CNSP Certified Network Security Practitioner (CNSP) Questions and Answers

In Linux/Unix, theSUID (Set User ID)bit allows a program to execute with the owner’s permissions, typically root, rather than the caller’s. It’s denoted by an s in the user execute field (e.g., -rwsr-xr-x). Common SUID programs perform privileged tasks requiring temporary elevation.

Analysis:

C. /usr/bin/passwd:

Purpose: Updates user passwords in /etc/shadow (root-owned, 0600 perms).

Permissions: Typically -rwsr-xr-x, owned by root. The SUID bit lets non-root users modify shadow securely.

Command: ls -l /usr/bin/passwd confirms SUID (s in user execute).

A. /bin/ls:

Purpose: Lists directory contents, no privileged access needed.

Permissions: -rwxr-xr-x (no SUID).Runs as the calling user.

B. /usr/bin/curl:

Purpose: Transfers data over HTTP/FTP, no root privileges required by default.

Permissions: -rwxr-xr-x (no SUID).

Technical Details:

SUID Bit: Set via chmod u+s or chmod 4755.

Security: SUID binaries are audited (e.g., find / -perm -u=s) due to escalation risks if writable or poorly coded (e.g., buffer overflows).

Security Implications:CNSP likely highlights SUID as an attack vector (e.g., CVE-1996-0095 exploited passwd flaws). Hardening removes unnecessary SUID bits.

Why other options are incorrect:

A, B:Lack SUID; no privileged operations.

D:Incorrect, as /usr/bin/passwd is a SUID example.

Real-World Context:SUID on /bin/su or /usr/bin/sudo similarly enables privilege escalation, often targeted in exploits.References:CNSP Official Documentation (Linux Security); Linux File Permissions Guide.

Port 111/TCP is the default port for the RPC (Remote Procedure Call) portmapper service on Unix systems, which registers and manages RPC services.

Why A is correct:Running rpcinfo -p queries the portmapper to list all registered RPC services, their programs, versions, and associated ports. This is a logical next step during a security audit or penetration test to identify potential vulnerabilities (e.g., NFS or NIS services). CNSP recommends this command for RPC enumeration.

Why other options are incorrect:

B. Telnet to the port to look for a banner:Telnet might connect, but RPC services don’t typically provide a human-readable banner, making this less effective than rpcinfo.

C. Telnet to the port, send "GET / HTTP/1.0" and gather information from the response:Port 111 is not an HTTP service, so an HTTP request is irrelevant and will likely fail.

D. None of the above:Incorrect, as A is a valid and recommended step.

References:CNSP "Unix Service Enumeration" (Section on RPC Services) highlights rpcinfo -p as the standard tool for probing port 111/TCP.

TCP’sthree-way handshake, per RFC 793, establishes a connection:

Client → Server:SYN (Synchronize) packet (e.g., port 80).

Server → Client:SYN-ACK (Synchronize-Acknowledge) packet if the port is open and listening.

Client → Server:ACK (Acknowledge) completes the connection.

Scenario:Anopen TCP port(e.g., 80 for HTTP) with no firewall. When a client sends a SYN to an open port (e.g., via telnet 192.168.1.1 80), the server responds with aSYN-ACKpacket, indicating willingness to connect. No firewall means no filtering alters this standard response.

Packet Details:

SYN-ACK: Sets SYN and ACK flags in the TCP header, with a sequence number and acknowledgment number.

Example: Client SYN (Seq=100), Server SYN-ACK (Seq=200, Ack=101).

Security Implications:Open ports responding with SYN-ACK are easily detected (e.g., Nmap “open” state), inviting exploits if unneeded (e.g., Telnet on 23). CNSP likely stresses port minimization and monitoring.

Why other options are incorrect:

A. A FIN and an ACK packet:FIN-ACK closes an established connection, not a response to a new SYN.

B. A SYN packet:SYN initiates a connection from the client, not a server response.

D. A RST and an ACK packet:RST-ACK rejects a connection (e.g., closed port), not an open one.

Real-World Context:SYN-ACK from SSH (22/TCP) confirms a server’s presence during reconnaissance.References:CNSP Official Documentation (TCP/IP Fundamentals); RFC 793 (TCP).

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) port numbers are defined by a 16-bit field in their packet headers, as specified in RFC 793 (TCP) and RFC 768 (UDP). A 16-bit integer ranges from 0 to 65,535, yielding a total of 65,536 possible ports (2^16). However,port 0is universally reserved across both protocols and is not considered "usable" for standard network communication. According to the Internet Assigned Numbers Authority (IANA), port 0 is designated for special purposes, such as indicating an invalid or dynamic port assignment in some systems (e.g., when a client requests an ephemeral port). In practice, operating systems and applications avoid binding to port 0 for listening services, and it’s often used in error conditions or as a placeholder in protocol implementations (e.g., socket programming).

Thus, theusable port rangespans from 1 to 65,535, totaling 65,535 ports. These ports are categorized by IANA into:

Well-Known Ports (0–1023):Reserved for system services (e.g., HTTP on 80/TCP). Note that 0 is still reserved within this range.

Registered Ports (1024–49151):Assigned to user applications.

Dynamic/Ephemeral Ports (49152–65535):Used temporarily by clients.

From a security perspective, understanding the usable port count is critical for firewall configuration, port scanning (e.g., with Nmap), and detecting anomalies (e.g., services binding to unexpected ports). Misconfiguring a system to use port 0 could lead to protocol errors or expose vulnerabilities, though it’s rare. The CNSP curriculum likely emphasizes this distinction to ensure practitioners can accurately scope network security assessments.

Why other options are incorrect:

A. 65536:This reflects the total number of possible ports (0–65535), but it includes the reserved port 0, which isn’t usable for typical TCP/UDP communication. In security contexts, including port 0 in a count could lead to misconfigured rules or scanning errors.

C. 63535:This is an arbitrary number with no basis in the 16-bit port structure. It might stem from a typo or misunderstanding (e.g., subtracting 2000 from 65535 incorrectly), but it’s invalid.

D. 65335:Similarly, this lacks grounding in protocol standards. It could be a miscalculation (e.g., subtracting 200 from 65535), but it doesn’t align with TCP/UDP specifications.

Real-World Context:In penetration testing, tools like Nmap scan ports 1–65535 by default, excluding 0 unless explicitly specified (e.g., -p0-65535), reinforcing that 65,535 is the practical usable count.References:CNSP Official Study Guide (Network Protocols and Ports); RFC 793 (TCP), RFC 768 (UDP), IANA Service Name and Transport Protocol Port Number Registry.

In Unix-based systems (e.g., Linux), the ifconfig command is historically used to configure network interfaces, including changing the Media Access Control (MAC) address of an Ethernet adapter. The correct syntax to set a new MAC address for an interface like eth0 is ifconfig eth0 hw ether AA:BB:CC:DD:EE:FF, where hw specifies the hardware address type (ether for Ethernet), followed by the new MAC address in colon-separated hexadecimal format.

Why A is correct:The hw ether argument is the standard and correct syntax recognized by ifconfig to modify the MAC address. This command temporarily changes the MAC address until the system reboots or the interface is reset, assuming the user has sufficient privileges (e.g., root). CNSP documentation on network configuration and spoofing techniques validates this syntax for testing network security controls.

Why other options are incorrect:

B:hdw is not a valid argument; it’s a typographical error and unrecognized by ifconfig.

C:hdwr is similarly invalid; no such shorthand exists in the command structure.

D:hwr is incorrect; the full keyword hw followed by ether is required for proper parsing.

References:CNSP "Network Interface Configuration" (Section on MAC Address Manipulation) confirms ifconfig eth0 hw ether as the standard command, noting its use in penetration testing for spoofing scenarios.

The SMB protocol, used for file and printer sharing, has evolved across versions, with significant security enhancements in later iterations.

Why C is correct:SMBv3, introduced with Windows 8 and Server 2012, added native support for encrypting SMB traffic. This feature uses AES-CCM encryption to protect data in transit, addressing vulnerabilities in earlier versions. CNSP notes SMBv3’s encryption as a critical security improvement.

Why other options are incorrect:

A. SMBv1:Lacks encryption support and is considered insecure, often disabled due to vulnerabilities like WannaCry exploitation.

B. SMBv2:Introduces performance improvements but does not support encryption natively.

D. None of the above:Incorrect, as SMBv3 is the version that introduced encryption.

References:CNSP "File Sharing Protocols" (Section on SMB Versions) details SMBv3’s encryption feature, contrasting it with the limitations of SMBv1 and SMBv2.

A DNS zone transfer replicates an entire DNS zone (a collection of DNS records for a domain) from a primary nameserver to a secondary one, typically for redundancy or load balancing. TheAXFR(Authoritative Full Zone Transfer) query type, defined in RFC 1035, facilitates this process. The dig (Domain Information Groper) tool, a staple in Linux/Unix environments, is used to query DNS servers. The correct syntax is:

dig @ axfrHere, dig @10.0.0.1 victim.com axfr instructs dig to request a zone transfer for "victim.com" from the nameserver at 10.0.0.1. The @ symbol specifies the target server, overriding the system’s default resolver.

Technical Details:

The AXFR query is sent over TCP (port 53), not UDP, due to the potentially large size of zone data, which exceeds UDP’s typical 512-byte limit (pre-EDNS0).

Successful execution requires the nameserver to permit zone transfers from the querying IP, often restricted to trusted secondaries via Access Control Lists (ACLs) for security. If restricted, the server responds with a "REFUSED" error.

Security Implications:Zone transfers expose all DNS records (e.g., A, MX, NS), making them a reconnaissance goldmine for attackers if misconfigured. CNSP likely emphasizes securing DNS servers against unauthorized AXFR requests, using tools like dig to test vulnerabilities.

Why other options are incorrect:

A. dig @10.0.0.1 victim.com axrfr:"axrfr" is a typographical error. The correct query type is "axfr." Executing this would result in a syntax error or an unrecognized query type response from dig.

B. dig @10.0.0.1 victim.com afxr:"afxr" is another typo, not a valid DNS query type per RFC 1035. dig would fail to interpret this, likely outputting an error like "unknown query type."

C. dig @10.0.0.1 victim.com arfxr:"arfxr" is also invalid, a jumbled version of "axfr." It holds no meaning in DNS protocol standards and would fail similarly.

Real-World Context:Penetration testers use dig ... axfr to identify misconfigured DNS servers. For example, dig @ns1.example.com example.com axfr might reveal subdomains or internal IPs if not locked down.References:CNSP Official Documentation (DNS Security and Tools); RFC 1035 (Domain Names - Implementation and Specification).

In Windows, security principals (users, groups) are identified by aSecurity Identifier (SID), formatted as S-1-<authority>--. TheRID (Relative Identifier)is the final component, unique within a domain or machine. For local accounts:

RID 500:Assigned to the built-inAdministratoraccount on every Windows machine (e.g., S-1-5-21--500).

Created during OS install, with full system privileges.

Disabled by default in newer Windows versions (e.g., 10/11) unless explicitly enabled.

RID 501:Guest account (e.g., S-1-5-21--501), limited access.

Technical Details:

Stored in SAM (C:\Windows\System32\config\SAM).

Enumeration: Tools like wmic useraccount or net user reveal RIDs.

Domain Context: Domain Admins use RID 512, but the question specifies a local machine.

Security Implications:RID 500 is a prime target for brute-forcing or pass-the-hash attacks (e.g., Mimikatz). CNSP likely advises renaming/disabling it (e.g., via GPO).

Why other options are incorrect:

A. 0:Reserved (e.g., Null SID, S-1-0-0), not a user RID.

C. 501:Guest, not Administrator.

D. 100:Invalid; local user RIDs start at 1000 (e.g., custom accounts).

Real-World Context:Post-compromise, attackers query RID 500 (e.g., net user Administrator) for privilege escalation.References:CNSP Official Study Guide (Windows Security); Microsoft SID Documentation.

The Active Directory (AD) database on Windows domain controllers contains critical directory information, stored in a specific file format.

Why D is correct:The NTDS.DIT file (NT Directory Services Directory Information Tree) is the Active Directory database file, located in C:\Windows\NTDS\ on domain controllers. It stores all AD objects (users, groups, computers) and schema data in a hierarchical structure. CNSP identifies NTDS.DIT as the key file for AD data extraction in securityaudits.

Why other options are incorrect:

A. NTDS.DAT:Not a valid AD database file; may be a confusion with other system files.

B. NTDS.MDB:Refers to an older Microsoft Access database format, not used for AD.

C. MSAD.MDB:Not a recognized file for AD; likely a misnomer.

References:CNSP "Windows Active Directory Security" (Section on Database Files) confirms NTDS.DIT as the Active Directory database file.

Kerberos is the default authentication protocol in Windows Active Directory environments, andtickets are used to prove identity. Verifying ticket validity involves checking their status, expiration, and attributes, which requires a built-in tool available in modern Windows systems.

Why A is correct:Klist is a command-line utility included in Windows (since Vista/2008) that lists cached Kerberos tickets and their details, such as validity period and renewal status. CNSP recognizes it as the standard tool for Kerberos ticket management in security audits.

Why other options are incorrect:

B:Kerbtray is a graphical tool from the Windows Resource Kit, not a built-in utility, and is outdated.

C:Netsh manages network configurations, not Kerberos tickets.

D:"Kerberos Manager" is not a recognized built-in Windows utility; it’s a fictitious name.

References:CNSP "Authentication Protocols" (Section on Kerberos) identifies Klist as the built-in tool for ticket verification, contrasting it with deprecated or external tools.

DNS cache poisoning, also known as DNS spoofing, involves an attacker injecting false DNS records into a resolver’s cache, altering how domain names resolve.

Why A is correct:The primary risk is that an attacker can redirect users to maliciouswebsites (e.g., phishing or malware sites) by poisoning the DNS cache with fake IP addresses. This can lead to credential theft, data exfiltration, or malware distribution. CNSP identifies this as the core threat of DNS cache poisoning, aligning with real-world attack vectors.

Why other option is incorrect:

B. Manipulate the cache of the web server or proxy server:This describes web cache poisoning, a different attack targeting HTTP caches, not DNS servers. DNS cache poisoning affects DNS resolution, not web or proxy server caches directly.

References:CNSP "DNS Security Threats" (Section on Cache Poisoning) defines the primary risk as traffic redirection to malicious sites, distinguishing it from web cache manipulation.

The screenshot shows an email labeled "B" with the subject "Verify your email address" purportedly from Apple. To determine if this is a phishing email, we need to analyze its content and characteristics against common phishing indicators as outlined in CNSP documentation. Since option A is not provided in the screenshot, we will evaluate email B and infer the context for A.

Analysis of Email B:

Sender and Branding:The email claims to be from "Apple Support" and includes an Apple logo, which is a common tactic to establish trust. However, phishing emails often impersonate legitimate brands like Apple to deceive users.

Subject and Content:The subject "Verify your email address" and the body requesting the user to verify their email by clicking a link ("Verify Your Email") are typical of phishing attempts. Legitimate companies like Apple may send verification emails, but the tone and context here raise suspicion.

Link Presence:The email contains a clickable link ("Verify Your Email") that is purportedly for email verification. The screenshot does not show the URL, but phishing emails often include malicious links that lead to fake login pages to steal credentials. CNSP emphasizes that unsolicited requests to click links for verification are a red flag.

Urgency and Vague Instructions:The email includes a statement, "If you did not make this change or believe an unauthorized person has accessed your account, click here to cancel and secure your account." This creates a sense of urgency, a common phishing tactic to prompt immediate action without critical thinking.

Generic Greeting:The email starts with "Dear User," a generic greeting often used in phishing emails. Legitimate companies like Apple typically personalize emails with the user’s name.

Suspicious Elements:The email mentions "your Apple ID (example@icloud.com)," which is a placeholder rather than a specific email address, further indicating a mass phishing campaign rather than a targeted, legitimate communication.

Phishing Indicators (per CNSP):CNSP documentation on phishing identification lists several red flags:

Unsolicited requests for verification or account updates.

Generic greetings (e.g., "Dear User" instead of a personalized name).

Presence of links that may lead to malicious sites (not verifiable in the screenshot but implied).

Urgency or threats (e.g., "click here to cancel and secure your account").

Impersonation of trusted brands (e.g., Apple).Email B exhibits multiple indicators: the generic greeting, unsolicited verification request, urgent call to action, and impersonation of Apple.

Option A Context:Since the screenshot only shows email B, and the correct answer is "Only B," we can infer that email A (not shown) does not exhibit phishing characteristics. For example, A might be a legitimate email from Apple with proper personalization, no suspicious links, or a different context (e.g., a purchase confirmation rather than a verification request).

Evaluation of Options:

1. Only A:Incorrect, as email A is not shown, and the correct answer indicates B asthe phishing email.

2. Only B:Correct. Email B shows clear phishing characteristics, such as impersonation, a generic greeting, an unsolicited verification link, and urgency, aligning with CNSP’s phishing criteria.

3. Both A and B:Incorrect, as A is implied to be non-phishing based on the correct answer.

4. None of the above:Incorrect, as B is a phishing email.

Conclusion:Email B is a phishing email due to its impersonation of Apple, generic greeting, unsolicited verification request with a link, and use of urgency to prompt action. Since A is not shown but implied to be non-phishing, the correct answer is "Only B."

References:CNSP "Social Engineering Attacks" (Section on Phishing Identification) lists key phishing indicators such as impersonation, generic greetings, unsolicited links, and urgency, all of which are present in email B. The section also contrasts phishing emails with legitimate communications, emphasizing personalization and context as differentiators.

Windows stores password hashes in the SAM (Security Account Manager) file, with a consistent location across 32-bit and 64-bit systems.

Why B is correct:The SAM file resides at C:\Windows\System32\config\SAM, locked during system operation for security. CNSP notes this for credential extraction risks.

Why other options are incorrect:

A:System64 does not exist; System32 is used even on 64-bit systems.

C:C:\System64 is invalid; the path starts with Windows.

D:config\System32 reverses the correct directory structure.

References:CNSP "Windows Credential Storage" (Section on SAM) specifies C:\Windows\System32\config\SAM.

The LinuxFilesystem Hierarchy Standard (FHS), per FHS 3.0, defines directory purposes:

/mnt:Designated fortemporarily mounted filesystems, typically by system administrators.

Use: Mount points for removable media (e.g., USB drives: mount /dev/sdb1 /mnt/usb) or network shares (e.g., NFS).

Nature: Transient, user-managed, not persistent across reboots (unlike /etc/fstab mounts).

Contrast:

/media:Auto-mounts removable devices (e.g., by desktop environments like GNOME).

/mnt vs. /media:/mnt is manual, /media is system-driven.

Technical Details:

Empty by default; subdirectories (e.g., /mnt/usb) are created as needed.

Permissions: Typically root-owned (0755), requiring sudo for mounts.

Security Implications:Misconfigured /mnt mounts (e.g., world-writable) risk unauthorized access. CNSP likely covers mount security (e.g., nosuid option).

Why other options are incorrect:

B. System config/init scripts:Found in /etc (e.g., /etc/passwd, /etc/init.d).

C. Driver modules:Located in /lib/modules/.

D. Kernel state:Resides in /proc (e.g., /proc/cpuinfo).

Real-World Context:Admins mount ISOs at /mnt during server provisioning (e.g., mount -o loop image.iso /mnt).References:CNSP Official Study Guide (Linux Filesystems); FHS 3.0 Documentation.

Network segmentation isolates network zones for security, but certain techniques can circumvent these controls, a focus of CNSP penetration testing.

Why D is correct:

A:DNS tunneling encodes data in DNS queries, bypassing segmentation via legitimate DNS traffic.

B:VLAN hopping exploits switch misconfigurations (e.g., double tagging) to access other VLANs.

C:Covert channels use hidden communication paths (e.g., timing channels) to evade segmentation.All are valid techniques per CNSP for testing segmentation controls.

Why other options are incomplete:A, B, or C alone exclude other viable methods, making D the comprehensive answer.

References:CNSP "Penetration Testing Techniques" (Section on Network Segmentation Bypass) lists DNS tunneling, VLAN hopping, and covert channels as effective methods.