CNSP Certified Network Security Practitioner (CNSP) Questions and Answers

The net localgroup command manages local group memberships on Windows systems, with syntax dictating its action.

Why B is correct:net localgroup Sales Sales_domain /add adds the domain group Sales_domain to the local group Sales, granting its members local group privileges. CNSP covers this for privilege escalation testing.

Why other options are incorrect:

A:Displaying users requires net localgroup Sales without /add.

C:Adding a user requires a username, not a group name like Sales_domain.

D:The reverse (local to domain) uses net group, not net localgroup.

References:CNSP "Windows Group Management" (Section on net Commands) explains net localgroup for adding domain groups.

EternalBlue(MS17-010) is an exploit targeting a buffer overflow in Microsoft’s SMB (Server Message Block) implementation, leaked by the Shadow Brokers in 2017. SMB enables file/printer sharing:

SMBv1 (1980s):Legacy, used in Windows NT/XP.

SMBv2 (2006, Vista):Enhanced performance/security.

SMBv3 (2012, Windows 8):Adds encryption, multichannel.

Vulnerability:

EternalBlue exploits a flaw inSMBv1’s SRVNET driver (srv.sys), allowing remote code execution via crafted packets. Microsoft patched it in March 2017 (MS17-010).

Affected OS: Windows XP to Server 2016 (pre-patch), if SMBv1 enabled.

Proof: WannaCry/NotPetya used it, targeting port 445/TCP.

Version Scope:

SMBv1 Only:The bug resides in SMBv1’s packet handling (e.g., TRANS2 requests). SMBv2/v3 rewrote this code, immune to the specific overflow.

Microsoft: Post-patch, SMBv1 is disabled by default (Windows 10 1709+).

Security Implications:CNSP likely stresses disabling SMBv1 (e.g., via Group Policy) and patching, as EternalBlue remains a threat in legacy environments.

Why other options are incorrect:

B, C:SMBv2/v3 aren’t vulnerable; the flaw is SMBv1-specific.

D:SMBv2 isn’t affected, only SMBv1.

Real-World Context:WannaCry’s 2017 rampage hit unpatched SMBv1 systems (e.g., NHS), costing billions.References:CNSP Official Documentation (Windows Exploits); Microsoft MS17-010 Bulletin.

SSH (Secure Shell), per RFC 4251, uses asymmetric cryptography (e.g., RSA, ECDSA) for secure authentication:

Key Pair:

Public Key:Freely shareable, used to encrypt or verify.

Private Key:Secret, used to decrypt or sign.

Process:

User generates a key pair (e.g., ssh-keygen -t rsa -b 4096).

Public Keyis uploaded to the server, appended to ~/.ssh/authorized_keys (e.g., via ssh-copy-id).

Private Key(e.g., ~/.ssh/id_rsa) stays on the user’s machine.

Authentication: Client signs a challenge with the private key; server verifies it with the public key.

Technical Details:

Protocol: SSH-2 (RFC 4253) uses a Diffie-Hellman key exchange, then public-key auth.

Files: authorized_keys (server, 0644 perms), private key (client, 0600 perms).

Security: Private key exposure compromises all systems trusting the public key.

Security Implications:CNSP likely stresses key management (e.g., passphrases, rotation) and server-side authorized_keys hardening (e.g., PermitRootLogin no).

Why other options are incorrect:

B:Uploading the private key reverses the model, breaking security—anyone with the server’s copy could authenticate as the user. Asymmetric crypto relies on the private key remaining secret.

Real-World Context:GitHub uses SSH public keys for repository access, with private keys on user devices.References:CNSP Official Documentation (SSH Security); RFC 4253 (SSH Authentication Protocol).

UDP is a connectionless protocol, and its behavior when a packet reaches a port depends on whether the port is open or closed. Without a firewall altering the response, the standard protocol applies.

Why A is correct:When a UDP packet is sent to a closed port, the host typically responds with an ICMP Type 3 (Destination Unreachable), Code 3 (Port Unreachable) message, indicating no service is listening. CNSP notes this as a key indicator in port scanning.

Why other options are incorrect:

B:RST packets are TCP-specific, not used in UDP.

C:No response occurs for open UDP ports unless an application replies, not closed ports.

D:A is correct, so "none of the above" is invalid.

References:CNSP "Network Scanning Techniques" (Section on UDP Responses) confirms ICMP Port Unreachable as the standard response for closed UDP ports.

The prefix $2a$ identifies thebcrypthashing algorithm, which is based on the Blowfish symmetric encryption cipher (developed by Bruce Schneier). Bcrypt is purpose-built for password hashing, incorporating:

Salt:A random string (e.g., 22 Base64 characters) to thwart rainbow table attacks.

Work Factor:A cost parameter (e.g., $2a$10$ means 2^10 iterations), making it computationally expensive to brute-force.

Format:$2a$[cost]$[salt][hash]

Example: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

$2a$: Bcrypt variant (original is $2$; $2a$ fixes a minor bug).

$10$: 1024 iterations.

Next 22 characters: Salt.

Remaining: Hashed password.

Used in /etc/shadow on Linux, bcrypt’s adaptive nature ensures it remains secure as hardware improves. CNSP likely includes it in cryptography modules for its strength over older algorithms like MD5.

Why other options are incorrect:

B. SHA256:Part of the SHA-2 family, outputs a 64-character hexadecimal string (e.g., e3b0c442...), no $ prefix. It’s faster, less suited for passwords.

C. MD5:Produces a 32-character hex string (e.g., d41d8cd9...), no prefix. It’s cryptographically broken (collisions found).

D. SHA512:SHA-2 variant, 128-character hex (e.g., cf83e135...), no $ prefix, not salted by default.

Real-World Context:Bcrypt protects SSH keys and web app passwords (e.g., in PHP’s password_hash()).References:CNSP Official Documentation (Cryptography); Bcrypt Specification, RFC 1321 (MD5).

Address spoofingfakes a source address (e.g., IP, MAC) to impersonate or amplify attacks. Analyzing protocol resilience:

C. TCP (Transmission Control Protocol):

Mechanism: Three-way handshake (SYN, SYN-ACK, ACK) verifies both endpoints.

Client SYN (Seq=X), Server SYN-ACK (Seq=Y, Ack=X+1), Client ACK (Ack=Y+1).

Spoofing Resistance: Spoofer must predict the server’s sequence number (randomized in modern stacks) and receive SYN-ACK, impractical without session hijacking or MITM.

Correct Implementation: RFC 793-compliant, with anti-spoofing (e.g., Linux tcp_syncookies).

A. UDP:

Connectionless (RFC 768), no handshake. Spoofed packets (e.g., source IP 1.2.3.4) are accepted if port is open, enabling reflection attacks (e.g., DNS amplification).

B. ARP (Address Resolution Protocol):

No authentication (RFC 826). Spoofed ARP replies (e.g., fake MAC for gateway IP) poison caches, enabling MITM (e.g., arpspoof).

D. IP:

No inherent validation at Layer 3 (RFC 791). Spoofed source IPs pass unless filtered (e.g., ingress filtering, RFC 2827).

Security Implications:TCP’s handshake makes spoofing harder, though not impossible (e.g., blind spoofing with sequence prediction, mitigated since BSD 4.4). CNSP likely contrasts this with UDP/IP’s vulnerabilities in DDoS contexts.

Why other options are incorrect:

A, B, D:Lack handshake or authentication, inherently spoofable.

Real-World Context:TCP spoofing was viable pre-1990s (e.g., Mitnick attack); modern randomization thwarts it.References:CNSP Official Documentation (Protocol Security); RFC 793 (TCP), RFC 2827 (BCP 38).

DNS cache poisoning, also known as DNS spoofing, involves an attacker injecting false DNS records into a resolver’s cache, altering how domain names resolve.

Why A is correct:The primary risk is that an attacker can redirect users to maliciouswebsites (e.g., phishing or malware sites) by poisoning the DNS cache with fake IP addresses. This can lead to credential theft, data exfiltration, or malware distribution. CNSP identifies this as the core threat of DNS cache poisoning, aligning with real-world attack vectors.

Why other option is incorrect:

B. Manipulate the cache of the web server or proxy server:This describes web cache poisoning, a different attack targeting HTTP caches, not DNS servers. DNS cache poisoning affects DNS resolution, not web or proxy server caches directly.

References:CNSP "DNS Security Threats" (Section on Cache Poisoning) defines the primary risk as traffic redirection to malicious sites, distinguishing it from web cache manipulation.

Adding a user to a domain group like "Domain Admins" requires the correct command and scope (domain vs. local).

Why A is correct:net group "Domain Admins" John /add /domain adds user John to the domain-level "Domain Admins" group, per CNSP’s domain privilege management.

Why other options are incorrect:

B:net user creates users, not group memberships; syntax is wrong.

C:/admin is invalid; correct group specification is missing.

D:Targets local "Administrator" group, not domain "Domain Admins".

References:CNSP "Domain Administration" (Section on net Commands) validates net group with /domain.

ICMP (Internet Control Message Protocol), per RFC 792, handles diagnostics (e.g., ping) and errors in IP networks. It’s exploitable in:

A. Ping of Death:

Method: Sends oversized ICMP Echo Request packets (>65,535 bytes) via fragmentation. Reassembly overflows buffers, crashing older systems (e.g., Windows 95).

Fix: Modern OSes cap packet size (e.g., ping -s 65500).

B. Smurf Attack:

Method: Spoofs ICMP Echo Requests to a network’s broadcast address (e.g., 192.168.255.255). All hosts reply, flooding the victim.

Amplification: 100 hosts = 100x traffic.

C. ICMP Flooding:

Method: Overwhelms a target with ICMP Echo Requests (e.g., ping -f), consuming bandwidth/CPU.

Variant: BlackNurse attack targets firewalls.

Technical Details:

ICMP Type 8 (Echo Request), Type 0 (Echo Reply) are key.

Mitigation: Rate-limit ICMP, disable broadcasts (e.g., no ip directed-broadcast).

Security Implications:ICMP attacks are DoS vectors. CNSP likely teaches filtering (e.g., iptables -p icmp -j DROP) balanced with diagnostics need.

Why other options are incorrect:

A, B, C individually:All are ICMP-based; D is comprehensive.

Real-World Context:Smurf attacks peaked in the 1990s; modern routers block them by default.References:CNSP Official Study Guide (Network Attacks); RFC 792 (ICMP).

Kerberos is the default authentication protocol in Windows Active Directory environments, andtickets are used to prove identity. Verifying ticket validity involves checking their status, expiration, and attributes, which requires a built-in tool available in modern Windows systems.

Why A is correct:Klist is a command-line utility included in Windows (since Vista/2008) that lists cached Kerberos tickets and their details, such as validity period and renewal status. CNSP recognizes it as the standard tool for Kerberos ticket management in security audits.

Why other options are incorrect:

B:Kerbtray is a graphical tool from the Windows Resource Kit, not a built-in utility, and is outdated.

C:Netsh manages network configurations, not Kerberos tickets.

D:"Kerberos Manager" is not a recognized built-in Windows utility; it’s a fictitious name.

References:CNSP "Authentication Protocols" (Section on Kerberos) identifies Klist as the built-in tool for ticket verification, contrasting it with deprecated or external tools.

A DNS zone transfer involves replicating the DNS zone data (e.g., all records for a domain) from a primary to a secondary DNS server, requiring a reliable transport mechanism.

Why A is correct:DNS zone transfers use TCP port 53 because TCP ensures reliable,ordered delivery of data, which is critical for transferring large zone files. CNSP notes that TCP is the standard protocol for zone transfers (e.g., AXFR requests), as specified in RFC 5936.

Why other options are incorrect:

B. 53/UDP:UDP port 53 is used for standard DNS queries and responses due to its speed and lower overhead, but it is not suitable for zone transfers, which require reliability over speed.

C. Both 1 and 2:This is incorrect because zone transfers are exclusively TCP-based, not UDP-based.

D. None of the above:Incorrect, as 53/TCP is the correct port for DNS zone transfers.

References:CNSP "DNS Security Practices" (Section on Zone Transfers) specifies TCP port 53 as the protocol for secure and reliable zone transfer operations.

In Unix-based systems (e.g., Linux), the ifconfig command is historically used to configure network interfaces, including changing the Media Access Control (MAC) address of an Ethernet adapter. The correct syntax to set a new MAC address for an interface like eth0 is ifconfig eth0 hw ether AA:BB:CC:DD:EE:FF, where hw specifies the hardware address type (ether for Ethernet), followed by the new MAC address in colon-separated hexadecimal format.

Why A is correct:The hw ether argument is the standard and correct syntax recognized by ifconfig to modify the MAC address. This command temporarily changes the MAC address until the system reboots or the interface is reset, assuming the user has sufficient privileges (e.g., root). CNSP documentation on network configuration and spoofing techniques validates this syntax for testing network security controls.

Why other options are incorrect:

B:hdw is not a valid argument; it’s a typographical error and unrecognized by ifconfig.

C:hdwr is similarly invalid; no such shorthand exists in the command structure.

D:hwr is incorrect; the full keyword hw followed by ether is required for proper parsing.

References:CNSP "Network Interface Configuration" (Section on MAC Address Manipulation) confirms ifconfig eth0 hw ether as the standard command, noting its use in penetration testing for spoofing scenarios.

DDoS (Distributed Denial of Service) attacks aim to overwhelm a target’s resources with excessive traffic, disrupting availability, whereas other attack types target different goals.

Why D is correct:Brute force attacks focus on guessing credentials (e.g., passwords) to gain unauthorized access, not on denying service. CNSP classifies it as an authentication attack, not a DDoS method.

Why other options are incorrect:

A:SYN Flood exhausts TCP connection resources, a classic DDoS attack.

B:NTP Amplification leverages amplified responses to flood targets, a DDoS technique.

C:UDP Flood overwhelms a system with UDP packets, another DDoS method.

References:CNSP "DDoS Attack Types" (Section on Attack Classification) excludes brute force from DDoS categories, listing SYN, NTP, and UDP floods as examples.

In Linux, theSGID (Set Group ID)bit alters execution or directory behavior:

On executables: Runs with the group owner’s permissions (e.g., s in group execute position).

On directories: New files inherit the directory’s group ownership.

Notation: s in group execute field (e.g., -rwxr-sr-x), or S if no execute (e.g., -rwxr-Sr-x).

Analysis:

-rwxr-sr-x (myfile): User: rwx, Group: r-s (SGID), Others: r-x. The s in group execute confirms SGID.

-rwsr-xr-x (myprogram): User: rws (SUID), Group: r-x, Others: r-x. The s is in user execute, not group—no SGID.

-rw-r--r-s (anotherfile): User: rw-, Group: r--, Others: r-s. The s is in others execute, but no x exists, rendering it meaningless (not SGID; could be a typo or sticky bit misapplied).

Security Implications:SGID executables (e.g., /usr/bin/wall) or directories (e.g., /var/local) manage group access. Misuse risks privilege escalation. CNSP likely teaches auditing with find / -perm -g=s.

Why other options are incorrect:

B:SUID, not SGID.

C:No valid SGID; s in others is irrelevant without execute.

D:Only A has SGID.

Real-World Context:SGID on /var/mail ensures mail files inherit the mail group.References:CNSP Official Study Guide (Linux Permissions); Linux File System Documentation.

Port 111/TCP is the default port for the RPC (Remote Procedure Call) portmapper service on Unix systems, which registers and manages RPC services.

Why A is correct:Running rpcinfo -p queries the portmapper to list all registered RPC services, their programs, versions, and associated ports. This is a logical next step during a security audit or penetration test to identify potential vulnerabilities (e.g., NFS or NIS services). CNSP recommends this command for RPC enumeration.

Why other options are incorrect:

B. Telnet to the port to look for a banner:Telnet might connect, but RPC services don’t typically provide a human-readable banner, making this less effective than rpcinfo.

C. Telnet to the port, send "GET / HTTP/1.0" and gather information from the response:Port 111 is not an HTTP service, so an HTTP request is irrelevant and will likely fail.

D. None of the above:Incorrect, as A is a valid and recommended step.

References:CNSP "Unix Service Enumeration" (Section on RPC Services) highlights rpcinfo -p as the standard tool for probing port 111/TCP.