Free The SecOps Group CNSP Practice Exam with Questions & Answers

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) port numbers are defined by a 16-bit field in their packet headers, as specified in RFC 793 (TCP) and RFC 768 (UDP). A 16-bit integer ranges from 0 to 65,535, yielding a total of 65,536 possible ports (2^16). However,port 0is universally reserved across both protocols and is not considered "usable" for standard network communication. According to the Internet Assigned Numbers Authority (IANA), port 0 is designated for special purposes, such as indicating an invalid or dynamic port assignment in some systems (e.g., when a client requests an ephemeral port). In practice, operating systems and applications avoid binding to port 0 for listening services, and it’s often used in error conditions or as a placeholder in protocol implementations (e.g., socket programming).

Thus, theusable port rangespans from 1 to 65,535, totaling 65,535 ports. These ports are categorized by IANA into:

Well-Known Ports (0–1023):Reserved for system services (e.g., HTTP on 80/TCP). Note that 0 is still reserved within this range.

Registered Ports (1024–49151):Assigned to user applications.

Dynamic/Ephemeral Ports (49152–65535):Used temporarily by clients.

From a security perspective, understanding the usable port count is critical for firewall configuration, port scanning (e.g., with Nmap), and detecting anomalies (e.g., services binding to unexpected ports). Misconfiguring a system to use port 0 could lead to protocol errors or expose vulnerabilities, though it’s rare. The CNSP curriculum likely emphasizes this distinction to ensure practitioners can accurately scope network security assessments.

Why other options are incorrect:

A. 65536:This reflects the total number of possible ports (0–65535), but it includes the reserved port 0, which isn’t usable for typical TCP/UDP communication. In security contexts, including port 0 in a count could lead to misconfigured rules or scanning errors.

C. 63535:This is an arbitrary number with no basis in the 16-bit port structure. It might stem from a typo or misunderstanding (e.g., subtracting 2000 from 65535 incorrectly), but it’s invalid.

D. 65335:Similarly, this lacks grounding in protocol standards. It could be a miscalculation (e.g., subtracting 200 from 65535), but it doesn’t align with TCP/UDP specifications.

Real-World Context:In penetration testing, tools like Nmap scan ports 1–65535 by default, excluding 0 unless explicitly specified (e.g., -p0-65535), reinforcing that 65,535 is the practical usable count.References:CNSP Official Study Guide (Network Protocols and Ports); RFC 793 (TCP), RFC 768 (UDP), IANA Service Name and Transport Protocol Port Number Registry.

Network segmentation isolates network zones for security, but certain techniques can circumvent these controls, a focus of CNSP penetration testing.

Why D is correct:

A:DNS tunneling encodes data in DNS queries, bypassing segmentation via legitimate DNS traffic.

B:VLAN hopping exploits switch misconfigurations (e.g., double tagging) to access other VLANs.

C:Covert channels use hidden communication paths (e.g., timing channels) to evade segmentation.All are valid techniques per CNSP for testing segmentation controls.

Why other options are incomplete:A, B, or C alone exclude other viable methods, making D the comprehensive answer.

References:CNSP "Penetration Testing Techniques" (Section on Network Segmentation Bypass) lists DNS tunneling, VLAN hopping, and covert channels as effective methods.

Windows stores password hashes in the SAM (Security Account Manager) file, with a consistent location across 32-bit and 64-bit systems.

Why B is correct:The SAM file resides at C:\Windows\System32\config\SAM, locked during system operation for security. CNSP notes this for credential extraction risks.

Why other options are incorrect:

A:System64 does not exist; System32 is used even on 64-bit systems.

C:C:\System64 is invalid; the path starts with Windows.

D:config\System32 reverses the correct directory structure.

References:CNSP "Windows Credential Storage" (Section on SAM) specifies C:\Windows\System32\config\SAM.

SSL/TLS protocols secure network communication, but older versions have vulnerabilities:

SSLv2 (1995):Weak ciphers, no handshake integrity (e.g., MITM via DROWN attack, CVE-2016-0800). Deprecated by RFC 6176 (2011).

SSLv3 (1996):Vulnerable to POODLE (CVE-2014-3566), weak block ciphers (e.g., RC4). Deprecated by RFC 7568 (2015).

TLSv1.0 (1999, RFC 2246):Inherits SSLv3 flaws (e.g., BEAST, CVE-2011-3389), weak CBC ciphers. Deprecated by PCI DSS (2018) and RFC 8996 (2021).

TLSv1.1 (2006, RFC 4346):Improved over 1.0 but lacks modern cipher suites (e.g., AEAD). Deprecated with 1.0 by RFC 8996.

TLSv1.2 (2008, RFC 5246):Secure with strong ciphers (e.g., AES-GCM), widely used today.

TLSv1.3 (2018, RFC 8446):Latest, removes legacy weaknesses, mandatory forward secrecy.

Answer:C (A and B)—SSLv2, SSLv3, TLSv1.0, and TLSv1.1 are unsafe due to exploitable flaws. TLSv1.2 and 1.3 remain secure. CNSP likely aligns with IETF/PCI standards, mandating modern versions.

Why other options are incorrect:

A:Correct but incomplete without B.

B:Correct but incomplete without A.

D:Incorrectly includes TLSv1.2 and 1.3, which are secure and recommended.

Real-World Context:POODLE forced mass SSLv3 disablement in 2014; TLS 1.0/1.1 deprecation hit legacy systems in 2021.References:CNSP Official Documentation (Cryptographic Protocols); RFC 8996 (TLS Deprecation).

TCP (Transmission Control Protocol) ensures reliable, ordered data delivery via a connection-oriented handshake, contrasting with UDP’s lightweight, connectionless approach. Analyzing each service:

C. HTTP (Hypertext Transfer Protocol):Uses TCP (port 80) for web traffic. TCP’s reliability ensures HTML, images, etc., arrive intact. HTTPS (TCP 443) extends this with TLS. RFC 2616 mandates TCP.

A. SNMP (Simple Network Management Protocol):Defaults to UDP (port 161) for monitoring devices. UDP’s speed suits its lightweight queries, though TCP variants exist (rarely used).

B. NTP (Network Time Protocol):Uses UDP (port 123) per RFC 5905. UDP minimizes latency for time sync, tolerating occasional packet loss.

D. IKE (Internet Key Exchange):Part of IPsec, uses UDP (port 500) per RFC 7296. UDP suits its negotiation phase; TCP isn’t standard.

Security Implications:TCP services like HTTP are more prone to state-based attacks (e.g., SYN floods) than UDP counterparts. CNSP likely contrasts TCP vs. UDP in protocol analysis.

Why other options are incorrect:

A, B, D:All default to UDP for efficiency, not TCP’s reliability.

Real-World Context:Firewalls prioritize TCP 80/443 rules for HTTP/HTTPS, while UDP 123 is opened for NTP servers.References:CNSP Official Study Guide (Network Protocols); RFC 2616 (HTTP), RFC 1155 (SNMP).

The net command in Windows is a legacy tool for managing users, groups, and network resources. The subcommand net localgroup displays information about a specified local group on the machine where it’s run. Specifically:

net localgroup administrators lists all members (users and groups) of the local Administrators group on the current computer.

The local Administrators group grants elevated privileges (e.g., installing software, modifying system files) on that machine only, not domain-wide.

Output Example:

Alias name administrators

Comment Administrators have complete and unrestricted access to the computer

Members

-------------------------------------------------------------------------------

Administrator

Domain Admins

The command completed successfully.

Technical Details:

Local groups are stored in the Security Accounts Manager (SAM) database (e.g., C:\Windows\System32\config\SAM).

This differs from domain groups (e.g., Domain Admins), managed via Active Directory.

Security Implications:Enumerating local admins is a reconnaissance step in penetration testing (e.g., to escalate privileges). CNSP likely covers this command for auditing and securing Windows systems.

Why other options are incorrect:

A. List domain admin users for the current domain:This requires net group "Domain Admins" /domain, which queries the domain controller, not the local SAM. net localgroup is strictly local.

Real-World Context:Attackers use this command post-compromise (e.g., via PsExec) to identify privilege escalation targets.References:CNSP Official Documentation (Windows Security Commands); Microsoft Windows Command-Line Reference.

The LinuxFilesystem Hierarchy Standard (FHS), per FHS 3.0, defines directory purposes:

/mnt:Designated fortemporarily mounted filesystems, typically by system administrators.

Use: Mount points for removable media (e.g., USB drives: mount /dev/sdb1 /mnt/usb) or network shares (e.g., NFS).

Nature: Transient, user-managed, not persistent across reboots (unlike /etc/fstab mounts).

Contrast:

/media:Auto-mounts removable devices (e.g., by desktop environments like GNOME).

/mnt vs. /media:/mnt is manual, /media is system-driven.

Technical Details:

Empty by default; subdirectories (e.g., /mnt/usb) are created as needed.

Permissions: Typically root-owned (0755), requiring sudo for mounts.

Security Implications:Misconfigured /mnt mounts (e.g., world-writable) risk unauthorized access. CNSP likely covers mount security (e.g., nosuid option).

Why other options are incorrect:

B. System config/init scripts:Found in /etc (e.g., /etc/passwd, /etc/init.d).

C. Driver modules:Located in /lib/modules/.

D. Kernel state:Resides in /proc (e.g., /proc/cpuinfo).

Real-World Context:Admins mount ISOs at /mnt during server provisioning (e.g., mount -o loop image.iso /mnt).References:CNSP Official Study Guide (Linux Filesystems); FHS 3.0 Documentation.

The Windows Registry is a hierarchical database storing system and application settings, organized into predefined root keys (hives). Only specific names are valid as top-level keys.

Why A is correct:HKEY_LOCAL_MACHINE (HKLM) is a standard root key containing hardware and system-wide configuration data. CNSP references it for security settings analysis (e.g., auditing policies).

Why other options are incorrect:

B:HKEY_INTERNAL_CONFIG is not a valid key; no such hive exists.

C:HKEY_ROOT_CLASSES is a misspelling; the correct key is HKEY_CLASSES_ROOT (HKCR).

D:HKEY_LOCAL_USER is incorrect; the valid key is HKEY_CURRENT_USER (HKCU).

References:CNSP "Windows Registry Security" (Section on Registry Structure) lists HKEY_LOCAL_MACHINE as a valid hive, detailing its role in system configuration.

SSH (Secure Shell), per RFC 4251, uses asymmetric cryptography (e.g., RSA, ECDSA) for secure authentication:

Key Pair:

Public Key:Freely shareable, used to encrypt or verify.

Private Key:Secret, used to decrypt or sign.

Process:

User generates a key pair (e.g., ssh-keygen -t rsa -b 4096).

Public Keyis uploaded to the server, appended to ~/.ssh/authorized_keys (e.g., via ssh-copy-id).

Private Key(e.g., ~/.ssh/id_rsa) stays on the user’s machine.

Authentication: Client signs a challenge with the private key; server verifies it with the public key.

Technical Details:

Protocol: SSH-2 (RFC 4253) uses a Diffie-Hellman key exchange, then public-key auth.

Files: authorized_keys (server, 0644 perms), private key (client, 0600 perms).

Security: Private key exposure compromises all systems trusting the public key.

Security Implications:CNSP likely stresses key management (e.g., passphrases, rotation) and server-side authorized_keys hardening (e.g., PermitRootLogin no).

Why other options are incorrect:

B:Uploading the private key reverses the model, breaking security—anyone with the server’s copy could authenticate as the user. Asymmetric crypto relies on the private key remaining secret.

Real-World Context:GitHub uses SSH public keys for repository access, with private keys on user devices.References:CNSP Official Documentation (SSH Security); RFC 4253 (SSH Authentication Protocol).

ICMP (Internet Control Message Protocol), per RFC 792, handles diagnostics (e.g., ping) and errors in IP networks. It’s exploitable in:

A. Ping of Death:

Method: Sends oversized ICMP Echo Request packets (>65,535 bytes) via fragmentation. Reassembly overflows buffers, crashing older systems (e.g., Windows 95).

Fix: Modern OSes cap packet size (e.g., ping -s 65500).

B. Smurf Attack:

Method: Spoofs ICMP Echo Requests to a network’s broadcast address (e.g., 192.168.255.255). All hosts reply, flooding the victim.

Amplification: 100 hosts = 100x traffic.

C. ICMP Flooding:

Method: Overwhelms a target with ICMP Echo Requests (e.g., ping -f), consuming bandwidth/CPU.

Variant: BlackNurse attack targets firewalls.

Technical Details:

ICMP Type 8 (Echo Request), Type 0 (Echo Reply) are key.

Mitigation: Rate-limit ICMP, disable broadcasts (e.g., no ip directed-broadcast).

Security Implications:ICMP attacks are DoS vectors. CNSP likely teaches filtering (e.g., iptables -p icmp -j DROP) balanced with diagnostics need.

Why other options are incorrect:

A, B, C individually:All are ICMP-based; D is comprehensive.

Real-World Context:Smurf attacks peaked in the 1990s; modern routers block them by default.References:CNSP Official Study Guide (Network Attacks); RFC 792 (ICMP).