim to overwhelm a target’s resources with excessive traffic, disrupting availability, whereas other attack types target different goals.

Why D is correct:Brute force attacks focus on guessing credentials (e.g., passwords) to gain unauthorized access, not on denying service. CNSP classifies it as an authentication attack, not a DDoS method.

Why other options are incorrect:

A:SYN Flood exhausts TCP connection resources, a classic DDoS attack.

B:NTP Amplification leverages amplified responses to flood targets, a DDoS technique.

C:UDP Flood overwhelms a system with UDP packets, another DDoS method.

References:CNSP "DDoS Attack Types" (Section on Attack Classification) excludes brute force from DDoS categories, listing SYN, NTP, and UDP floods as examples.

The Active Directory (AD) database on Windows domain controllers contains critical directory information, stored in a specific file format.

Why D is correct:The NTDS.DIT file (NT Directory Services Directory Information Tree) is the Active Directory database file, located in C:\Windows\NTDS\ on domain controllers. It stores all AD objects (users, groups, computers) and schema data in a hierarchical structure. CNSP identifies NTDS.DIT as the key file for AD data extraction in securityaudits.

Why other options are incorrect:

A. NTDS.DAT:Not a valid AD database file; may be a confusion with other system files.

B. NTDS.MDB:Refers to an older Microsoft Access database format, not used for AD.

C. MSAD.MDB:Not a recognized file for AD; likely a misnomer.

References:CNSP "Windows Active Directory Security" (Section on Database Files) confirms NTDS.DIT as the Active Directory database file.

The prefix $2a$ identifies thebcrypthashing algorithm, which is based on the Blowfish symmetric encryption cipher (developed by Bruce Schneier). Bcrypt is purpose-built for password hashing, incorporating:

Salt:A random string (e.g., 22 Base64 characters) to thwart rainbow table attacks.

Work Factor:A cost parameter (e.g., $2a$10$ means 2^10 iterations), making it computationally expensive to brute-force.

Format:$2a$[cost]$[salt][hash]

Example: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

$2a$: Bcrypt variant (original is $2$; $2a$ fixes a minor bug).

$10$: 1024 iterations.

Next 22 characters: Salt.

Remaining: Hashed password.

Used in /etc/shadow on Linux, bcrypt’s adaptive nature ensures it remains secure as hardware improves. CNSP likely includes it in cryptography modules for its strength over older algorithms like MD5.

Why other options are incorrect:

B. SHA256:Part of the SHA-2 family, outputs a 64-character hexadecimal string (e.g., e3b0c442...), no $ prefix. It’s faster, less suited for passwords.

C. MD5:Produces a 32-character hex string (e.g., d41d8cd9...), no prefix. It’s cryptographically broken (collisions found).

D. SHA512:SHA-2 variant, 128-character hex (e.g., cf83e135...), no $ prefix, not salted by default.

Real-World Context:Bcrypt protects SSH keys and web app passwords (e.g., in PHP’s password_hash()).References:CNSP Official Documentation (Cryptography); Bcrypt Specification, RFC 1321 (MD5).

Protocols are defined by their transport layer usage (TCP or UDP), impacting their security and performance characteristics.

Why D is correct:SSH (Secure Shell) uses TCP (port 22) for reliable, connection-oriented communication, unlike the UDP-based options. CNSP contrasts TCP and UDP protocol security.

Why other options are incorrect:

A:SNMP uses UDP (ports 161, 162) for lightweight network management.

B:NTP uses UDP (port 123) for time synchronization.

C:IKE (IPsec key exchange) uses UDP (ports 500, 4500).

References:CNSP "Network Protocols" (Section on Transport Layer) identifies SSH as TCP-based, others as UDP.

The EICAR test file is a standardized tool in security testing, designed for a specific purpose.

Why A is correct:The EICAR file (a 68-byte string) triggers antivirus detection without harm, testing response capabilities. CNSP recommends it for AV validation.

Why B is incorrect:It has no role in testing encryption; it’s solely for AV functionality.

References:CNSP "Antivirus Testing" (Section on EICAR) describes its use for AV response verification.

Online attacks require real-time interaction with a target system (e.g., a login interface), whereas offline attacks occur without direct system interaction, typically after obtaining data like password hashes. A rainbow table attack is an offline method that uses precomputed tables of hash values to reverse-engineer passwords from stolen hash databases, distinguishing it from the other options, which are online.

Why B is correct:Rainbow table attacks are performed offline after an attacker has already acquired a hash (e.g., from a compromised database). The attacker matches the hash against precomputed tables to find the plaintext password, requiring no interaction with the target system during the attack. CNSP classifies this as an offline password recovery technique.

Why other options are incorrect:

A:Brute force attacks involve repeatedly submitting password guesses to a live system (e.g., via SSH or a web login), making it an online attack.

C:Password spraying attacks test a few common passwords across many accounts on a live system, also an online attack aimed at avoiding lockouts.

D:Phishing attacks trick users into submitting credentials through fake interfaces (e.g., emails or websites), requiring real-time interaction and thus classified as online.

References:CNSP "Password Attack Methodologies" (Section on Online vs. Offline Attacks) defines rainbow table attacks as offline and contrasts them with online methods like brute force and phishing.

An IPv6 address, defined in RFC 4291, is a 128-bit address designed to replace IPv4’s 32-bit scheme, vastly expanding address space (2^128 vs. 2^32). Anoctetis 8 bits (1 byte). To calculate octets in IPv6:

128 bits ÷ 8 bits/octet =16 octets.

Representation:

IPv6 is written as eight 16-bit hexadecimal blocks (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334), separated by colons.

Each block is 16 bits (2 bytes), so 8 blocks = 16 octets.

Contrast with IPv4 (e.g., 192.168.0.1), which has 4 octets (32 bits).

Technical Note:Your original input flagged this question’s phrasing as potentially misleading, suggesting "octets" is an IPv4 term, while IPv6 uses "16-bit groups" or "hextets." While technically accurate (RFC 4291 uses "16-bit blocks"), "octets" remains a common, if informal, term in security contexts for byte-wise analysis (e.g., packet crafting). CNSP might use "octets" to test byte-level understanding, though "groups" is more precise for IPv6. Here, 16 octets (128 bits) is correct either way.

Security Implications:IPv6’s larger address space complicates scanning (e.g., Nmap struggles with 2^128 possibilities) but introduces risks like misconfigured Neighbor Discovery Protocol (NDP). Understanding its structure aids in firewall rules and IDS signatures.

Why other options are incorrect:

B. 32:Implies 256 bits (32 × 8), far exceeding IPv6’s 128-bit design.

C. 64:Suggests 512 bits (64 × 8), unrelated to IPv6 or any IP standard.

D. 128:Misinterprets octets as bits; 128 bits = 16 octets, not 128 octets.

Real-World Context:IPv6 packet analysis (e.g., Wireshark) breaks addresses into 16 octets for raw data inspection.References:CNSP Official Documentation (IPv6 Networking); RFC 4291 (IP Version 6 Addressing Architecture).

The Windows Registry is a hierarchical database storing system and application settings, organized into predefined root keys (hives). Only specific names are valid as top-level keys.

Why A is correct:HKEY_LOCAL_MACHINE (HKLM) is a standard root key containing hardware and system-wide configuration data. CNSP references it for security settings analysis (e.g., auditing policies).

Why other options are incorrect:

B:HKEY_INTERNAL_CONFIG is not a valid key; no such hive exists.

C:HKEY_ROOT_CLASSES is a misspelling; the correct key is HKEY_CLASSES_ROOT (HKCR).

D:HKEY_LOCAL_USER is incorrect; the valid key is HKEY_CURRENT_USER (HKCU).

References:CNSP "Windows Registry Security" (Section on Registry Structure) lists HKEY_LOCAL_MACHINE as a valid hive, detailing its role in system configuration.

In Unix-based systems, memory is divided into two primary regions: kernel space and user space, each serving distinct purposes for process execution and system stability.

Why B is correct:Daemon processes are background services (e.g., sshd, cron) that run with elevated privileges but operate in user space. User space is the memory area allocated for user applications and processes, isolated from kernel space to prevent direct hardware access or system crashes. CNSP highlights that daemons run in user space to maintain system integrity, interacting with the kernel via system calls.

Why other option is incorrect:

A. Kernel space:Kernel space is reserved for the operating system kernel and device drivers, which have unrestricted access to hardware. Running daemons in kernel space would pose significant security and stability risks, and it is not the standard practice in Unix systems.

References:CNSP "Unix Process Management" (Section on Memory Spaces) explains the separation of kernel and user space, noting that daemons execute in user space for security reasons.

Kerberos is the default authentication protocol in Windows Active Directory environments, andtickets are used to prove identity. Verifying ticket validity involves checking their status, expiration, and attributes, which requires a built-in tool available in modern Windows systems.

Why A is correct:Klist is a command-line utility included in Windows (since Vista/2008) that lists cached Kerberos tickets and their details, such as validity period and renewal status. CNSP recognizes it as the standard tool for Kerberos ticket management in security audits.

Why other options are incorrect:

B:Kerbtray is a graphical tool from the Windows Resource Kit, not a built-in utility, and is outdated.

C:Netsh manages network configurations, not Kerberos tickets.

D:"Kerberos Manager" is not a recognized built-in Windows utility; it’s a fictitious name.

References:CNSP "Authentication Protocols" (Section on Kerberos) identifies Klist as the built-in tool for ticket verification, contrasting it with deprecated or external tools.

ASilver Ticketis a forged KerberosService Ticket (TGS - Ticket Granting Service)in ActiveDirectory, granting access to a specific service (e.g., MSSQL, CIFS) without KDC interaction. Unlike a Golden Ticket (TGT forgery), it requires:

Service Account’s NTLM Hash:The target service’s account (e.g., MSSQLSvc) hash, not a ticket.

Forgery: Tools like Mimikatz craft the TGS (e.g., kerberos::golden /service: /user: /ntlm:).

Kerberos Flow (RFC 4120):

TGT (Ticket-Granting Ticket): Obtained via AS (Authentication Service) with user creds.

TGS: Requested from TGS (Ticket Granting Service) using TGT for service access.

Silver Ticket Process:

No TGT needed; the attacker mimics the TGS step using the service account’s stolen hash (e.g., from a compromised host).

C. Service Account Ticket:Misnomer—it’s the hash of the service account (e.g., MSSQLSvc) that enables forgery, not a pre-existing ticket. CNSP’s phrasing likely tests this nuance.

Security Implications:Silver Tickets are stealthier than Golden Tickets (service-specific, shorter-lived). CNSP likely stresses hash protection (e.g., LAPS) and Kerberos monitoring.

Why other options are incorrect:

A. Session Ticket:Not a Kerberos term; confuses session keys.

B. TGT:Used for Golden Tickets, not Silver.

D:Incorrect; the service account’s hash (implied by “ticket”) is essential.

Real-World Context:Silver Tickets exploited in APT29 attacks (2020 SolarWinds) for lateral movement.References:CNSP Official Documentation (Kerberos Attacks); RFC 4120 (Kerberos).

SNMP (Simple Network Management Protocol) uses community strings as a basic form of authentication. The default read-only community string "public" is widely known, and if leftunchanged, it exposes devices to unauthorized access. The primary risk with "public" is information disclosure, as it typically grants read-only access, allowing attackers to gather sensitive data (e.g., device configurations, network topology) without altering settings.

Why A is correct:With the "public" string, an attacker can use tools like snmpwalk to enumerate device details (e.g., system uptime, interfaces, or software versions) via SNMP queries. This aligns with CNSP’s focus on reconnaissance risks during security audits, emphasizing the danger of default credentials enabling passive data collection.

Why other options are incorrect:

B:While modifying settings is a risk with SNMP, the default "public" string is typically read-only. Changing configurations requires a read-write community string (e.g., "private"), which isn’t implied here. Thus, snmpset would not work with "public" alone.

C:Since B is incorrect in this context, C (both A and B) cannot be the answer.

D:The risk in A is valid, so "none of the above" is incorrect.

References:CNSP "Network Device Security" (Section on SNMP Security) highlights the reconnaissance risk of default "public" strings and tools like snmpwalk for exploitation, distinguishing read-only from read-write access.

Microsoft SQL Server (MSSQL) relies on specific ports for its core services, as defined by Microsoft and registered with IANA:

1433/TCP:The default port for the SQL Server Database Engine. Clients connect here for querying databases (e.g., via ODBC or JDBC). It’s a well-known port, making it a frequent target for attacks if exposed.

1434/UDP:Used by theSQL Server Browser Service, which listens for incoming requests and redirects clients to the correct port/instance (especially for named instances). It’s critical for discovering dynamic ports when 1433 isn’t used.

1434/TCP:Less commonly highlighted but used in some configurations, such as dedicated admin connections (DAC) or when the Browser Service responds over TCP for specific instances. While 1433/TCP is the primary engine port, 1434/TCP can be involved in multi-instance setups.

Technical Details:

Ports can be customized (e.g., via SQL Server Configuration Manager), but these are defaults.

Named instances often use dynamic ports (allocated from the ephemeral range), with the Browser Service (1434/UDP) guiding clients to them.

Firewalls must allow these ports for MSSQL to function externally, posing risks if not secured (e.g., brute-force attacks on 1433/TCP).

Security Implications:CNSP likely covers MSSQL port security, as vulnerabilities like SQL Slammer (2003) exploited 1434/UDP misconfigurations. Hardening includes restricting access, changing defaults, and monitoring traffic.

Why other options are incorrect:

A. 1433/TCP, 2433/UDP, 3433/TCP:2433/UDP and 3433/TCP are not MSSQL standards; they’re likely typos or unrelated ports.

C. 1433/TCP, 2433/UDP, 1434/TCP:2433/UDP is incorrect; 1434/UDP is the Browser Service port.

D. 1533/TCP, 1434/UDP, 2434/TCP:1533/TCP and 2434/TCP aren’t associated with MSSQL; they deviate from documented defaults.

Real-World Context:Tools like netstat -an | find "1433" on Windows confirm MSSQL’s port usage during audits.References:CNSP Official Documentation (Database Security and Ports); Microsoft SQL Server Documentation, IANA Port Registry.