Buy Latest Nov 13, 2025 CNSP Exam Q&A PDF - One Year Free Update
Download the Latest CNSP Dump - 2025 CNSP Exam Questions
NEW QUESTION # 28
Which of the following is an example of a SUID program?
- A. /usr/bin/passwd
- B. None of the above
- C. /usr/bin/curl
- D. /bin/ls
Answer: A
Explanation:
In Linux/Unix, the SUID (Set User ID) bit allows a program to execute with the owner's permissions, typically root, rather than the caller's. It's denoted by an s in the user execute field (e.g., -rwsr-xr-x). Common SUID programs perform privileged tasks requiring temporary elevation.
Analysis:
C . /usr/bin/passwd:
Purpose: Updates user passwords in /etc/shadow (root-owned, 0600 perms).
Permissions: Typically -rwsr-xr-x, owned by root. The SUID bit lets non-root users modify shadow securely.
Command: ls -l /usr/bin/passwd confirms SUID (s in user execute).
A . /bin/ls:
Purpose: Lists directory contents, no privileged access needed.
Permissions: -rwxr-xr-x (no SUID). Runs as the calling user.
B . /usr/bin/curl:
Purpose: Transfers data over HTTP/FTP, no root privileges required by default.
Permissions: -rwxr-xr-x (no SUID).
Technical Details:
SUID Bit: Set via chmod u+s <file> or chmod 4755.
Security: SUID binaries are audited (e.g., find / -perm -u=s) due to escalation risks if writable or poorly coded (e.g., buffer overflows).
Security Implications: CNSP likely highlights SUID as an attack vector (e.g., CVE-1996-0095 exploited passwd flaws). Hardening removes unnecessary SUID bits.
Why other options are incorrect:
A, B: Lack SUID; no privileged operations.
D: Incorrect, as /usr/bin/passwd is a SUID example.
Real-World Context: SUID on /bin/su or /usr/bin/sudo similarly enables privilege escalation, often targeted in exploits.
NEW QUESTION # 29
Which of the aforementioned SSL/TLS protocols are considered to be unsafe?
- A. SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3
- B. SSLv2 and SSLv3
- C. TLSv1.0 and TLSv1.1
- D. Both A and B
Answer: D
Explanation:
SSL/TLS protocols secure network communication, but older versions have vulnerabilities:
SSLv2 (1995): Weak ciphers, no handshake integrity (e.g., MITM via DROWN attack, CVE-2016-0800). Deprecated by RFC 6176 (2011).
SSLv3 (1996): Vulnerable to POODLE (CVE-2014-3566), weak block ciphers (e.g., RC4). Deprecated by RFC 7568 (2015).
TLSv1.0 (1999, RFC 2246): Inherits SSLv3 flaws (e.g., BEAST, CVE-2011-3389), weak CBC ciphers. Deprecated by PCI DSS (2018) and RFC 8996 (2021).
TLSv1.1 (2006, RFC 4346): Improved over 1.0 but lacks modern cipher suites (e.g., AEAD). Deprecated with 1.0 by RFC 8996.
TLSv1.2 (2008, RFC 5246): Secure with strong ciphers (e.g., AES-GCM), widely used today.
TLSv1.3 (2018, RFC 8446): Latest, removes legacy weaknesses, mandatory forward secrecy.
Why other options are incorrect:
A: Correct but incomplete without B.
B: Correct but incomplete without A.
D: Incorrectly includes TLSv1.2 and 1.3, which are secure and recommended.
Real-World Context: POODLE forced mass SSLv3 disablement in 2014; TLS 1.0/1.1 deprecation hit legacy systems in 2021.
NEW QUESTION # 30
Which of the following files has the SGID permission set?
-rwxr-sr-x 1 root root 4096 Jan 1 08:00 myfile
-rwsr-xr-x 1 root root 4096 Jan 1 00:08 myprogram
-rw-r--r-s 1 root root 4896 Jan 1 00:00 anotherfile
- A. myfile
- B. All of the above
- C. anotherfile
- D. myprogram
Answer: A
Explanation:
In Linux, the SGID (Set Group ID) bit alters execution or directory behavior:
On executables: Runs with the group owner's permissions (e.g., s in group execute position).
On directories: New files inherit the directory's group ownership.
Notation: s in group execute field (e.g., -rwxr-sr-x), or S if no execute (e.g., -rwxr-Sr-x).
Analysis:
-rwxr-sr-x (myfile): User: rwx, Group: r-s (SGID), Others: r-x. The s in group execute confirms SGID.
-rwsr-xr-x (myprogram): User: rws (SUID), Group: r-x, Others: r-x. The s is in user execute, not group-no SGID.
-rw-r--r-s (anotherfile): User: rw-, Group: r--, Others: r-s. The s is in others execute, but no x exists, rendering it meaningless (not SGID; could be a typo or sticky bit misapplied).
Security Implications: SGID executables (e.g., /usr/bin/wall) or directories (e.g., /var/local) manage group access. Misuse risks privilege escalation. CNSP likely teaches auditing with find / -perm -g=s.
Why other options are incorrect:
B: SUID, not SGID.
C: No valid SGID; s in others is irrelevant without execute.
D: Only A has SGID.
Real-World Context: SGID on /var/mail ensures mail files inherit the mail group.
NEW QUESTION # 31
Which SMB (Server Message Block) network protocol versions are vulnerable to the EternalBlue (MS17-010) Windows exploit?
- A. SMBv2 only
- B. Both SMBv1 and SMBv2
- C. SMBv3 only
- D. SMBv1 only
Answer: D
Explanation:
EternalBlue (MS17-010) is an exploit targeting a buffer overflow in Microsoft's SMB (Server Message Block) implementation, leaked by the Shadow Brokers in 2017. SMB enables file/printer sharing:
SMBv1 (1980s): Legacy, used in Windows NT/XP.
SMBv2 (2006, Vista): Enhanced performance/security.
SMBv3 (2012, Windows 8): Adds encryption, multichannel.
Vulnerability:
EternalBlue exploits a flaw in SMBv1's SRVNET driver (srv.sys), allowing remote code execution via crafted packets. Microsoft patched it in March 2017 (MS17-010).
Affected OS: Windows XP to Server 2016 (pre-patch), if SMBv1 enabled.
Proof: WannaCry/NotPetya used it, targeting port 445/TCP.
SMBv1 Only: The bug resides in SMBv1's packet handling (e.g., TRANS2 requests). SMBv2/v3 rewrote this code, immune to the specific overflow.
Microsoft: Post-patch, SMBv1 is disabled by default (Windows 10 1709+).
Security Implications: CNSP likely stresses disabling SMBv1 (e.g., via Group Policy) and patching, as EternalBlue remains a threat in legacy environments.
Why other options are incorrect:
B, C: SMBv2/v3 aren't vulnerable; the flaw is SMBv1-specific.
D: SMBv2 isn't affected, only SMBv1.
Real-World Context: WannaCry's 2017 rampage hit unpatched SMBv1 systems (e.g., NHS), costing billions.
NEW QUESTION # 32
You are performing a security audit on a company's infrastructure and have discovered that the domain name system (DNS) server is vulnerable to a DNS cache poisoning attack. What is the primary security risk?
- A. The primary risk is that an attacker could manipulate the cache of the web server or proxy server to return incorrect content for a specific URL or web page.
- B. The primary risk is that an attacker could redirect traffic to a malicious website and steal sensitive information.
Answer: B
Explanation:
DNS cache poisoning, also known as DNS spoofing, involves an attacker injecting false DNS records into a resolver's cache, altering how domain names resolve.
Why A is correct: The primary risk is that an attacker can redirect users to malicious websites (e.g., phishing or malware sites) by poisoning the DNS cache with fake IP addresses. This can lead to credential theft, data exfiltration, or malware distribution. CNSP identifies this as the core threat of DNS cache poisoning, aligning with real-world attack vectors.
Why other option is incorrect:
B . Manipulate the cache of the web server or proxy server: This describes web cache poisoning, a different attack targeting HTTP caches, not DNS servers. DNS cache poisoning affects DNS resolution, not web or proxy server caches directly.
NEW QUESTION # 33
The Management Information Base (MIB) is a collection of object groups that is managed by which service?
- A. SMTP
- B. TACACS
- C. SNMP
- D. NTP
Answer: C
Explanation:
The Management Information Base (MIB) is a structured database defining manageable objects (e.g., CPU usage, interface status) in a network device. It's part of the SNMP (Simple Network Management Protocol) framework, per RFC 1157, used for monitoring and managing network devices (e.g., routers, switches).
SNMP Mechanics:
MIB Structure: Hierarchical, with Object Identifiers (OIDs) like 1.3.6.1.2.1.1.1.0 (sysDescr).
Ports: UDP 161 (agent), 162 (traps).
Operation: Agents expose MIB data; managers (e.g., Nagios) query it via GET/SET commands.
MIB files (e.g., IF-MIB, HOST-RESOURCES-MIB) are vendor-specific or standardized, parsed by SNMP tools (e.g., snmpwalk). CNSP likely covers SNMP for network monitoring and securing it against enumeration (e.g., weak community strings like "public").
Why other options are incorrect:
A . SMTP (Simple Mail Transfer Protocol): Email delivery (TCP 25), unrelated to MIB or device management.
C . NTP (Network Time Protocol): Time synchronization (UDP 123), not MIB-related.
D . TACACS (Terminal Access Controller Access-Control System): Authentication/authorization (TCP 49), not MIB management.
Real-World Context: SNMP misconfiguration led to the 2018 Cisco switch exploits via exposed MIB data.
NEW QUESTION # 34
Which one of the following is a phishing email?

- A. Only B
- B. None of the above
- C. Only A
- D. Both A and B
Answer: A
Explanation:
The screenshot shows an email labeled "B" with the subject "Verify your email address" purportedly from Apple. To determine if this is a phishing email, we need to analyze its content and characteristics against common phishing indicators as outlined in CNSP documentation. Since option A is not provided in the screenshot, we will evaluate email B and infer the context for A.
Analysis of Email B:
Sender and Branding: The email claims to be from "Apple Support" and includes an Apple logo, which is a common tactic to establish trust. However, phishing emails often impersonate legitimate brands like Apple to deceive users.
Subject and Content: The subject "Verify your email address" and the body requesting the user to verify their email by clicking a link ("Verify Your Email") are typical of phishing attempts. Legitimate companies like Apple may send verification emails, but the tone and context here raise suspicion.
Link Presence: The email contains a clickable link ("Verify Your Email") that is purportedly for email verification. The screenshot does not show the URL, but phishing emails often include malicious links that lead to fake login pages to steal credentials. CNSP emphasizes that unsolicited requests to click links for verification are a red flag.
Urgency and Vague Instructions: The email includes a statement, "If you did not make this change or believe an unauthorized person has accessed your account, click here to cancel and secure your account." This creates a sense of urgency, a common phishing tactic to prompt immediate action without critical thinking.
Generic Greeting: The email starts with "Dear User," a generic greeting often used in phishing emails. Legitimate companies like Apple typically personalize emails with the user's name.
Suspicious Elements: The email mentions "your Apple ID ([email protected])," which is a placeholder rather than a specific email address, further indicating a mass phishing campaign rather than a targeted, legitimate communication.
Phishing Indicators (per CNSP):
CNSP documentation on phishing identification lists several red flags:
Unsolicited requests for verification or account updates.
Generic greetings (e.g., "Dear User" instead of a personalized name).
Presence of links that may lead to malicious sites (not verifiable in the screenshot but implied).
Urgency or threats (e.g., "click here to cancel and secure your account").
Impersonation of trusted brands (e.g., Apple).
Email B exhibits multiple indicators: the generic greeting, unsolicited verification request, urgent call to action, and impersonation of Apple.
Option A Context:
Since the screenshot only shows email B, and the correct answer is "Only B," we can infer that email A (not shown) does not exhibit phishing characteristics. For example, A might be a legitimate email from Apple with proper personalization, no suspicious links, or a different context (e.g., a purchase confirmation rather than a verification request).
Evaluation of Options:
1. Only A: Incorrect, as email A is not shown, and the correct answer indicates B as the phishing email.
2. Only B: Correct. Email B shows clear phishing characteristics, such as impersonation, a generic greeting, an unsolicited verification link, and urgency, aligning with CNSP's phishing criteria.
3. Both A and B: Incorrect, as A is implied to be non-phishing based on the correct answer.
4. None of the above: Incorrect, as B is a phishing email.
Conclusion: Email B is a phishing email due to its impersonation of Apple, generic greeting, unsolicited verification request with a link, and use of urgency to prompt action. Since A is not shown but implied to be non-phishing, the correct answer is "Only B."
NEW QUESTION # 35
What user account is required to create a Golden Ticket in Active Directory?
- A. Local User account
- B. Domain User account
- C. Service account
- D. KRBTGT account
Answer: D
Explanation:
A Golden Ticket is a forged Kerberos Ticket-Granting Ticket (TGT) in Active Directory (AD), granting an attacker unrestricted access to domain resources by impersonating any user (e.g., with Domain Admin privileges). Kerberos, per RFC 4120, relies on the KRBTGT account-a built-in service account on every domain controller-to encrypt and sign TGTs. To forge a Golden Ticket, an attacker needs:
The KRBTGT password hash (NTLM or Kerberos key), typically extracted from a domain controller's memory using tools like Mimikatz.
Additional domain details (e.g., SID, domain name).
Process:
Compromise a domain controller (e.g., via privilege escalation).
Extract the KRBTGT hash (e.g., lsadump::dcsync /user:krbtgt).
Forge a TGT with arbitrary privileges using the hash (e.g., Mimikatz's kerberos::golden command).
The KRBTGT account itself isn't "used" to create the ticket; its hash is the key ingredient. Unlike legitimate TGTs issued by the KDC, a Golden Ticket bypasses authentication checks, persisting until the KRBTGT password is reset (a rare event in most environments). CNSP likely highlights this as a high-severity AD attack vector.
Why other options are incorrect:
A . Local User account: Local accounts are machine-specific, lack domain privileges, and can't access the KRBTGT hash stored on domain controllers.
B . Domain User account: A standard user has no inherent access to domain controller credentials or the KRBTGT hash without escalation.
C . Service account: While service accounts may have elevated privileges, they don't automatically provide the KRBTGT hash unless compromised to domain admin level-still insufficient without targeting KRBTGT specifically.
Real-World Context: The 2014 Sony Pictures hack leveraged Golden Tickets, emphasizing the need for KRBTGT hash rotation post-breach (a complex remediation step).
NEW QUESTION # 36
The Active Directory database file stores the data and schema information for the Active Directory database on domain controllers in Microsoft Windows operating systems. Which of the following file is the Active Directory database file?
- A. NTDS.MDB
- B. MSAD.MDB
- C. NTDS.DIT
- D. NTDS.DAT
Answer: C
Explanation:
The Active Directory (AD) database on Windows domain controllers contains critical directory information, stored in a specific file format.
Why D is correct: The NTDS.DIT file (NT Directory Services Directory Information Tree) is the Active Directory database file, located in C:\Windows\NTDS\ on domain controllers. It stores all AD objects (users, groups, computers) and schema data in a hierarchical structure. CNSP identifies NTDS.DIT as the key file for AD data extraction in security audits.
Why other options are incorrect:
A . NTDS.DAT: Not a valid AD database file; may be a confusion with other system files.
B . NTDS.MDB: Refers to an older Microsoft Access database format, not used for AD.
C . MSAD.MDB: Not a recognized file for AD; likely a misnomer.
NEW QUESTION # 37
Which command will perform a DNS zone transfer of the domain "victim.com" from the nameserver at 10.0.0.1?
- A. dig @10.0.0.1 victim.com arfxr
- B. dig @10.0.0.1 victim.com afxr
- C. dig @10.0.0.1 victim.com axrfr
- D. dig @10.0.0.1 victim.com axfr
Answer: D
Explanation:
A DNS zone transfer replicates an entire DNS zone (a collection of DNS records for a domain) from a primary nameserver to a secondary one, typically for redundancy or load balancing. The AXFR (Authoritative Full Zone Transfer) query type, defined in RFC 1035, facilitates this process. The dig (Domain Information Groper) tool, a staple in Linux/Unix environments, is used to query DNS servers. The correct syntax is:
dig @<nameserver> <domain> axfr
Here, dig @10.0.0.1 victim.com axfr instructs dig to request a zone transfer for "victim.com" from the nameserver at 10.0.0.1. The @ symbol specifies the target server, overriding the system's default resolver.
Technical Details:
The AXFR query is sent over TCP (port 53), not UDP, due to the potentially large size of zone data, which exceeds UDP's typical 512-byte limit (pre-EDNS0).
Successful execution requires the nameserver to permit zone transfers from the querying IP, often restricted to trusted secondaries via Access Control Lists (ACLs) for security. If restricted, the server responds with a "REFUSED" error.
Security Implications: Zone transfers expose all DNS records (e.g., A, MX, NS), making them a reconnaissance goldmine for attackers if misconfigured. CNSP likely emphasizes securing DNS servers against unauthorized AXFR requests, using tools like dig to test vulnerabilities.
Why other options are incorrect:
A . dig @10.0.0.1 victim.com axrfr: "axrfr" is a typographical error. The correct query type is "axfr." Executing this would result in a syntax error or an unrecognized query type response from dig.
B . dig @10.0.0.1 victim.com afxr: "afxr" is another typo, not a valid DNS query type per RFC 1035. dig would fail to interpret this, likely outputting an error like "unknown query type." C . dig @10.0.0.1 victim.com arfxr: "arfxr" is also invalid, a jumbled version of "axfr." It holds no meaning in DNS protocol standards and would fail similarly.
Real-World Context: Penetration testers use dig ... axfr to identify misconfigured DNS servers. For example, dig @ns1.example.com example.com axfr might reveal subdomains or internal IPs if not locked down.
NEW QUESTION # 38
What RID is given to an Administrator account on a Microsoft Windows machine?
- A. 0
- B. 1
- C. 2
- D. 3
Answer: B
Explanation:
In Windows, security principals (users, groups) are identified by a Security Identifier (SID), formatted as S-1-<authority>-<domain>-<RID>. The RID (Relative Identifier) is the final component, unique within a domain or machine. For local accounts:
RID 500: Assigned to the built-in Administrator account on every Windows machine (e.g., S-1-5-21-<machine>-500).
Created during OS install, with full system privileges.
Disabled by default in newer Windows versions (e.g., 10/11) unless explicitly enabled.
RID 501: Guest account (e.g., S-1-5-21-<machine>-501), limited access.
Technical Details:
Stored in SAM (C:\Windows\System32\config\SAM).
Enumeration: Tools like wmic useraccount or net user reveal RIDs.
Domain Context: Domain Admins use RID 512, but the question specifies a local machine.
Security Implications: RID 500 is a prime target for brute-forcing or pass-the-hash attacks (e.g., Mimikatz). CNSP likely advises renaming/disabling it (e.g., via GPO).
Why other options are incorrect:
A . 0: Reserved (e.g., Null SID, S-1-0-0), not a user RID.
C . 501: Guest, not Administrator.
D . 100: Invalid; local user RIDs start at 1000 (e.g., custom accounts).
Real-World Context: Post-compromise, attackers query RID 500 (e.g., net user Administrator) for privilege escalation.
NEW QUESTION # 39
The Management Information Base (MIB) is a collection of object groups that is managed by which service?
- A. SMTP
- B. TACACS
- C. SNMP
- D. NTP
Answer: C
Explanation:
The Management Information Base (MIB) is a structured database defining manageable objects (e.g., CPU usage, interface status) in a network device. It's part of the SNMP (Simple Network Management Protocol) framework, per RFC 1157, used for monitoring and managing network devices (e.g., routers, switches).
SNMP Mechanics:
MIB Structure: Hierarchical, with Object Identifiers (OIDs) like 1.3.6.1.2.1.1.1.0 (sysDescr).
Ports: UDP 161 (agent), 162 (traps).
Operation: Agents expose MIB data; managers (e.g., Nagios) query it via GET/SET commands.
MIB files (e.g., IF-MIB, HOST-RESOURCES-MIB) are vendor-specific or standardized, parsed by SNMP tools (e.g., snmpwalk). CNSP likely covers SNMP for network monitoring and securing it against enumeration (e.g., weak community strings like "public").
Why other options are incorrect:
A . SMTP (Simple Mail Transfer Protocol): Email delivery (TCP 25), unrelated to MIB or device management.
C . NTP (Network Time Protocol): Time synchronization (UDP 123), not MIB-related.
D . TACACS (Terminal Access Controller Access-Control System): Authentication/authorization (TCP 49), not MIB management.
Real-World Context: SNMP misconfiguration led to the 2018 Cisco switch exploits via exposed MIB data.
NEW QUESTION # 40
What is the response from a closed UDP port which is not behind a firewall?
- A. ICMP message showing Destination Unreachable
- B. None of the above
- C. A RST packet
- D. No response
Answer: A
Explanation:
UDP is a connectionless protocol, and its behavior when a packet reaches a port depends on whether the port is open or closed. Without a firewall altering the response, the standard protocol applies.
Why A is correct: When a UDP packet is sent to a closed port, the host typically responds with an ICMP Type 3 (Destination Unreachable), Code 3 (Port Unreachable) message, indicating no service is listening. CNSP notes this as a key indicator in port scanning.
Why other options are incorrect:
B: RST packets are TCP-specific, not used in UDP.
C: No response occurs for open UDP ports unless an application replies, not closed ports.
D: A is correct, so "none of the above" is invalid.
NEW QUESTION # 41
Where are the password hashes stored in a Microsoft Windows 64-bit system?
- A. C:\Windows\System64\config\SAM
- B. C:\System64\config\SAM
- C. C:\Windows\config\System32\SAM
- D. C:\Windows\System32\config\SAM
Answer: D
Explanation:
Windows stores password hashes in the SAM (Security Account Manager) file, with a consistent location across 32-bit and 64-bit systems.
Why B is correct: The SAM file resides at C:\Windows\System32\config\SAM, locked during system operation for security. CNSP notes this for credential extraction risks.
Why other options are incorrect:
A: System64 does not exist; System32 is used even on 64-bit systems.
C: C:\System64 is invalid; the path starts with Windows.
D: config\System32 reverses the correct directory structure.
NEW QUESTION # 42
Which of the following techniques can be used to bypass network segmentation during infrastructure penetration testing?
- A. All of the above
- B. DNS tunneling
- C. Covert channels
- D. VLAN hopping
Answer: A
Explanation:
Network segmentation isolates network zones for security, but certain techniques can circumvent these controls, a focus of CNSP penetration testing.
Why D is correct:
A: DNS tunneling encodes data in DNS queries, bypassing segmentation via legitimate DNS traffic.
B: VLAN hopping exploits switch misconfigurations (e.g., double tagging) to access other VLANs.
C: Covert channels use hidden communication paths (e.g., timing channels) to evade segmentation.
All are valid techniques per CNSP for testing segmentation controls.
Why other options are incomplete: A, B, or C alone exclude other viable methods, making D the comprehensive answer.
NEW QUESTION # 43
Which Kerberos ticket is required to generate a Silver Ticket?
- A. Service Account Ticket
- B. Ticket-Granting Ticket
- C. There is no specific ticket required for generating a Silver Ticket
- D. Session Ticket
Answer: A
Explanation:
A Silver Ticket is a forged Kerberos Service Ticket (TGS - Ticket Granting Service) in Active Directory, granting access to a specific service (e.g., MSSQL, CIFS) without KDC interaction. Unlike a Golden Ticket (TGT forgery), it requires:
Service Account's NTLM Hash: The target service's account (e.g., MSSQLSvc) hash, not a ticket.
Forgery: Tools like Mimikatz craft the TGS (e.g., kerberos::golden /service:<spn> /user:<user> /ntlm:<hash>).
Kerberos Flow (RFC 4120):
TGT (Ticket-Granting Ticket): Obtained via AS (Authentication Service) with user creds.
TGS: Requested from TGS (Ticket Granting Service) using TGT for service access.
Silver Ticket Process:
No TGT needed; the attacker mimics the TGS step using the service account's stolen hash (e.g., from a compromised host).
C . Service Account Ticket: Misnomer-it's the hash of the service account (e.g., MSSQLSvc) that enables forgery, not a pre-existing ticket. CNSP's phrasing likely tests this nuance.
Security Implications: Silver Tickets are stealthier than Golden Tickets (service-specific, shorter-lived). CNSP likely stresses hash protection (e.g., LAPS) and Kerberos monitoring.
Why other options are incorrect:
A . Session Ticket: Not a Kerberos term; confuses session keys.
B . TGT: Used for Golden Tickets, not Silver.
D: Incorrect; the service account's hash (implied by "ticket") is essential.
Real-World Context: Silver Tickets exploited in APT29 attacks (2020 SolarWinds) for lateral movement.
NEW QUESTION # 44
How many octets are there in an IPv6 address?
- A. 0
- B. 1
- C. 2
- D. 3
Answer: A
Explanation:
An IPv6 address, defined in RFC 4291, is a 128-bit address designed to replace IPv4's 32-bit scheme, vastly expanding address space (2^128 vs. 2^32). An octet is 8 bits (1 byte). To calculate octets in IPv6:
128 bits ÷ 8 bits/octet = 16 octets.
Representation:
IPv6 is written as eight 16-bit hexadecimal blocks (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334), separated by colons.
Each block is 16 bits (2 bytes), so 8 blocks = 16 octets.
Contrast with IPv4 (e.g., 192.168.0.1), which has 4 octets (32 bits).
Technical Note: Your original input flagged this question's phrasing as potentially misleading, suggesting "octets" is an IPv4 term, while IPv6 uses "16-bit groups" or "hextets." While technically accurate (RFC 4291 uses "16-bit blocks"), "octets" remains a common, if informal, term in security contexts for byte-wise analysis (e.g., packet crafting). CNSP might use "octets" to test byte-level understanding, though "groups" is more precise for IPv6. Here, 16 octets (128 bits) is correct either way.
Security Implications: IPv6's larger address space complicates scanning (e.g., Nmap struggles with 2^128 possibilities) but introduces risks like misconfigured Neighbor Discovery Protocol (NDP). Understanding its structure aids in firewall rules and IDS signatures.
Why other options are incorrect:
B . 32: Implies 256 bits (32 × 8), far exceeding IPv6's 128-bit design.
C . 64: Suggests 512 bits (64 × 8), unrelated to IPv6 or any IP standard.
D . 128: Misinterprets octets as bits; 128 bits = 16 octets, not 128 octets.
Real-World Context: IPv6 packet analysis (e.g., Wireshark) breaks addresses into 16 octets for raw data inspection.
NEW QUESTION # 45
In the context of the SSH (Secure Shell) public-private key authentication mechanism, which key is uploaded to the server and which key is used by the end-user for authentication?
- A. The private key is uploaded to the server and the public key is used by the end user for authentication.
- B. The public key is uploaded to the server and the private key is used by the end user for authentication.
Answer: B
Explanation:
SSH (Secure Shell), per RFC 4251, uses asymmetric cryptography (e.g., RSA, ECDSA) for secure authentication:
Key Pair:
Public Key: Freely shareable, used to encrypt or verify.
Private Key: Secret, used to decrypt or sign.
Process:
User generates a key pair (e.g., ssh-keygen -t rsa -b 4096).
Public Key is uploaded to the server, appended to ~/.ssh/authorized_keys (e.g., via ssh-copy-id).
Private Key (e.g., ~/.ssh/id_rsa) stays on the user's machine.
Authentication: Client signs a challenge with the private key; server verifies it with the public key.
Technical Details:
Protocol: SSH-2 (RFC 4253) uses a Diffie-Hellman key exchange, then public-key auth.
Files: authorized_keys (server, 0644 perms), private key (client, 0600 perms).
Security: Private key exposure compromises all systems trusting the public key.
Security Implications: CNSP likely stresses key management (e.g., passphrases, rotation) and server-side authorized_keys hardening (e.g., PermitRootLogin no).
Why other options are incorrect:
B: Uploading the private key reverses the model, breaking security-anyone with the server's copy could authenticate as the user. Asymmetric crypto relies on the private key remaining secret.
Real-World Context: GitHub uses SSH public keys for repository access, with private keys on user devices.
NEW QUESTION # 46
What will be the subnet mask for 192.168.0.1/18?
- A. 255.255.255.0
- B. 255.225.192.0
- C. 255.255.192.0
- D. 255.225.225.0
Answer: C
Explanation:
An IP address with a /18 prefix (CIDR notation) indicates 18 network bits in the subnet mask, leaving 14 host bits (32 total bits - 18). For IPv4 (e.g., 192.168.0.1):
Binary Mask: First 18 bits are 1s, rest 0s.
1st octet: 11111111 (255)
2nd octet: 11111111 (255)
3rd octet: 11000000 (192)
4th octet: 00000000 (0)
Decimal: 255.255.192.0
Calculation:
Bits: /18 = 2^14 hosts (16,384), minus 2 (network/broadcast) = 16,382 usable.
Range: 192.168.0.0-192.168.63.255 (3rd octet: 0-63, as 192 = 11000000 covers 6 bits).
Technical Details:
Subnet masks align on octet boundaries or mid-octet (e.g., 192 = 2^7 + 2^6).
Contrast: /24 = 255.255.255.0 (256 hosts), /16 = 255.255.0.0 (65,536 hosts).
Security Implications: Larger subnets (e.g., /18) increase broadcast domains, risking amplification attacks. CNSP likely teaches subnetting for segmentation (e.g., VLANs).
Why other options are incorrect:
A . 255.255.255.0: /24 (8 host bits), not /18.
B . 255.225.225.0: Invalid mask (225 = 11100001, non-contiguous 1s).
D . 255.225.192.0: Invalid (225 breaks binary sequence).
Real-World Context: Subnetting 192.168.0.0/18 isolates departments in enterprise networks.
NEW QUESTION # 47
WannaCry, an attack, spread throughout the world in May 2017 using machines running on outdated Microsoft operating systems. What is WannaCry?
- A. Ransomware
- B. Malware
Answer: A
Explanation:
WannaCry is a ransomware attack that erupted in May 2017, infecting over 200,000 systems across 150 countries. It exploited the EternalBlue vulnerability (MS17-010) in Microsoft Windows SMBv1, targeting unpatched systems (e.g., Windows XP, Server 2003). Developed by the NSA and leaked by the Shadow Brokers, EternalBlue allowed remote code execution.
Ransomware Mechanics:
Encryption: WannaCry used RSA-2048 and AES-128 to encrypt files, appending extensions like .wcry.
Ransom Demand: Displayed a message demanding $300-$600 in Bitcoin, leveraging a hardcoded wallet.
Worm Propagation: Self-replicated via SMB, scanning internal and external networks, unlike typical ransomware requiring user interaction (e.g., phishing).
Malware Context: While WannaCry is malware (malicious software), "ransomware" is the precise subcategory, distinguishing it from viruses, trojans, or spyware. Malware is a broad term encompassing any harmful code; ransomware specifically encrypts data for extortion. CNSP likely classifies WannaCry as ransomware to focus on its payload and mitigation (e.g., patching, backups).
Why other options are incorrect:
B . Malware: Correct but overly generic. WannaCry's defining trait is ransomware behavior, not just maliciousness. Specificity matters in security taxonomy for threat response (e.g., NIST IR 8019).
Real-World Context: WannaCry crippled NHS hospitals, highlighting patch management's criticality. A kill switch (a domain sinkhole) halted it, but variants persist.
NEW QUESTION # 48
If you find the 111/TCP port open on a Unix system, what is the next logical step to take?
- A. Telnet to the port, send "GET / HTTP/1.0" and gather information from the response.
- B. None of the above.
- C. Telnet to the port to look for a banner.
- D. Run "rpcinfo -p <hostname>" to enumerate the RPC services.
Answer: D
Explanation:
Port 111/TCP is the default port for the RPC (Remote Procedure Call) portmapper service on Unix systems, which registers and manages RPC services.
Why A is correct: Running rpcinfo -p <hostname> queries the portmapper to list all registered RPC services, their programs, versions, and associated ports. This is a logical next step during a security audit or penetration test to identify potential vulnerabilities (e.g., NFS or NIS services). CNSP recommends this command for RPC enumeration.
Why other options are incorrect:
B . Telnet to the port to look for a banner: Telnet might connect, but RPC services don't typically provide a human-readable banner, making this less effective than rpcinfo.
C . Telnet to the port, send "GET / HTTP/1.0" and gather information from the response: Port 111 is not an HTTP service, so an HTTP request is irrelevant and will likely fail.
D . None of the above: Incorrect, as A is a valid and recommended step.
NEW QUESTION # 49
What is the response from a closed TCP port which is behind a firewall?
- A. A FIN and an ACK packet
- B. A SYN and an ACK packet
- C. RST and an ACK packet
- D. No response
Answer: D
NEW QUESTION # 50
......
Verified CNSP Dumps Q&As - 1 Year Free & Quickly Updates: https://www.examboosts.com/The-SecOps-Group/CNSP-practice-exam-dumps.html
Latest The SecOps Group CNSP Certification Practice Test Questions: https://drive.google.com/open?id=1cefe49SfkkrJ1g8asTqVdNg6QT2UljR8