The SecOps Group CNSP Exam Practice Test Instant Access

Question 1

What is the response from a closed TCP port which is not behind a firewall?

AICMP message showing Port Unreachable

BA FIN and an ACK packet

CA RST and an ACK packet

DA SYN and an ACK packet

Answer : C

TCP uses a structured handshake, and its response to a connection attempt on a closed port follows a specific protocol when unobstructed by a firewall.

Why C is correct: A closed TCP port responds with a RST (Reset) and ACK (Acknowledgment) packet to terminate the connection attempt immediately. CNSP highlights this as a key scanning indicator.

Why other options are incorrect:

A: ICMP Port Unreachable is for UDP, not TCP.

B: FIN/ACK is for closing active connections, not rejecting new ones.

D: SYN/ACK indicates an open port during the TCP handshake.

Question 2

Which of the following techniques can be used to bypass network segmentation during infrastructure penetration testing?

ADNS tunneling

BVLAN hopping

CCovert channels

DAll of the above

Answer : D

Network segmentation isolates network zones for security, but certain techniques can circumvent these controls, a focus of CNSP penetration testing.

Why D is correct:

A: DNS tunneling encodes data in DNS queries, bypassing segmentation via legitimate DNS traffic.

B: VLAN hopping exploits switch misconfigurations (e.g., double tagging) to access other VLANs.

C: Covert channels use hidden communication paths (e.g., timing channels) to evade segmentation.

All are valid techniques per CNSP for testing segmentation controls.

Why other options are incomplete: A, B, or C alone exclude other viable methods, making D the comprehensive answer.

Question 3

What kind of files are "Dotfiles" in a Linux-based architecture?

ALibrary files

BDriver files

CSystem files

DHidden files

Answer : D

In Linux, file visibility is determined by naming conventions, impacting how files are listed or accessed in the file system.

Why D is correct: 'Dotfiles' are files or directories with names starting with a dot (e.g., .bashrc), making them hidden by default in directory listings (e.g., ls requires -a to show them). They are commonly used for user configuration, as per CNSP's Linux security overview.

Why other options are incorrect:

A: Library files (e.g., in /lib) aren't inherently hidden.

B: Driver files (e.g., kernel modules in /lib/modules) aren't dotfiles by convention.

C: System files may or may not be hidden; 'dotfiles' specifically denotes hidden status.

Question 4

What is the response from a closed UDP port which is not behind a firewall?

AICMP message showing Destination Unreachable

BA RST packet

CNo response

DNone of the above

Answer : A

UDP is a connectionless protocol, and its behavior when a packet reaches a port depends on whether the port is open or closed. Without a firewall altering the response, the standard protocol applies.

Why A is correct: When a UDP packet is sent to a closed port, the host typically responds with an ICMP Type 3 (Destination Unreachable), Code 3 (Port Unreachable) message, indicating no service is listening. CNSP notes this as a key indicator in port scanning.

Why other options are incorrect:

B: RST packets are TCP-specific, not used in UDP.

C: No response occurs for open UDP ports unless an application replies, not closed ports.

D: A is correct, so 'none of the above' is invalid.

Question 5

What is the response from a closed TCP port which is behind a firewall?

AA FIN and an ACK packet

BRST and an ACK packet

CA SYN and an ACK packet

DNo response

Answer : D

TCP (Transmission Control Protocol) uses a three-way handshake (SYN, SYN-ACK, ACK) to establish connections, as per RFC 793. When a client sends a SYN packet to a port:

Open Port: The server responds with SYN-ACK.

Closed Port (no firewall): The server sends an RST (Reset) packet, often with ACK, to terminate the attempt immediately.

However, when a firewall is present, its configuration dictates the response. Modern firewalls typically operate in stealth mode, using a 'drop' rule for closed ports rather than a 'reject' rule:

Drop: Silently discards the packet without replying, resulting in no response. The client experiences a timeout (e.g., 30 seconds), as no feedback is provided.

Reject: Sends an RST or ICMP 'Port Unreachable,' but this is less common for security reasons, as it confirms the firewall's presence.

For a closed TCP port behind a firewall, 'no response' (drop) is the standard behavior in secure configurations, minimizing information leakage to attackers. This aligns with CNSP's focus on firewall best practices to obscure network topology during port scanning (e.g., with Nmap).

Why other options are incorrect:

A . A FIN and an ACK packet: FIN-ACK is used to close an established TCP connection gracefully (e.g., after data transfer), not to respond to an initial SYN on a closed port.

B . RST and an ACK packet: RST-ACK is the host's response to a closed port without a firewall. A firewall's drop rule overrides this by silently discarding the packet.

C . A SYN and an ACK packet: SYN-ACK indicates an open port accepting a connection, the opposite of a closed port scenario.

Real-World Context: Tools like Nmap interpret 'no response' as 'filtered' (firewall likely present) vs. 'closed' (RST received), aiding in firewall detection.

Question 6

Which one of the following is a phishing email?

AOnly A

BOnly B

CBoth A and B

DNone of the above
Explanation:

The screenshot shows an email labeled 'B' with the subject 'Verify your email address' purportedly from Apple. To determine if this is a phishing email, we need to analyze its content and characteristics against common phishing indicators as outlined in CNSP documentation. Since option A is not provided in the screenshot, we will evaluate email B and infer the context for A.
Analysis of Email B:
Sender and Branding: The email claims to be from 'Apple Support' and includes an Apple logo, which is a common tactic to establish trust. However, phishing emails often impersonate legitimate brands like Apple to deceive users.
Subject and Content: The subject 'Verify your email address' and the body requesting the user to verify their email by clicking a link ('Verify Your Email') are typical of phishing attempts. Legitimate companies like Apple may send verification emails, but the tone and context here raise suspicion.
Link Presence: The email contains a clickable link ('Verify Your Email') that is purportedly for email verification. The screenshot does not show the URL, but phishing emails often include malicious links that lead to fake login pages to steal credentials. CNSP emphasizes that unsolicited requests to click links for verification are a red flag.
Urgency and Vague Instructions: The email includes a statement, 'If you did not make this change or believe an unauthorized person has accessed your account, click here to cancel and secure your account.' This creates a sense of urgency, a common phishing tactic to prompt immediate action without critical thinking.
Generic Greeting: The email starts with 'Dear User,' a generic greeting often used in phishing emails. Legitimate companies like Apple typically personalize emails with the user's name.
Suspicious Elements: The email mentions 'your Apple ID (example@icloud.com),' which is a placeholder rather than a specific email address, further indicating a mass phishing campaign rather than a targeted, legitimate communication.
Phishing Indicators (per CNSP):
CNSP documentation on phishing identification lists several red flags:
Unsolicited requests for verification or account updates.
Generic greetings (e.g., 'Dear User' instead of a personalized name).
Presence of links that may lead to malicious sites (not verifiable in the screenshot but implied).
Urgency or threats (e.g., 'click here to cancel and secure your account').
Impersonation of trusted brands (e.g., Apple).
Email B exhibits multiple indicators: the generic greeting, unsolicited verification request, urgent call to action, and impersonation of Apple.
Option A Context:
Since the screenshot only shows email B, and the correct answer is 'Only B,' we can infer that email A (not shown) does not exhibit phishing characteristics. For example, A might be a legitimate email from Apple with proper personalization, no suspicious links, or a different context (e.g., a purchase confirmation rather than a verification request).
Evaluation of Options:
1. Only A: Incorrect, as email A is not shown, and the correct answer indicates B as the phishing email.
2. Only B: Correct. Email B shows clear phishing characteristics, such as impersonation, a generic greeting, an unsolicited verification link, and urgency, aligning with CNSP's phishing criteria.
3. Both A and B: Incorrect, as A is implied to be non-phishing based on the correct answer.
4. None of the above: Incorrect, as B is a phishing email.
Conclusion: Email B is a phishing email due to its impersonation of Apple, generic greeting, unsolicited verification request with a link, and use of urgency to prompt action. Since A is not shown but implied to be non-phishing, the correct answer is 'Only B.'

Answer : B

Question 7

What is the response from an open UDP port which is not behind a firewall?

AICMP message showing Port Unreachable

BNo response

CA SYN packet

DA FIN packet

Answer : B

UDP's connectionless nature means it lacks inherent acknowledgment mechanisms, affecting its port response behavior.

Why B is correct: An open UDP port does not respond unless an application explicitly sends a reply. Without a firewall or application response, the sender receives no feedback, per CNSP scanning guidelines.

Why other options are incorrect:

A: ICMP Port Unreachable indicates a closed port, not an open one.

C: SYN packets are TCP-specific, not UDP.

D: FIN packets are also TCP-specific.

The SecOps Group Certified Network Security Practitioner CNSP Exam Practice Test