- Home
- The SecOps Group
- Security Practitioner
- CNSP - Certified Network Security Practitioner (CNSP)
CNSP Exam Dumps - Certified Network Security Practitioner (CNSP)
Where are the password hashes stored in the Linux file system?
/etc/passwd
/etc/password
/etc/shadow
/usr/bin/shadow
Answer:
Explanation:
In Linux, password hashes are stored in a secure file to protect user authentication data. The evolution of Linux security practices moved password storage from plaintext or weakly protected files to a more secure location.
Why C is correct:The /etc/shadow file is the standard location for storing password hashes in modern Linux systems. This file is readable only by the root user, enhancing security by restricting access. It contains encrypted password hashes (typically using algorithms like SHA-512), along with user details such as password expiration policies. CNSP documentation on Linux security emphasizes /etc/shadow as the authoritative source for password hashes, replacing older methods.
Why other options are incorrect:
A. /etc/passwd:Historically, /etc/passwd stored passwords in plaintext or weakly hashed forms (e.g., using DES), but modern systems use it only for user account information (e.g., UID, GID, home directory) and reference /etc/shadow for hashes.
B. /etc/password:This is not a valid file in the Linux file system; it appears to be a typographical error or misunderstanding, with no recognized role in password storage.
D. /usr/bin/shadow:/usr/bin contains executable binaries, not configuration or data files like password hashes. /etc/shadow is the correct path.
References:CNSP "Linux Authentication Mechanisms" (Section on Password Storage) details the transition to /etc/shadow for enhanced security and contrasts it with /etc/passwd.
What is the response from a closed TCP port which is behind a firewall?
A FIN and an ACK packet
RST and an ACK packet
A SYN and an ACK packet
No response
Answer:
Explanation:
TCP (Transmission Control Protocol) uses a three-way handshake (SYN, SYN-ACK, ACK) toestablish connections, as per RFC 793. When a client sends a SYN packet to a port:
Open Port:The server responds with SYN-ACK.
Closed Port (no firewall):The server sends an RST (Reset) packet, often with ACK, to terminate the attempt immediately.
However, when afirewallis present, its configuration dictates the response. Modern firewalls typically operate instealth mode, using a "drop" rule for closed ports rather than a "reject" rule:
Drop:Silently discards the packet without replying, resulting inno response. The client experiences a timeout (e.g., 30 seconds), as no feedback is provided.
Reject:Sends an RST or ICMP "Port Unreachable," but this is less common for security reasons, as it confirms the firewall’s presence.
For a closed TCP port behind a firewall, "no response" (drop) is the standard behavior in secure configurations, minimizing information leakage to attackers. This aligns with CNSP’s focus on firewall best practices to obscure network topology during port scanning (e.g., with Nmap).
Why other options are incorrect:
A. A FIN and an ACK packet:FIN-ACK is used to close anestablishedTCP connection gracefully (e.g., after data transfer), not to respond to an initial SYN on a closed port.
B. RST and an ACK packet:RST-ACK is the host’s response to a closed port without a firewall. A firewall’s drop rule overrides this by silently discarding the packet.
C. A SYN and an ACK packet:SYN-ACK indicates an open port accepting a connection, the opposite of a closed port scenario.
Real-World Context:Tools like Nmap interpret "no response" as "filtered" (firewall likely present) vs. "closed" (RST received), aiding in firewall detection.References:CNSP Official Study Guide (Firewall Operations and TCP/IP); RFC 793 (TCP).
Which of the following attacks are associated with an ICMP protocol?
Ping of death
Smurf attack
ICMP flooding
All of the following
Answer:
Explanation:
ICMP (Internet Control Message Protocol), per RFC 792, handles diagnostics (e.g., ping) and errors in IP networks. It’s exploitable in:
A. Ping of Death:
Method: Sends oversized ICMP Echo Request packets (>65,535 bytes) via fragmentation. Reassembly overflows buffers, crashing older systems (e.g., Windows 95).
Fix: Modern OSes cap packet size (e.g., ping -s 65500).
B. Smurf Attack:
Method: Spoofs ICMP Echo Requests to a network’s broadcast address (e.g., 192.168.255.255). All hosts reply, flooding the victim.
Amplification: 100 hosts = 100x traffic.
C. ICMP Flooding:
Method: Overwhelms a target with ICMP Echo Requests (e.g., ping -f), consuming bandwidth/CPU.
Variant: BlackNurse attack targets firewalls.
Technical Details:
ICMP Type 8 (Echo Request), Type 0 (Echo Reply) are key.
Mitigation: Rate-limit ICMP, disable broadcasts (e.g., no ip directed-broadcast).
Security Implications:ICMP attacks are DoS vectors. CNSP likely teaches filtering (e.g., iptables -p icmp -j DROP) balanced with diagnostics need.
Why other options are incorrect:
A, B, C individually:All are ICMP-based; D is comprehensive.
Real-World Context:Smurf attacks peaked in the 1990s; modern routers block them by default.References:CNSP Official Study Guide (Network Attacks); RFC 792 (ICMP).
How many usable TCP/UDP ports are there?
65536
65535
63535
65335
Answer:
Explanation:
TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) port numbers are defined by a 16-bit field in their packet headers, as specified in RFC 793 (TCP) and RFC 768 (UDP). A 16-bit integer ranges from 0 to 65,535, yielding a total of 65,536 possible ports (2^16). However,port 0is universally reserved across both protocols and is not considered "usable" for standard network communication. According to the Internet Assigned Numbers Authority (IANA), port 0 is designated for special purposes, such as indicating an invalid or dynamic port assignment in some systems (e.g., when a client requests an ephemeral port). In practice, operating systems and applications avoid binding to port 0 for listening services, and it’s often used in error conditions or as a placeholder in protocol implementations (e.g., socket programming).
Thus, theusable port rangespans from 1 to 65,535, totaling 65,535 ports. These ports are categorized by IANA into:
Well-Known Ports (0–1023):Reserved for system services (e.g., HTTP on 80/TCP). Note that 0 is still reserved within this range.
Registered Ports (1024–49151):Assigned to user applications.
Dynamic/Ephemeral Ports (49152–65535):Used temporarily by clients.
From a security perspective, understanding the usable port count is critical for firewall configuration, port scanning (e.g., with Nmap), and detecting anomalies (e.g., services binding to unexpected ports). Misconfiguring a system to use port 0 could lead to protocol errors or expose vulnerabilities, though it’s rare. The CNSP curriculum likely emphasizes this distinction to ensure practitioners can accurately scope network security assessments.
Why other options are incorrect:
A. 65536:This reflects the total number of possible ports (0–65535), but it includes the reserved port 0, which isn’t usable for typical TCP/UDP communication. In security contexts, including port 0 in a count could lead to misconfigured rules or scanning errors.
C. 63535:This is an arbitrary number with no basis in the 16-bit port structure. It might stem from a typo or misunderstanding (e.g., subtracting 2000 from 65535 incorrectly), but it’s invalid.
D. 65335:Similarly, this lacks grounding in protocol standards. It could be a miscalculation (e.g., subtracting 200 from 65535), but it doesn’t align with TCP/UDP specifications.
Real-World Context:In penetration testing, tools like Nmap scan ports 1–65535 by default, excluding 0 unless explicitly specified (e.g., -p0-65535), reinforcing that 65,535 is the practical usable count.References:CNSP Official Study Guide (Network Protocols and Ports); RFC 793 (TCP), RFC 768 (UDP), IANA Service Name and Transport Protocol Port Number Registry.
The application is showing a TLS error message as a result of a website administrator failing to timely renew the TLS certificate. But upon deeper analysis, it appears that the problem is brought on by the expiration of the TLS certificate. Which of the following statements is correct?
The communication between the browser and the server is now no longer over TLS.
The communication between the browser and the server is still over TLS.
Answer:
Explanation:
TLS (Transport Layer Security)secures communication (e.g., HTTPS) using certificates, per RFC 8446. A certificate includes:
Validity Period:Start and end dates (e.g., "Not After: March 8, 2025").
Purpose:Authenticates the server and encrypts the session.
Scenario:An expired TLS certificate (e.g., past "Not After" date). Modern browsers (e.g., Chrome, Firefox) validate certificates during the handshake:
ClientHello:Browser initiates TLS.
ServerHello:Server sends its certificate.
Validation:Browser checks expiration, CA trust, etc.
If expired, browsers reject the handshake, displaying errors (e.g., "NET::ERR_CERT_DATE_INVALID"). No session key is negotiated, andcommunication doesn’t proceed over TLS. Users may bypass warnings (e.g., "Advanced > Proceed"), but this is unencrypted or uses a fallback (not standard TLS), breaking security guarantees.
Security Implications:Expired certificates expose sites to MITM attacks, as trust is lost. CNSP likely emphasizes certificate management (e.g., automation with Let’s Encrypt) to avoid this.
Why other options are incorrect:
B. The communication is still over TLS:False; an expired certificate halts the TLS handshake in compliant browsers. Legacy systems might negotiate insecurely, but this isn’t "TLS" per standards.
Real-World Context:The 2019 Equifax breach partially stemmed from expired certificates missing vulnerabilities.References:CNSP Official Study Guide (TLS/SSL Security); RFC 8446 (TLS 1.3).
Which SMB (Server Message Block) network protocol versions are vulnerable to the EternalBlue (MS17-010) Windows exploit?
SMBv1 only
SMBv2 only
SMBv3 only
Both SMBv1 and SMBv2
Answer:
Explanation:
EternalBlue(MS17-010) is an exploit targeting a buffer overflow in Microsoft’s SMB (Server Message Block) implementation, leaked by the Shadow Brokers in 2017. SMB enables file/printer sharing:
SMBv1 (1980s):Legacy, used in Windows NT/XP.
SMBv2 (2006, Vista):Enhanced performance/security.
SMBv3 (2012, Windows 8):Adds encryption, multichannel.
Vulnerability:
EternalBlue exploits a flaw inSMBv1’s SRVNET driver (srv.sys), allowing remote code execution via crafted packets. Microsoft patched it in March 2017 (MS17-010).
Affected OS: Windows XP to Server 2016 (pre-patch), if SMBv1 enabled.
Proof: WannaCry/NotPetya used it, targeting port 445/TCP.
Version Scope:
SMBv1 Only:The bug resides in SMBv1’s packet handling (e.g., TRANS2 requests). SMBv2/v3 rewrote this code, immune to the specific overflow.
Microsoft: Post-patch, SMBv1 is disabled by default (Windows 10 1709+).
Security Implications:CNSP likely stresses disabling SMBv1 (e.g., via Group Policy) and patching, as EternalBlue remains a threat in legacy environments.
Why other options are incorrect:
B, C:SMBv2/v3 aren’t vulnerable; the flaw is SMBv1-specific.
D:SMBv2 isn’t affected, only SMBv1.
Real-World Context:WannaCry’s 2017 rampage hit unpatched SMBv1 systems (e.g., NHS), costing billions.References:CNSP Official Documentation (Windows Exploits); Microsoft MS17-010 Bulletin.
What RID is given to an Administrator account on a Microsoft Windows machine?
0
500
501
100
Answer:
Explanation:
In Windows, security principals (users, groups) are identified by aSecurity Identifier (SID), formatted as S-1-
RID 500:Assigned to the built-inAdministratoraccount on every Windows machine (e.g., S-1-5-21-
Created during OS install, with full system privileges.
Disabled by default in newer Windows versions (e.g., 10/11) unless explicitly enabled.
RID 501:Guest account (e.g., S-1-5-21-
Technical Details:
Stored in SAM (C:\Windows\System32\config\SAM).
Enumeration: Tools like wmic useraccount or net user reveal RIDs.
Domain Context: Domain Admins use RID 512, but the question specifies a local machine.
Security Implications:RID 500 is a prime target for brute-forcing or pass-the-hash attacks (e.g., Mimikatz). CNSP likely advises renaming/disabling it (e.g., via GPO).
Why other options are incorrect:
A. 0:Reserved (e.g., Null SID, S-1-0-0), not a user RID.
C. 501:Guest, not Administrator.
D. 100:Invalid; local user RIDs start at 1000 (e.g., custom accounts).
Real-World Context:Post-compromise, attackers query RID 500 (e.g., net user Administrator) for privilege escalation.References:CNSP Official Study Guide (Windows Security); Microsoft SID Documentation.
Which built-in Windows utility can be used to verify the validity of a Kerberos ticket?
Klist
Kerbtray
Netsh
Kerberos Manager
Answer:
Explanation:
Kerberos is the default authentication protocol in Windows Active Directory environments, andtickets are used to prove identity. Verifying ticket validity involves checking their status, expiration, and attributes, which requires a built-in tool available in modern Windows systems.
Why A is correct:Klist is a command-line utility included in Windows (since Vista/2008) that lists cached Kerberos tickets and their details, such as validity period and renewal status. CNSP recognizes it as the standard tool for Kerberos ticket management in security audits.
Why other options are incorrect:
B:Kerbtray is a graphical tool from the Windows Resource Kit, not a built-in utility, and is outdated.
C:Netsh manages network configurations, not Kerberos tickets.
D:"Kerberos Manager" is not a recognized built-in Windows utility; it’s a fictitious name.
References:CNSP "Authentication Protocols" (Section on Kerberos) identifies Klist as the built-in tool for ticket verification, contrasting it with deprecated or external tools.