The SecOps Group Certified Network Security Practitioner CNSP Exam Practice Test

Answer : C

The SMB protocol, used for file and printer sharing, has evolved across versions, with significant security enhancements in later iterations.

Why C is correct: SMBv3, introduced with Windows 8 and Server 2012, added native support for encrypting SMB traffic. This feature uses AES-CCM encryption to protect data in transit, addressing vulnerabilities in earlier versions. CNSP notes SMBv3's encryption as a critical security improvement.

Why other options are incorrect:

A . SMBv1: Lacks encryption support and is considered insecure, often disabled due to vulnerabilities like WannaCry exploitation.

B . SMBv2: Introduces performance improvements but does not support encryption natively.

D . None of the above: Incorrect, as SMBv3 is the version that introduced encryption.

Answer : A

A DNS zone transfer involves replicating the DNS zone data (e.g., all records for a domain) from a primary to a secondary DNS server, requiring a reliable transport mechanism.

Why A is correct: DNS zone transfers use TCP port 53 because TCP ensures reliable, ordered delivery of data, which is critical for transferring large zone files. CNSP notes that TCP is the standard protocol for zone transfers (e.g., AXFR requests), as specified in RFC 5936.

Why other options are incorrect:

B . 53/UDP: UDP port 53 is used for standard DNS queries and responses due to its speed and lower overhead, but it is not suitable for zone transfers, which require reliability over speed.

C . Both 1 and 2: This is incorrect because zone transfers are exclusively TCP-based, not UDP-based.

D . None of the above: Incorrect, as 53/TCP is the correct port for DNS zone transfers.

Answer : D

DDoS (Distributed Denial of Service) attacks aim to overwhelm a target's resources with excessive traffic, disrupting availability, whereas other attack types target different goals.

Why D is correct: Brute force attacks focus on guessing credentials (e.g., passwords) to gain unauthorized access, not on denying service. CNSP classifies it as an authentication attack, not a DDoS method.

Why other options are incorrect:

A: SYN Flood exhausts TCP connection resources, a classic DDoS attack.

B: NTP Amplification leverages amplified responses to flood targets, a DDoS technique.

C: UDP Flood overwhelms a system with UDP packets, another DDoS method.

Answer : A

The screenshot is from Wireshark, a network protocol analyzer, displaying captured network traffic. The relevant columns include the source and destination IP addresses, ports, protocol, and additional information about the packets. Let's break down the details:

Destination Port Analysis: The screenshot shows multiple packets with a destination port of 443 (e.g., in the 'Destination' column, entries like '172.72.61.9:443'). Port 443 is the default port for HTTPS (HTTP Secure), which is HTTP traffic encrypted using SSL/TLS. This indicates that the application is communicating over HTTPS.

Protocol Analysis: The 'Protocol' column lists 'TLSv1.2' for most packets (e.g., frame numbers 2000084, 2000086). TLS (Transport Layer Security) is the cryptographic protocol used by HTTPS to secure HTTP communications. This confirms that the traffic is HTTPS, not plain HTTP.

Packet Details: The 'Info' column provides additional context, such as 'Application Data' for TLS packets, indicating encrypted application-layer data (typical of HTTPS). There are also HTTP packets (e.g., frame 2000088), but these are likely part of the HTTPS session (e.g., HTTP/2 over TLS, as noted by 'HTTP2').

Now, let's evaluate the options:

Option A: 'The application is running on port 443 and the HTTPS protocol.'

This is correct. The destination port 443 and the use of TLSv1.2 confirm that the application is using HTTPS. HTTPS is the standard protocol for secure web communication, and port 443 is its designated port. CNSP documentation emphasizes that HTTPS traffic on port 443 indicates a secure application-layer protocol, often used for web applications handling sensitive data.

Option B: 'The credentials have been submitted over the HTTP protocol.'

This is incorrect. HTTP typically uses port 80, but the screenshot shows traffic on port 443 with TLS, indicating HTTPS. Credentials submitted over this connection would be encrypted via HTTPS, not sent in plaintext over HTTP. CNSP highlights the security risks of HTTP for credential submission due to lack of encryption, which isn't the case here.

Option C: 'The credentials have been submitted over the HTTPS protocol.'

While this statement could be true (since HTTPS is in use, any credentials would likely be submitted securely), the question asks for the 'correct' statement based on the screenshot. The screenshot doesn't explicitly show credential submission (e.g., a POST request with form data); it only shows the protocol and port. Option A is more directly supported by the screenshot as it focuses on the application's protocol and port, not the specific action of credential submission. CNSP notes that HTTPS ensures confidentiality, but this option requires more specific evidence of credentials.

Option D: 'The application is running on port 80 and the HTTP protocol.'

This is incorrect. Port 80 is the default for HTTP, but the screenshot clearly shows port 443 and TLS, indicating HTTPS. CNSP documentation contrasts HTTP (port 80, unencrypted) with HTTPS (port 443, encrypted), making this option invalid.

Conclusion: Option A is the most accurate and comprehensive statement directly supported by the screenshot, confirming the application's use of port 443 and HTTPS. While Option C might be true in a broader context, it's less definitive without explicit evidence of credential submission in the captured packets.

Answer : A

Port 111/TCP is the default port for the RPC (Remote Procedure Call) portmapper service on Unix systems, which registers and manages RPC services.

Why A is correct: Running rpcinfo -p <hostname> queries the portmapper to list all registered RPC services, their programs, versions, and associated ports. This is a logical next step during a security audit or penetration test to identify potential vulnerabilities (e.g., NFS or NIS services). CNSP recommends this command for RPC enumeration.

Why other options are incorrect:

B . Telnet to the port to look for a banner: Telnet might connect, but RPC services don't typically provide a human-readable banner, making this less effective than rpcinfo.

C . Telnet to the port, send 'GET / HTTP/1.0' and gather information from the response: Port 111 is not an HTTP service, so an HTTP request is irrelevant and will likely fail.

D . None of the above: Incorrect, as A is a valid and recommended step.

Answer : D

The Active Directory (AD) database on Windows domain controllers contains critical directory information, stored in a specific file format.

Why D is correct: The NTDS.DIT file (NT Directory Services Directory Information Tree) is the Active Directory database file, located in C:\Windows\NTDS\ on domain controllers. It stores all AD objects (users, groups, computers) and schema data in a hierarchical structure. CNSP identifies NTDS.DIT as the key file for AD data extraction in security audits.

Why other options are incorrect:

A . NTDS.DAT: Not a valid AD database file; may be a confusion with other system files.

B . NTDS.MDB: Refers to an older Microsoft Access database format, not used for AD.

C . MSAD.MDB: Not a recognized file for AD; likely a misnomer.

Answer : D

Protocols are defined by their transport layer usage (TCP or UDP), impacting their security and performance characteristics.

Why D is correct: SSH (Secure Shell) uses TCP (port 22) for reliable, connection-oriented communication, unlike the UDP-based options. CNSP contrasts TCP and UDP protocol security.

Why other options are incorrect:

A: SNMP uses UDP (ports 161, 162) for lightweight network management.

B: NTP uses UDP (port 123) for time synchronization.

C: IKE (IPsec key exchange) uses UDP (ports 500, 4500).