
[Sep 08, 2025] CNSP PDF Questions and Testing Engine With 62 Questions
Updated Exam Engine for CNSP Exam Free Demo & 365 Day Updates
The SecOps Group CNSP Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
| Topic 6 |
|
| Topic 7 |
|
| Topic 8 |
|
| Topic 9 |
|
| Topic 10 |
|
| Topic 11 |
|
| Topic 12 |
|
| Topic 13 |
|
NEW QUESTION # 25
What ports does an MSSQL server typically use?
- A. 1433/TCP, 2433/UDP, and 1434/TCP
- B. 1533/TCP, 1434/UDP, and 2434/TCP
- C. 1433/TCP, 2433/UDP, and 3433/TCP
- D. 1433/TCP, 1434/UDP, and 1434/TCP
Answer: D
Explanation:
Microsoft SQL Server (MSSQL) relies on specific ports for its core services, as defined by Microsoft and registered with IANA:
1433/TCP: The default port for the SQL Server Database Engine. Clients connect here for querying databases (e.g., via ODBC or JDBC). It's a well-known port, making it a frequent target for attacks if exposed.
1434/UDP: Used by the SQL Server Browser Service, which listens for incoming requests and redirects clients to the correct port/instance (especially for named instances). It's critical for discovering dynamic ports when 1433 isn't used.
1434/TCP: Less commonly highlighted but used in some configurations, such as dedicated admin connections (DAC) or when the Browser Service responds over TCP for specific instances. While 1433/TCP is the primary engine port, 1434/TCP can be involved in multi-instance setups.
Technical Details:
Ports can be customized (e.g., via SQL Server Configuration Manager), but these are defaults.
Named instances often use dynamic ports (allocated from the ephemeral range), with the Browser Service (1434/UDP) guiding clients to them.
Firewalls must allow these ports for MSSQL to function externally, posing risks if not secured (e.g., brute-force attacks on 1433/TCP).
Security Implications: CNSP likely covers MSSQL port security, as vulnerabilities like SQL Slammer (2003) exploited 1434/UDP misconfigurations. Hardening includes restricting access, changing defaults, and monitoring traffic.
Why other options are incorrect:
A . 1433/TCP, 2433/UDP, 3433/TCP: 2433/UDP and 3433/TCP are not MSSQL standards; they're likely typos or unrelated ports.
C . 1433/TCP, 2433/UDP, 1434/TCP: 2433/UDP is incorrect; 1434/UDP is the Browser Service port.
D . 1533/TCP, 1434/UDP, 2434/TCP: 1533/TCP and 2434/TCP aren't associated with MSSQL; they deviate from documented defaults.
Real-World Context: Tools like netstat -an | find "1433" on Windows confirm MSSQL's port usage during audits.
NEW QUESTION # 26
Where is the system registry file stored in a Microsoft Windows Operating System?
- A. All of the above
- B. C:\Windows\System32\Config
- C. C:\Windows\debug
- D. C:\Windows\security
Answer: B
Explanation:
The Windows Registry is a hierarchical database storing configuration settings for the operating system, applications, and hardware. It's physically stored as hive files on disk, located in the directory C:\Windows\System32\Config. These files are loaded into memory at boot time and managed by the Windows kernel. Key hive files include:
SYSTEM: Contains hardware and system configuration (e.g., drivers, services).
SOFTWARE: Stores software settings.
SAM: Security Accounts Manager data (e.g., local user accounts, passwords).
SECURITY: Security policies and permissions.
DEFAULT: Default user profile settings.
USERDIFF and user-specific hives (e.g., NTUSER.DAT in C:\Users<username>) for individual profiles, though these are linked to Config indirectly.
Technical Details:
Path: C:\Windows\System32\Config is the primary location for system-wide hives. Files lack extensions (e.g., "SYSTEM" not "SYSTEM.DAT") and are backed by transaction logs (e.g., SYSTEM.LOG) for recovery.
Access: Direct file access is restricted while Windows runs, as the kernel locks them. Tools like reg save or offline forensic utilities (e.g., RegRipper) can extract them.
Backup: Copies may exist in C:\Windows\System32\config\RegBack (pre-Windows 10 1803) or repair folders (e.g., C:\Windows\Repair).
Security Implications: The registry is a prime target for attackers (e.g., persistence via Run keys) and malware (e.g., WannaCry modified registry entries). CNSP likely emphasizes securing this directory (e.g., NTFS permissions) and auditing changes (e.g., via Event Viewer, Event ID 4657). Compromising these files offline (e.g., via physical access) can extract password hashes from SAM.
Why other options are incorrect:
A . C:\Windows\debug: Used for debug logs (e.g., memory.dmp) or tools like DebugView, not registry hives. It's unrelated to core configuration storage.
C . C:\Windows\security: Contains security-related files (e.g., audit logs, policy templates), but not the registry hives themselves.
D . All of the above: Only B is correct; including A and C dilutes accuracy.
Real-World Context: Forensic analysts target C:\Windows\System32\Config during investigations (e.g., parsing SAM with Mimikatz offline).
NEW QUESTION # 27
What is the response from an open UDP port which is behind a firewall (port is open on the firewall)?
- A. No response
- B. ICMP message showing Port Unreachable
- C. A FIN Packet
- D. A SYN Packet
Answer: A
Explanation:
UDP (User Datagram Protocol), per RFC 768, is connectionless, lacking TCP's handshake or acknowledgment mechanisms. When a UDP packet reaches a port:
Closed Port: The host typically sends an ICMP "Destination Port Unreachable" (Type 3, Code 3) unless suppressed (e.g., by firewall or OS settings).
Open Port: If a service is listening (e.g., DNS on 53/UDP), it processes the packet but doesn't inherently reply unless the application protocol requires it (e.g., DNS sends a response).
Scenario: An open UDP port behind a firewall, with the firewall rule allowing traffic (e.g., permit udp any host 10.0.0.1 eq 123). The packet reaches the service, but UDP itself doesn't mandate a response. Most services (e.g., NTP, SNMP) only reply if the packet matches an expected request. In this question's generic context (no specific service), no response is the default, as the firewall permits the packet, and the open port silently accepts it without feedback.
Security Implications: This silence makes UDP ports harder to scan (e.g., Nmap assumes "open|filtered" for no response), but exposed open ports risk amplification attacks (e.g., DNS reflection). CNSP likely contrasts UDP's behavior with TCP for firewall rule crafting.
Why other options are incorrect:
A . ICMP message showing Port Unreachable: Occurs for closed ports, not open ones, unless the service explicitly rejects the packet (rare).
C . A SYN Packet: SYN is TCP-specific (handshake initiation), irrelevant to UDP.
D . A FIN Packet: FIN is TCP-specific (connection closure), not UDP.
Real-World Context: Testing UDP 53 (DNS) with dig @8.8.8.8 +udp yields a response, but generic UDP probes (e.g., nc -u) often get silence.
NEW QUESTION # 28
What kind of files are "Dotfiles" in a Linux-based architecture?
- A. Driver files
- B. Hidden files
- C. Library files
- D. System files
Answer: B
Explanation:
In Linux, file visibility is determined by naming conventions, impacting how files are listed or accessed in the file system.
Why D is correct: "Dotfiles" are files or directories with names starting with a dot (e.g., .bashrc), making them hidden by default in directory listings (e.g., ls requires -a to show them). They are commonly used for user configuration, as per CNSP's Linux security overview.
Why other options are incorrect:
A: Library files (e.g., in /lib) aren't inherently hidden.
B: Driver files (e.g., kernel modules in /lib/modules) aren't dotfiles by convention.
C: System files may or may not be hidden; "dotfiles" specifically denotes hidden status.
NEW QUESTION # 29
How many octets are there in an IPv6 address?
- A. 0
- B. 1
- C. 2
- D. 3
Answer: D
Explanation:
An IPv6 address, defined in RFC 4291, is a 128-bit address designed to replace IPv4's 32-bit scheme, vastly expanding address space (2^128 vs. 2^32). An octet is 8 bits (1 byte). To calculate octets in IPv6:
128 bits ÷ 8 bits/octet = 16 octets.
Representation:
IPv6 is written as eight 16-bit hexadecimal blocks (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334), separated by colons.
Each block is 16 bits (2 bytes), so 8 blocks = 16 octets.
Contrast with IPv4 (e.g., 192.168.0.1), which has 4 octets (32 bits).
Technical Note: Your original input flagged this question's phrasing as potentially misleading, suggesting "octets" is an IPv4 term, while IPv6 uses "16-bit groups" or "hextets." While technically accurate (RFC 4291 uses "16-bit blocks"), "octets" remains a common, if informal, term in security contexts for byte-wise analysis (e.g., packet crafting). CNSP might use "octets" to test byte-level understanding, though "groups" is more precise for IPv6. Here, 16 octets (128 bits) is correct either way.
Security Implications: IPv6's larger address space complicates scanning (e.g., Nmap struggles with 2^128 possibilities) but introduces risks like misconfigured Neighbor Discovery Protocol (NDP). Understanding its structure aids in firewall rules and IDS signatures.
Why other options are incorrect:
B . 32: Implies 256 bits (32 × 8), far exceeding IPv6's 128-bit design.
C . 64: Suggests 512 bits (64 × 8), unrelated to IPv6 or any IP standard.
D . 128: Misinterprets octets as bits; 128 bits = 16 octets, not 128 octets.
Real-World Context: IPv6 packet analysis (e.g., Wireshark) breaks addresses into 16 octets for raw data inspection.
NEW QUESTION # 30
Which built-in Windows utility can be used to verify the validity of a Kerberos ticket?
- A. Netsh
- B. Kerbtray
- C. Klist
- D. Kerberos Manager
Answer: C
Explanation:
Kerberos is the default authentication protocol in Windows Active Directory environments, and tickets are used to prove identity. Verifying ticket validity involves checking their status, expiration, and attributes, which requires a built-in tool available in modern Windows systems.
Why A is correct: Klist is a command-line utility included in Windows (since Vista/2008) that lists cached Kerberos tickets and their details, such as validity period and renewal status. CNSP recognizes it as the standard tool for Kerberos ticket management in security audits.
Why other options are incorrect:
B: Kerbtray is a graphical tool from the Windows Resource Kit, not a built-in utility, and is outdated.
C: Netsh manages network configurations, not Kerberos tickets.
D: "Kerberos Manager" is not a recognized built-in Windows utility; it's a fictitious name.
NEW QUESTION # 31
The application is showing a TLS error message as a result of a website administrator failing to timely renew the TLS certificate. But upon deeper analysis, it appears that the problem is brought on by the expiration of the TLS certificate. Which of the following statements is correct?
- A. The communication between the browser and the server is still over TLS.
- B. The communication between the browser and the server is now no longer over TLS.
Answer: B
Explanation:
TLS (Transport Layer Security) secures communication (e.g., HTTPS) using certificates, per RFC 8446. A certificate includes:
Validity Period: Start and end dates (e.g., "Not After: March 8, 2025").
Purpose: Authenticates the server and encrypts the session.
Scenario: An expired TLS certificate (e.g., past "Not After" date). Modern browsers (e.g., Chrome, Firefox) validate certificates during the handshake:
ClientHello: Browser initiates TLS.
ServerHello: Server sends its certificate.
Validation: Browser checks expiration, CA trust, etc.
If expired, browsers reject the handshake, displaying errors (e.g., "NET::ERR_CERT_DATE_INVALID"). No session key is negotiated, and communication doesn't proceed over TLS. Users may bypass warnings (e.g., "Advanced > Proceed"), but this is unencrypted or uses a fallback (not standard TLS), breaking security guarantees.
Security Implications: Expired certificates expose sites to MITM attacks, as trust is lost. CNSP likely emphasizes certificate management (e.g., automation with Let's Encrypt) to avoid this.
Why other options are incorrect:
B . The communication is still over TLS: False; an expired certificate halts the TLS handshake in compliant browsers. Legacy systems might negotiate insecurely, but this isn't "TLS" per standards.
Real-World Context: The 2019 Equifax breach partially stemmed from expired certificates missing vulnerabilities.
NEW QUESTION # 32
Which of the following attacks are associated with an ICMP protocol?
- A. ICMP flooding
- B. All of the following
- C. Ping of death
- D. Smurf attack
Answer: B
Explanation:
ICMP (Internet Control Message Protocol), per RFC 792, handles diagnostics (e.g., ping) and errors in IP networks. It's exploitable in:
A . Ping of Death:
Method: Sends oversized ICMP Echo Request packets (>65,535 bytes) via fragmentation. Reassembly overflows buffers, crashing older systems (e.g., Windows 95).
Fix: Modern OSes cap packet size (e.g., ping -s 65500).
B . Smurf Attack:
Method: Spoofs ICMP Echo Requests to a network's broadcast address (e.g., 192.168.255.255). All hosts reply, flooding the victim.
Amplification: 100 hosts = 100x traffic.
C . ICMP Flooding:
Method: Overwhelms a target with ICMP Echo Requests (e.g., ping -f), consuming bandwidth/CPU.
Variant: BlackNurse attack targets firewalls.
Technical Details:
ICMP Type 8 (Echo Request), Type 0 (Echo Reply) are key.
Mitigation: Rate-limit ICMP, disable broadcasts (e.g., no ip directed-broadcast).
Security Implications: ICMP attacks are DoS vectors. CNSP likely teaches filtering (e.g., iptables -p icmp -j DROP) balanced with diagnostics need.
Why other options are incorrect:
A, B, C individually: All are ICMP-based; D is comprehensive.
Real-World Context: Smurf attacks peaked in the 1990s; modern routers block them by default.
NEW QUESTION # 33
On a Microsoft Windows Operating System, what does the following command do?
net localgroup administrators
- A. List domain admin users for the current domain
- B. Displays the local administrators group on the computer
Answer: B
Explanation:
The net command in Windows is a legacy tool for managing users, groups, and network resources. The subcommand net localgroup <groupname> displays information about a specified local group on the machine where it's run. Specifically:
net localgroup administrators lists all members (users and groups) of the local Administrators group on the current computer.
The local Administrators group grants elevated privileges (e.g., installing software, modifying system files) on that machine only, not domain-wide.
Output Example:
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer Members
------------------------------------------------------------------------------- Administrator Domain Admins The command completed successfully.
Technical Details:
Local groups are stored in the Security Accounts Manager (SAM) database (e.g., C:\Windows\System32\config\SAM).
This differs from domain groups (e.g., Domain Admins), managed via Active Directory.
Security Implications: Enumerating local admins is a reconnaissance step in penetration testing (e.g., to escalate privileges). CNSP likely covers this command for auditing and securing Windows systems.
Why other options are incorrect:
A . List domain admin users for the current domain: This requires net group "Domain Admins" /domain, which queries the domain controller, not the local SAM. net localgroup is strictly local.
Real-World Context: Attackers use this command post-compromise (e.g., via PsExec) to identify privilege escalation targets.
NEW QUESTION # 34
Which of the following is true for SNMP?
A) The default community string for read-only access is "public."
B) The default community string for read/write access is "private."
- A. Only A
- B. Only B
- C. None of the above
- D. Both A and B
Answer: D
Explanation:
SNMP community strings authenticate access, with defaults posing security risks if unchanged.
Why C is correct:
A: "public" is the standard read-only default, per SNMP specs and CNSP.
B: "private" is the standard read-write default, also per SNMP and CNSP.
Both are true, making C the answer.
Why other options are incorrect:
1, 2: Exclude one true statement each.
4: Both statements are true, so "none" is wrong.
NEW QUESTION # 35
The Active Directory database file stores the data and schema information for the Active Directory database on domain controllers in Microsoft Windows operating systems. Which of the following file is the Active Directory database file?
- A. MSAD.MDB
- B. NTDS.DAT
- C. NTDS.MDB
- D. NTDS.DIT
Answer: D
Explanation:
The Active Directory (AD) database on Windows domain controllers contains critical directory information, stored in a specific file format.
Why D is correct: The NTDS.DIT file (NT Directory Services Directory Information Tree) is the Active Directory database file, located in C:\Windows\NTDS\ on domain controllers. It stores all AD objects (users, groups, computers) and schema data in a hierarchical structure. CNSP identifies NTDS.DIT as the key file for AD data extraction in security audits.
Why other options are incorrect:
A . NTDS.DAT: Not a valid AD database file; may be a confusion with other system files.
B . NTDS.MDB: Refers to an older Microsoft Access database format, not used for AD.
C . MSAD.MDB: Not a recognized file for AD; likely a misnomer.
NEW QUESTION # 36
Which of the following is a valid DNS record type?
- A. TXT record
- B. SRV record
- C. NAPTR record
- D. All of the above
Answer: D
Explanation:
DNS (Domain Name System) records define how domain names are mapped to various types of data, each serving a specific purpose in network operations. The question asks for valid DNS record types, and all listed options are recognized.
Why D is correct:
A . NAPTR record: The Naming Authority Pointer (NAPTR) record is used for service discovery and mapping domain names to services, protocols, and ports (e.g., in SIP or ENUM systems).
B . SRV record: The Service (SRV) record specifies the hostname and port for specific services (e.g., LDAP, XMPP), aiding in service location.
C . TXT record: The Text (TXT) record stores arbitrary text data, often for SPF, DKIM, or domain verification.
All are valid DNS record types per RFC standards and CNSP documentation, making "All of the above" the correct answer.
Why other options are incomplete: A, B, or C alone exclude other valid types listed, so D is the most comprehensive response.
NEW QUESTION # 37
What will be the subnet mask for 192.168.0.1/18?
- A. 255.255.255.0
- B. 255.225.225.0
- C. 255.225.192.0
- D. 255.255.192.0
Answer: D
Explanation:
An IP address with a /18 prefix (CIDR notation) indicates 18 network bits in the subnet mask, leaving 14 host bits (32 total bits - 18). For IPv4 (e.g., 192.168.0.1):
Binary Mask: First 18 bits are 1s, rest 0s.
1st octet: 11111111 (255)
2nd octet: 11111111 (255)
3rd octet: 11000000 (192)
4th octet: 00000000 (0)
Decimal: 255.255.192.0
Calculation:
Bits: /18 = 2^14 hosts (16,384), minus 2 (network/broadcast) = 16,382 usable.
Range: 192.168.0.0-192.168.63.255 (3rd octet: 0-63, as 192 = 11000000 covers 6 bits).
Technical Details:
Subnet masks align on octet boundaries or mid-octet (e.g., 192 = 2^7 + 2^6).
Contrast: /24 = 255.255.255.0 (256 hosts), /16 = 255.255.0.0 (65,536 hosts).
Security Implications: Larger subnets (e.g., /18) increase broadcast domains, risking amplification attacks. CNSP likely teaches subnetting for segmentation (e.g., VLANs).
Why other options are incorrect:
A . 255.255.255.0: /24 (8 host bits), not /18.
B . 255.225.225.0: Invalid mask (225 = 11100001, non-contiguous 1s).
D . 255.225.192.0: Invalid (225 breaks binary sequence).
Real-World Context: Subnetting 192.168.0.0/18 isolates departments in enterprise networks.
NEW QUESTION # 38
Which of the following services use TCP protocol?
- A. IKE
- B. NTP
- C. SNMP
- D. HTTP
Answer: D
Explanation:
TCP (Transmission Control Protocol) ensures reliable, ordered data delivery via a connection-oriented handshake, contrasting with UDP's lightweight, connectionless approach. Analyzing each service:
C . HTTP (Hypertext Transfer Protocol): Uses TCP (port 80) for web traffic. TCP's reliability ensures HTML, images, etc., arrive intact. HTTPS (TCP 443) extends this with TLS. RFC 2616 mandates TCP.
A . SNMP (Simple Network Management Protocol): Defaults to UDP (port 161) for monitoring devices. UDP's speed suits its lightweight queries, though TCP variants exist (rarely used).
B . NTP (Network Time Protocol): Uses UDP (port 123) per RFC 5905. UDP minimizes latency for time sync, tolerating occasional packet loss.
D . IKE (Internet Key Exchange): Part of IPsec, uses UDP (port 500) per RFC 7296. UDP suits its negotiation phase; TCP isn't standard.
Security Implications: TCP services like HTTP are more prone to state-based attacks (e.g., SYN floods) than UDP counterparts. CNSP likely contrasts TCP vs. UDP in protocol analysis.
Why other options are incorrect:
A, B, D: All default to UDP for efficiency, not TCP's reliability.
Real-World Context: Firewalls prioritize TCP 80/443 rules for HTTP/HTTPS, while UDP 123 is opened for NTP servers.
NEW QUESTION # 39
Which command will perform a DNS zone transfer of the domain "victim.com" from the nameserver at 10.0.0.1?
- A. dig @10.0.0.1 victim.com afxr
- B. dig @10.0.0.1 victim.com axrfr
- C. dig @10.0.0.1 victim.com arfxr
- D. dig @10.0.0.1 victim.com axfr
Answer: D
Explanation:
A DNS zone transfer replicates an entire DNS zone (a collection of DNS records for a domain) from a primary nameserver to a secondary one, typically for redundancy or load balancing. The AXFR (Authoritative Full Zone Transfer) query type, defined in RFC 1035, facilitates this process. The dig (Domain Information Groper) tool, a staple in Linux/Unix environments, is used to query DNS servers. The correct syntax is:
dig @<nameserver> <domain> axfr
Here, dig @10.0.0.1 victim.com axfr instructs dig to request a zone transfer for "victim.com" from the nameserver at 10.0.0.1. The @ symbol specifies the target server, overriding the system's default resolver.
Technical Details:
The AXFR query is sent over TCP (port 53), not UDP, due to the potentially large size of zone data, which exceeds UDP's typical 512-byte limit (pre-EDNS0).
Successful execution requires the nameserver to permit zone transfers from the querying IP, often restricted to trusted secondaries via Access Control Lists (ACLs) for security. If restricted, the server responds with a "REFUSED" error.
Security Implications: Zone transfers expose all DNS records (e.g., A, MX, NS), making them a reconnaissance goldmine for attackers if misconfigured. CNSP likely emphasizes securing DNS servers against unauthorized AXFR requests, using tools like dig to test vulnerabilities.
Why other options are incorrect:
A . dig @10.0.0.1 victim.com axrfr: "axrfr" is a typographical error. The correct query type is "axfr." Executing this would result in a syntax error or an unrecognized query type response from dig.
B . dig @10.0.0.1 victim.com afxr: "afxr" is another typo, not a valid DNS query type per RFC 1035. dig would fail to interpret this, likely outputting an error like "unknown query type." C . dig @10.0.0.1 victim.com arfxr: "arfxr" is also invalid, a jumbled version of "axfr." It holds no meaning in DNS protocol standards and would fail similarly.
Real-World Context: Penetration testers use dig ... axfr to identify misconfigured DNS servers. For example, dig @ns1.example.com example.com axfr might reveal subdomains or internal IPs if not locked down.
NEW QUESTION # 40
How would you establish a null session to a Windows host from a Windows command prompt?
- A. net use \hostname\ipc$ "" /u:NULL
- B. net use \hostname\c$ "" /u:""
- C. net use \hostname\ipc$ "" /u:""
- D. net use \hostname\c$ "" /u:NULL
Answer: C
Explanation:
A null session in Windows is an unauthenticated connection to certain administrative shares, historically used for system enumeration. The net use command connects to a share, and the IPC$ (Inter-Process Communication) share is the standard target for null sessions, allowing access without credentials when configured to permit it.
Why C is correct: The command net use \\hostname\ipc$ "" /u:"" specifies the IPC$ share and uses empty strings for the password (first "") and username (/u:""), establishing a null session. This syntax is correct for older Windows systems (e.g., XP or 2003) where null sessions were more permissive, a topic covered in CNSP for legacy system vulnerabilities.
Why other options are incorrect:
A: Targets the c$ share (not typically used for null sessions) and uses /u:NULL, which is invalid syntax; the username must be an empty string ("").
B: Targets c$ instead of ipc$, making it incorrect for null session establishment.
D: Uses ipc$ correctly but specifies /u:NULL, which is not the proper way to denote an empty username.
NEW QUESTION # 41
Which of the following algorithms could be used to negotiate a shared encryption key?
- A. Triple-DES
- B. Diffie-Hellman
- C. AES
- D. SHA1
Answer: B
Explanation:
Negotiating a shared encryption key involves a process where two parties agree on a secret key over an insecure channel without directly transmitting it. This is distinct from encryption or hashing algorithms, which serve different purposes.
Why C is correct: The Diffie-Hellman (DH) algorithm is a key exchange protocol that enables two parties to establish a shared secret key using mathematical operations (e.g., modular exponentiation). It's widely used in protocols like TLS and IPsec, as noted in CNSP for secure key negotiation.
Why other options are incorrect:
A: Triple-DES is a symmetric encryption algorithm for data encryption, not key negotiation.
B: SHA1 is a hash function for integrity, not key exchange.
D: AES is a symmetric encryption algorithm, not a key exchange mechanism.
NEW QUESTION # 42
Which of the following techniques can be used to bypass network segmentation during infrastructure penetration testing?
- A. VLAN hopping
- B. DNS tunneling
- C. All of the above
- D. Covert channels
Answer: C
Explanation:
Network segmentation isolates network zones for security, but certain techniques can circumvent these controls, a focus of CNSP penetration testing.
Why D is correct:
A: DNS tunneling encodes data in DNS queries, bypassing segmentation via legitimate DNS traffic.
B: VLAN hopping exploits switch misconfigurations (e.g., double tagging) to access other VLANs.
C: Covert channels use hidden communication paths (e.g., timing channels) to evade segmentation.
All are valid techniques per CNSP for testing segmentation controls.
Why other options are incomplete: A, B, or C alone exclude other viable methods, making D the comprehensive answer.
NEW QUESTION # 43
In the context of a Unix-based system, where does a daemon process execute in the memory?
- A. Kernel space
- B. User space
Answer: B
Explanation:
In Unix-based systems, memory is divided into two primary regions: kernel space and user space, each serving distinct purposes for process execution and system stability.
Why B is correct: Daemon processes are background services (e.g., sshd, cron) that run with elevated privileges but operate in user space. User space is the memory area allocated for user applications and processes, isolated from kernel space to prevent direct hardware access or system crashes. CNSP highlights that daemons run in user space to maintain system integrity, interacting with the kernel via system calls.
Why other option is incorrect:
A . Kernel space: Kernel space is reserved for the operating system kernel and device drivers, which have unrestricted access to hardware. Running daemons in kernel space would pose significant security and stability risks, and it is not the standard practice in Unix systems.
NEW QUESTION # 44
Which of the following protocols is not vulnerable to address spoofing attacks if implemented correctly?
- A. UDP
- B. ARP
- C. IP
- D. TCP
Answer: D
Explanation:
Address spoofing fakes a source address (e.g., IP, MAC) to impersonate or amplify attacks. Analyzing protocol resilience:
C . TCP (Transmission Control Protocol):
Mechanism: Three-way handshake (SYN, SYN-ACK, ACK) verifies both endpoints.
Client SYN (Seq=X), Server SYN-ACK (Seq=Y, Ack=X+1), Client ACK (Ack=Y+1).
Spoofing Resistance: Spoofer must predict the server's sequence number (randomized in modern stacks) and receive SYN-ACK, impractical without session hijacking or MITM.
Correct Implementation: RFC 793-compliant, with anti-spoofing (e.g., Linux tcp_syncookies).
A . UDP:
Connectionless (RFC 768), no handshake. Spoofed packets (e.g., source IP 1.2.3.4) are accepted if port is open, enabling reflection attacks (e.g., DNS amplification).
B . ARP (Address Resolution Protocol):
No authentication (RFC 826). Spoofed ARP replies (e.g., fake MAC for gateway IP) poison caches, enabling MITM (e.g., arpspoof).
D . IP:
No inherent validation at Layer 3 (RFC 791). Spoofed source IPs pass unless filtered (e.g., ingress filtering, RFC 2827).
Security Implications: TCP's handshake makes spoofing harder, though not impossible (e.g., blind spoofing with sequence prediction, mitigated since BSD 4.4). CNSP likely contrasts this with UDP/IP's vulnerabilities in DDoS contexts.
Why other options are incorrect:
A, B, D: Lack handshake or authentication, inherently spoofable.
Real-World Context: TCP spoofing was viable pre-1990s (e.g., Mitnick attack); modern randomization thwarts it.
NEW QUESTION # 45
What is the response from a closed TCP port which is behind a firewall?
- A. A SYN and an ACK packet
- B. No response
- C. RST and an ACK packet
- D. A FIN and an ACK packet
Answer: B
Explanation:
TCP (Transmission Control Protocol) uses a three-way handshake (SYN, SYN-ACK, ACK) to establish connections, as per RFC 793. When a client sends a SYN packet to a port:
Open Port: The server responds with SYN-ACK.
Closed Port (no firewall): The server sends an RST (Reset) packet, often with ACK, to terminate the attempt immediately.
However, when a firewall is present, its configuration dictates the response. Modern firewalls typically operate in stealth mode, using a "drop" rule for closed ports rather than a "reject" rule:
Drop: Silently discards the packet without replying, resulting in no response. The client experiences a timeout (e.g., 30 seconds), as no feedback is provided.
Reject: Sends an RST or ICMP "Port Unreachable," but this is less common for security reasons, as it confirms the firewall's presence.
For a closed TCP port behind a firewall, "no response" (drop) is the standard behavior in secure configurations, minimizing information leakage to attackers. This aligns with CNSP's focus on firewall best practices to obscure network topology during port scanning (e.g., with Nmap).
Why other options are incorrect:
A . A FIN and an ACK packet: FIN-ACK is used to close an established TCP connection gracefully (e.g., after data transfer), not to respond to an initial SYN on a closed port.
B . RST and an ACK packet: RST-ACK is the host's response to a closed port without a firewall. A firewall's drop rule overrides this by silently discarding the packet.
C . A SYN and an ACK packet: SYN-ACK indicates an open port accepting a connection, the opposite of a closed port scenario.
Real-World Context: Tools like Nmap interpret "no response" as "filtered" (firewall likely present) vs. "closed" (RST received), aiding in firewall detection.
NEW QUESTION # 46
......
Exam Passing Guarantee CNSP Exam with Accurate Quastions: https://www.dumps4pdf.com/CNSP-valid-braindumps.html
Test Engine to Practice Test for CNSP Valid and Updated Dumps: https://drive.google.com/open?id=1JAqELiXE3ltjE0XTiuWERlTdtIiajxks