The SecOps Group Certified Network Security Practitioner CNSP Exam Questions

Page: 1 / 14
Total 60 questions
Question 1

How many octets are there in an IPv6 address?



Answer : A

An IPv6 address, defined in RFC 4291, is a 128-bit address designed to replace IPv4's 32-bit scheme, vastly expanding address space (2^128 vs. 2^32). An octet is 8 bits (1 byte). To calculate octets in IPv6:

128 bits ÷ 8 bits/octet = 16 octets.

Representation:

IPv6 is written as eight 16-bit hexadecimal blocks (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334), separated by colons.

Each block is 16 bits (2 bytes), so 8 blocks = 16 octets.

Contrast with IPv4 (e.g., 192.168.0.1), which has 4 octets (32 bits).

Technical Note: This question's phrasing can be seen as misleading, since 'octets' is usually an IPv4 term while IPv6 addresses are described in '16-bit groups' or 'hextets'. That is technically accurate (RFC 4291 uses '16-bit blocks'), but 'octets' remains a common, if informal, term in security contexts for byte-wise analysis (e.g., packet crafting). CNSP might use 'octets' to test byte-level understanding, though 'groups' is more precise for IPv6. Either way, 16 octets (128 bits) is the correct count.

Security Implications: IPv6's larger address space complicates scanning (e.g., Nmap struggles with 2^128 possibilities) but introduces risks like misconfigured Neighbor Discovery Protocol (NDP). Understanding its structure aids in firewall rules and IDS signatures.

Why other options are incorrect:

B . 32: Implies 256 bits (32 × 8), far exceeding IPv6's 128-bit design.

C . 64: Suggests 512 bits (64 × 8), unrelated to IPv6 or any IP standard.

D . 128: Misinterprets octets as bits; 128 bits = 16 octets, not 128 octets.

Real-World Context: IPv6 packet analysis (e.g., Wireshark) breaks addresses into 16 octets for raw data inspection.
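To make the 128-bit / 8-group / 16-octet arithmetic concrete, here is an added example (not part of the original question bank) that expands an IPv6 address, including the '::' zero-compression of RFC 4291, into its eight 16-bit groups and then into its 16 octets, and cross-checks the result against Python's ipaddress module; the IPv4 helper is included only for the contrast drawn above.

```python
import ipaddress

HEX = set("0123456789abcdefABCDEF")

def expand_ipv6(addr: str) -> list:
    """Expand an IPv6 text address into its eight 16-bit groups (hextets).

    Handles the single '::' zero-run compression of RFC 4291. Embedded
    IPv4 notation (e.g. ::ffff:192.0.2.1) is left to the ipaddress module.
    """
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError(f"bad group {g!r}")
        values.append(int(g, 16))
    return values

def ipv6_octets(addr: str) -> list:
    """Split each 16-bit group into its high and low byte: 8 groups -> 16 octets."""
    octets = []
    for group in expand_ipv6(addr):
        octets.extend((group >> 8, group & 0xFF))
    return octets

def ipv4_octets(addr: str) -> list:
    """For contrast: an IPv4 dotted quad is already written as its 4 octets."""
    return list(ipaddress.IPv4Address(addr).packed)

if __name__ == "__main__":
    a = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"  # the address quoted above
    print(len(expand_ipv6(a)), "groups of 16 bits")
    print(len(ipv6_octets(a)), "octets:", [f"{b:02x}" for b in ipv6_octets(a)])
    # cross-check against the standard library's packed (binary) form
    assert bytes(ipv6_octets(a)) == ipaddress.IPv6Address(a).packed
    print(len(ipv4_octets("192.168.0.1")), "octets for IPv4")
```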


Question 2

Which of the following is an example of a SUID program?



Answer : C

In Linux/Unix, the SUID (Set User ID) bit allows a program to execute with the owner's permissions, typically root, rather than the caller's. It's denoted by an s in the user execute field (e.g., -rwsr-xr-x). Common SUID programs perform privileged tasks requiring temporary elevation.

Analysis:

C . /usr/bin/passwd:

Purpose: Updates user passwords in /etc/shadow (root-owned, 0600 perms).

Permissions: Typically -rwsr-xr-x, owned by root. The SUID bit lets non-root users update their own entry in /etc/shadow through the program's controlled code path.

Command: ls -l /usr/bin/passwd confirms SUID (s in user execute).

A . /bin/ls:

Purpose: Lists directory contents, no privileged access needed.

Permissions: -rwxr-xr-x (no SUID). Runs as the calling user.

B . /usr/bin/curl:

Purpose: Transfers data over HTTP/FTP, no root privileges required by default.

Permissions: -rwxr-xr-x (no SUID).

Technical Details:

SUID Bit: Set via chmod u+s <file> or chmod 4755.

Security: SUID binaries are audited (e.g., find / -perm -u=s) due to escalation risks if writable or poorly coded (e.g., buffer overflows).

Security Implications: CNSP likely highlights SUID as an attack vector (e.g., CVE-1996-0095 exploited passwd flaws). Hardening removes unnecessary SUID bits.

Why other options are incorrect:

A, B: Lack SUID; no privileged operations.

D: Incorrect, as /usr/bin/passwd is a SUID example.

Real-World Context: SUID on /bin/su or /usr/bin/sudo similarly enables privilege escalation, often targeted in exploits.
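The audit the Technical Details describe (find / -perm -u=s) can also be done programmatically; this added example, not from the exam material, walks a directory tree, reports every regular file with the SUID bit set in the same -rwsr-xr-x notation ls -l uses, and flags the hardening concern mentioned above: a SUID binary that is group- or world-writable. The demo() fixture builds a throwaway temporary tree rather than scanning a real system.

```python
import os
import shutil
import stat
import tempfile

def find_suid(root: str) -> list:
    """Walk `root` and report regular files with the SUID bit set, flagging
    the dangerous case the explanation mentions: a SUID file that is also
    group- or world-writable. Symlinks are not followed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or removed mid-walk; skip it
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            findings.append({
                "path": path,
                "mode": stat.filemode(st.st_mode),  # same string ls -l prints, e.g. -rwsr-xr-x
                "owner_uid": st.st_uid,
                "writable_by_others": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
            })
    return findings

def demo() -> list:
    """Constructed fixture, not a real system scan: a scratch tree holding one
    SUID file (4755), one SUID file that is also world-writable (4777) and one
    plain 755 file. Returns (name, mode string, writable_by_others) tuples."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    try:
        for name, mode in (("safe", 0o4755), ("risky", 0o4777), ("plain", 0o755)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho hello\n")
            os.chmod(path, mode)  # setting SUID on a file you own needs no root
        return sorted((os.path.basename(f["path"]), f["mode"], f["writable_by_others"])
                      for f in find_suid(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for name, mode, writable in demo():
        print(f"{mode} {name}" + ("  <-- writable by others!" if writable else ""))
```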


Question 3

Which one of the following services is not a UDP-based protocol?



Answer : D

Protocols are defined by their transport layer usage (TCP or UDP), impacting their security and performance characteristics.

Why D is correct: SSH (Secure Shell) uses TCP (port 22) for reliable, connection-oriented communication, unlike the UDP-based options. CNSP contrasts TCP and UDP protocol security.

Why other options are incorrect:

A: SNMP uses UDP (ports 161, 162) for lightweight network management.

B: NTP uses UDP (port 123) for time synchronization.

C: IKE (IPsec key exchange) uses UDP (ports 500, 4500).


Question 4

Which Kerberos ticket is required to generate a Silver Ticket?



Answer : C

A Silver Ticket is a forged Kerberos Service Ticket (TGS - Ticket Granting Service) in Active Directory, granting access to a specific service (e.g., MSSQL, CIFS) without KDC interaction. Unlike a Golden Ticket (TGT forgery), it requires:

Service Account's NTLM Hash: The target service's account (e.g., MSSQLSvc) hash, not a ticket.

Forgery: Tools like Mimikatz craft the TGS (e.g., kerberos::golden /service:<spn> /user:<user> /ntlm:<hash>).

Kerberos Flow (RFC 4120):

TGT (Ticket-Granting Ticket): Obtained via AS (Authentication Service) with user creds.

TGS: Requested from TGS (Ticket Granting Service) using TGT for service access.

Silver Ticket Process:

No TGT needed; the attacker mimics the TGS step using the service account's stolen hash (e.g., from a compromised host).

C . Service Account Ticket: A misnomer; it is the service account's hash (e.g., MSSQLSvc) that enables forgery, not a pre-existing ticket. CNSP's phrasing likely tests this nuance.

Security Implications: Silver Tickets are stealthier than Golden Tickets (service-specific, shorter-lived). CNSP likely stresses hash protection (e.g., LAPS) and Kerberos monitoring.

Why other options are incorrect:

A . Session Ticket: Not a Kerberos term; confuses session keys.

B . TGT: Used for Golden Tickets, not Silver.

D: Incorrect; the service account's hash (implied by 'ticket') is essential.

Real-World Context: Silver Tickets were exploited in APT29 attacks (2020 SolarWinds) for lateral movement.


Question 5

What is the response from a closed UDP port which is not behind a firewall?



Answer : A

UDP is a connectionless protocol, and its behavior when a packet reaches a port depends on whether the port is open or closed. Without a firewall altering the response, the standard protocol applies.

Why A is correct: When a UDP packet is sent to a closed port, the host typically responds with an ICMP Type 3 (Destination Unreachable), Code 3 (Port Unreachable) message, indicating no service is listening. CNSP notes this as a key indicator in port scanning.

Why other options are incorrect:

B: RST packets are TCP-specific, not used in UDP.

C: Silence is the behaviour of an open UDP port (unless the listening application chooses to reply), not of a closed one.

D: A is correct, so 'none of the above' is invalid.
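What that closed-port answer looks like on the wire is easiest to see by decoding one. This added example (not part of the original material) parses an IPv4 frame and, if it is an ICMP Type 3 / Code 3 reply quoting the original UDP probe (RFC 792 requires the IP header plus the first 8 bytes of the datagram), recovers which port was unreachable; any other ICMP type or code yields None. The sample_reply() bytes are a constructed capture with the IP addresses 192.0.2.10 / 192.0.2.20 and port 161 chosen for illustration and checksums left at zero.

```python
import socket
import struct
from typing import Optional

ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3
PROTO_ICMP, PROTO_UDP = 1, 17
IP_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst

def parse_port_unreachable(frame: bytes) -> Optional[dict]:
    """Return details if `frame` is an IPv4/ICMP Type 3 Code 3 reply quoting a
    UDP probe, i.e. the closed-port answer described above; otherwise None."""
    if len(frame) < 20:
        return None
    ver_ihl, _, _, _, _, ttl, proto, _, src, _ = struct.unpack(IP_HDR, frame[:20])
    if ver_ihl >> 4 != 4 or proto != PROTO_ICMP:
        return None
    icmp = frame[(ver_ihl & 0x0F) * 4:]
    if len(icmp) < 8 + 20 + 8:  # ICMP header + quoted IP header + first 8 bytes
        return None
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
        return None
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != PROTO_UDP or len(quoted) < q_ihl + 8:
        return None  # the quoted datagram was not UDP (or is truncated)
    sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", quoted[q_ihl:q_ihl + 8])
    return {"from": socket.inet_ntoa(src), "ttl": ttl,
            "unreachable_port": dport, "probe_src_port": sport}

def sample_reply(code: int = ICMP_PORT_UNREACH, quoted_proto: int = PROTO_UDP) -> bytes:
    """Constructed capture (not real traffic): host 192.0.2.20 answering a probe
    from 192.0.2.10:40000 to UDP/161. Checksums are left as 0 for brevity."""
    scanner, target = socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20")
    quoted_ip = struct.pack(IP_HDR, 0x45, 0, 28, 0x1234, 0, 64, quoted_proto, 0, scanner, target)
    quoted_l4 = struct.pack("!HHHH", 40000, 161, 8, 0)  # UDP header of the original probe
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted_ip + quoted_l4
    outer = struct.pack(IP_HDR, 0x45, 0, 20 + len(icmp), 0x5678, 0, 64, PROTO_ICMP, 0, target, scanner)
    return outer + icmp

if __name__ == "__main__":
    print(parse_port_unreachable(sample_reply()))
    print(parse_port_unreachable(sample_reply(code=1)))  # host unreachable -> None
```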


Question 6

Which SMB (Server Message Block) network protocol versions are vulnerable to the EternalBlue (MS17-010) Windows exploit?



Answer : A

EternalBlue (MS17-010) is an exploit targeting a buffer overflow in Microsoft's SMB (Server Message Block) implementation, leaked by the Shadow Brokers in 2017. SMB enables file/printer sharing:

SMBv1 (1980s): Legacy, used in Windows NT/XP.

SMBv2 (2006, Vista): Enhanced performance/security.

SMBv3 (2012, Windows 8): Adds encryption, multichannel.

Vulnerability:

EternalBlue exploits a flaw in SMBv1's SRVNET driver (srv.sys), allowing remote code execution via crafted packets. Microsoft patched it in March 2017 (MS17-010).

Affected OS: Windows XP to Server 2016 (pre-patch), if SMBv1 is enabled.

Proof: WannaCry/NotPetya used it, targeting port 445/TCP.

SMBv1 Only: The bug resides in SMBv1's packet handling (e.g., TRANS2 requests). SMBv2/v3 rewrote this code and are immune to this specific overflow.

Microsoft: Post-patch, SMBv1 is disabled by default (Windows 10 1709+).

Security Implications: CNSP likely stresses disabling SMBv1 (e.g., via Group Policy) and patching, as EternalBlue remains a threat in legacy environments.

Why other options are incorrect:

B, C: SMBv2/v3 aren't vulnerable; the flaw is SMBv1-specific.

D: SMBv2 isn't affected, only SMBv1.

Real-World Context: WannaCry's 2017 rampage hit unpatched SMBv1 systems (e.g., NHS), costing billions.


Question 7

Where are the password hashes stored in a Microsoft Windows 64-bit system?



Answer : B

Windows stores password hashes in the SAM (Security Account Manager) file, with a consistent location across 32-bit and 64-bit systems.

Why B is correct: The SAM file resides at C:\Windows\System32\config\SAM, locked during system operation for security. CNSP notes this for credential extraction risks.

Why other options are incorrect:

A: System64 does not exist; System32 is used even on 64-bit systems.

C: C:\System64 is invalid; the path starts with Windows.

D: config\System32 reverses the correct directory structure.

