The SecOps Group CNSP Certified Network Security Practitioner (CNSP) Exam Practice Test

Negotiating a shared encryption key involves a process where two parties agree on a secret key over an insecure channel without directly transmitting it. This is distinct from encryption or hashing algorithms, which serve different purposes.

Why C is correct:The Diffie-Hellman (DH) algorithm is a key exchange protocol that enables two parties to establish a shared secret key using mathematical operations (e.g., modular exponentiation). It’s widely used in protocols like TLS and IPsec, as noted in CNSP for secure key negotiation.

Why other options are incorrect:

A:Triple-DES is a symmetric encryption algorithm for data encryption, not key negotiation.

B:SHA1 is a hash function for integrity, not key exchange.

D:AES is a symmetric encryption algorithm, not a key exchange mechanism.

References:CNSP "Cryptographic Protocols" (Section on Key Exchange) describes Diffie-Hellman as the standard for shared key negotiation, contrasting it with encryption algorithms.

In Linux/Unix, theSUID (Set User ID)bit allows a program to execute with the owner’s permissions, typically root, rather than the caller’s. It’s denoted by an s in the user execute field (e.g., -rwsr-xr-x). Common SUID programs perform privileged tasks requiring temporary elevation.

Analysis:

C. /usr/bin/passwd:

Purpose: Updates user passwords in /etc/shadow (root-owned, 0600 perms).

Permissions: Typically -rwsr-xr-x, owned by root. The SUID bit lets non-root users modify shadow securely.

Command: ls -l /usr/bin/passwd confirms SUID (s in user execute).

A. /bin/ls:

Purpose: Lists directory contents, no privileged access needed.

Permissions: -rwxr-xr-x (no SUID).Runs as the calling user.

B. /usr/bin/curl:

Purpose: Transfers data over HTTP/FTP, no root privileges required by default.

Permissions: -rwxr-xr-x (no SUID).

Technical Details:

SUID Bit: Set via chmod u+s or chmod 4755.

Security: SUID binaries are audited (e.g., find / -perm -u=s) due to escalation risks if writable or poorly coded (e.g., buffer overflows).

Security Implications:CNSP likely highlights SUID as an attack vector (e.g., CVE-1996-0095 exploited passwd flaws). Hardening removes unnecessary SUID bits.

Why other options are incorrect:

A, B:Lack SUID; no privileged operations.

D:Incorrect, as /usr/bin/passwd is a SUID example.

Real-World Context:SUID on /bin/su or /usr/bin/sudo similarly enables privilege escalation, often targeted in exploits.References:CNSP Official Documentation (Linux Security); Linux File Permissions Guide.

TheManagement Information Base (MIB)is a structured database defining manageable objects (e.g., CPU usage, interface status) in a network device. It’s part of theSNMP (Simple Network Management Protocol)framework, per RFC 1157, used for monitoring and managing network devices (e.g., routers, switches).

SNMP Mechanics:

MIB Structure:Hierarchical, with Object Identifiers (OIDs) like 1.3.6.1.2.1.1.1.0 (sysDescr).

Versions:SNMPv1, v2c (community strings), v3 (encrypted).

Ports:UDP 161 (agent), 162 (traps).

Operation:Agents expose MIB data; managers (e.g., Nagios) query it via GET/SET commands.

MIB files (e.g., IF-MIB, HOST-RESOURCES-MIB) are vendor-specific or standardized, parsed by SNMP tools (e.g., snmpwalk). CNSP likely covers SNMP for network monitoring and securing it against enumeration (e.g., weak community strings like "public").

Why other options are incorrect:

A. SMTP (Simple Mail Transfer Protocol):Email delivery (TCP 25), unrelated to MIB or device management.

C. NTP (Network Time Protocol):Time synchronization (UDP 123), not MIB-related.

D. TACACS (Terminal Access Controller Access-Control System):Authentication/authorization (TCP 49), not MIB management.

Real-World Context:SNMP misconfiguration led to the 2018 Cisco switch exploits via exposed MIB data.References:CNSP Official Study Guide (Network Monitoring Protocols); RFC 1157 (SNMP).

The net localgroup command manages local group memberships on Windows systems, with syntax dictating its action.

Why B is correct:net localgroup Sales Sales_domain /add adds the domain group Sales_domain to the local group Sales, granting its members local group privileges. CNSP covers this for privilege escalation testing.

Why other options are incorrect:

A:Displaying users requires net localgroup Sales without /add.

C:Adding a user requires a username, not a group name like Sales_domain.

D:The reverse (local to domain) uses net group, not net localgroup.

References:CNSP "Windows Group Management" (Section on net Commands) explains net localgroup for adding domain groups.

SNMP community strings authenticate access, with defaults posing security risks if unchanged.

WhyCis correct:

A:"public" is the standard read-only default, per SNMP specs and CNSP.

B:"private" is the standard read-write default, also per SNMP and CNSP.Both are true, makingCthe answer.

Why other options are incorrect:

1, 2:Exclude one true statement each.

4:Both statements are true, so "none" is wrong.

References:CNSP "SNMP Security" (Section on Defaults) confirms "public" and "private" as standard community strings.

An IPv6 address, defined in RFC 4291, is a 128-bit address designed to replace IPv4’s 32-bit scheme, vastly expanding address space (2^128 vs. 2^32). Anoctetis 8 bits (1 byte). To calculate octets in IPv6:

128 bits ÷ 8 bits/octet =16 octets.

Representation:

IPv6 is written as eight 16-bit hexadecimal blocks (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334), separated by colons.

Each block is 16 bits (2 bytes), so 8 blocks = 16 octets.

Contrast with IPv4 (e.g., 192.168.0.1), which has 4 octets (32 bits).

Technical Note:Your original input flagged this question’s phrasing as potentially misleading, suggesting "octets" is an IPv4 term, while IPv6 uses "16-bit groups" or "hextets." While technically accurate (RFC 4291 uses "16-bit blocks"), "octets" remains a common, if informal, term in security contexts for byte-wise analysis (e.g., packet crafting). CNSP might use "octets" to test byte-level understanding, though "groups" is more precise for IPv6. Here, 16 octets (128 bits) is correct either way.

Security Implications:IPv6’s larger address space complicates scanning (e.g., Nmap struggles with 2^128 possibilities) but introduces risks like misconfigured Neighbor Discovery Protocol (NDP). Understanding its structure aids in firewall rules and IDS signatures.

Why other options are incorrect:

B. 32:Implies 256 bits (32 × 8), far exceeding IPv6’s 128-bit design.

C. 64:Suggests 512 bits (64 × 8), unrelated to IPv6 or any IP standard.

D. 128:Misinterprets octets as bits; 128 bits = 16 octets, not 128 octets.

Real-World Context:IPv6 packet analysis (e.g., Wireshark) breaks addresses into 16 octets for raw data inspection.References:CNSP Official Documentation (IPv6 Networking); RFC 4291 (IP Version 6 Addressing Architecture).

SSL/TLS protocols secure network communication, but older versions have vulnerabilities:

SSLv2 (1995):Weak ciphers, no handshake integrity (e.g., MITM via DROWN attack, CVE-2016-0800). Deprecated by RFC 6176 (2011).

SSLv3 (1996):Vulnerable to POODLE (CVE-2014-3566), weak block ciphers (e.g., RC4). Deprecated by RFC 7568 (2015).

TLSv1.0 (1999, RFC 2246):Inherits SSLv3 flaws (e.g., BEAST, CVE-2011-3389), weak CBC ciphers. Deprecated by PCI DSS (2018) and RFC 8996 (2021).

TLSv1.1 (2006, RFC 4346):Improved over 1.0 but lacks modern cipher suites (e.g., AEAD). Deprecated with 1.0 by RFC 8996.

TLSv1.2 (2008, RFC 5246):Secure with strong ciphers (e.g., AES-GCM), widely used today.

TLSv1.3 (2018, RFC 8446):Latest, removes legacy weaknesses, mandatory forward secrecy.

Answer:C (A and B)—SSLv2, SSLv3, TLSv1.0, and TLSv1.1 are unsafe due to exploitable flaws. TLSv1.2 and 1.3 remain secure. CNSP likely aligns with IETF/PCI standards, mandating modern versions.

Why other options are incorrect:

A:Correct but incomplete without B.

B:Correct but incomplete without A.

D:Incorrectly includes TLSv1.2 and 1.3, which are secure and recommended.

Real-World Context:POODLE forced mass SSLv3 disablement in 2014; TLS 1.0/1.1 deprecation hit legacy systems in 2021.References:CNSP Official Documentation (Cryptographic Protocols); RFC 8996 (TLS Deprecation).

TCP (Transmission Control Protocol) ensures reliable, ordered data delivery via a connection-oriented handshake, contrasting with UDP’s lightweight, connectionless approach. Analyzing each service:

C. HTTP (Hypertext Transfer Protocol):Uses TCP (port 80) for web traffic. TCP’s reliability ensures HTML, images, etc., arrive intact. HTTPS (TCP 443) extends this with TLS. RFC 2616 mandates TCP.

A. SNMP (Simple Network Management Protocol):Defaults to UDP (port 161) for monitoring devices. UDP’s speed suits its lightweight queries, though TCP variants exist (rarely used).

B. NTP (Network Time Protocol):Uses UDP (port 123) per RFC 5905. UDP minimizes latency for time sync, tolerating occasional packet loss.

D. IKE (Internet Key Exchange):Part of IPsec, uses UDP (port 500) per RFC 7296. UDP suits its negotiation phase; TCP isn’t standard.

Security Implications:TCP services like HTTP are more prone to state-based attacks (e.g., SYN floods) than UDP counterparts. CNSP likely contrasts TCP vs. UDP in protocol analysis.

Why other options are incorrect:

A, B, D:All default to UDP for efficiency, not TCP’s reliability.

Real-World Context:Firewalls prioritize TCP 80/443 rules for HTTP/HTTPS, while UDP 123 is opened for NTP servers.References:CNSP Official Study Guide (Network Protocols); RFC 2616 (HTTP), RFC 1155 (SNMP).

In Linux, theSGID (Set Group ID)bit alters execution or directory behavior:

On executables: Runs with the group owner’s permissions (e.g., s in group execute position).

On directories: New files inherit the directory’s group ownership.

Notation: s in group execute field (e.g., -rwxr-sr-x), or S if no execute (e.g., -rwxr-Sr-x).

Analysis:

-rwxr-sr-x (myfile): User: rwx, Group: r-s (SGID), Others: r-x. The s in group execute confirms SGID.

-rwsr-xr-x (myprogram): User: rws (SUID), Group: r-x, Others: r-x. The s is in user execute, not group—no SGID.

-rw-r--r-s (anotherfile): User: rw-, Group: r--, Others: r-s. The s is in others execute, but no x exists, rendering it meaningless (not SGID; could be a typo or sticky bit misapplied).

Security Implications:SGID executables (e.g., /usr/bin/wall) or directories (e.g., /var/local) manage group access. Misuse risks privilege escalation. CNSP likely teaches auditing with find / -perm -g=s.

Why other options are incorrect:

B:SUID, not SGID.

C:No valid SGID; s in others is irrelevant without execute.

D:Only A has SGID.

Real-World Context:SGID on /var/mail ensures mail files inherit the mail group.References:CNSP Official Study Guide (Linux Permissions); Linux File System Documentation.

The screenshot shows an email labeled "B" with the subject "Verify your email address" purportedly from Apple. To determine if this is a phishing email, we need to analyze its content and characteristics against common phishing indicators as outlined in CNSP documentation. Since option A is not provided in the screenshot, we will evaluate email B and infer the context for A.

Analysis of Email B:

Sender and Branding:The email claims to be from "Apple Support" and includes an Apple logo, which is a common tactic to establish trust. However, phishing emails often impersonate legitimate brands like Apple to deceive users.

Subject and Content:The subject "Verify your email address" and the body requesting the user to verify their email by clicking a link ("Verify Your Email") are typical of phishing attempts. Legitimate companies like Apple may send verification emails, but the tone and context here raise suspicion.

Link Presence:The email contains a clickable link ("Verify Your Email") that is purportedly for email verification. The screenshot does not show the URL, but phishing emails often include malicious links that lead to fake login pages to steal credentials. CNSP emphasizes that unsolicited requests to click links for verification are a red flag.

Urgency and Vague Instructions:The email includes a statement, "If you did not make this change or believe an unauthorized person has accessed your account, click here to cancel and secure your account." This creates a sense of urgency, a common phishing tactic to prompt immediate action without critical thinking.

Generic Greeting:The email starts with "Dear User," a generic greeting often used in phishing emails. Legitimate companies like Apple typically personalize emails with the user’s name.

Suspicious Elements:The email mentions "your Apple ID (example@icloud.com)," which is a placeholder rather than a specific email address, further indicating a mass phishing campaign rather than a targeted, legitimate communication.

Phishing Indicators (per CNSP):CNSP documentation on phishing identification lists several red flags:

Unsolicited requests for verification or account updates.

Generic greetings (e.g., "Dear User" instead of a personalized name).

Presence of links that may lead to malicious sites (not verifiable in the screenshot but implied).

Urgency or threats (e.g., "click here to cancel and secure your account").

Impersonation of trusted brands (e.g., Apple).Email B exhibits multiple indicators: the generic greeting, unsolicited verification request, urgent call to action, and impersonation of Apple.

Option A Context:Since the screenshot only shows email B, and the correct answer is "Only B," we can infer that email A (not shown) does not exhibit phishing characteristics. For example, A might be a legitimate email from Apple with proper personalization, no suspicious links, or a different context (e.g., a purchase confirmation rather than a verification request).

Evaluation of Options:

1. Only A:Incorrect, as email A is not shown, and the correct answer indicates B asthe phishing email.

2. Only B:Correct. Email B shows clear phishing characteristics, such as impersonation, a generic greeting, an unsolicited verification link, and urgency, aligning with CNSP’s phishing criteria.

3. Both A and B:Incorrect, as A is implied to be non-phishing based on the correct answer.

4. None of the above:Incorrect, as B is a phishing email.

Conclusion:Email B is a phishing email due to its impersonation of Apple, generic greeting, unsolicited verification request with a link, and use of urgency to prompt action. Since A is not shown but implied to be non-phishing, the correct answer is "Only B."

References:CNSP "Social Engineering Attacks" (Section on Phishing Identification) lists key phishing indicators such as impersonation, generic greetings, unsolicited links, and urgency, all of which are present in email B. The section also contrasts phishing emails with legitimate communications, emphasizing personalization and context as differentiators.

DDoS (Distributed Denial of Service) attacks aim to overwhelm a target’s resources with excessive traffic, disrupting availability, whereas other attack types target different goals.

Why D is correct:Brute force attacks focus on guessing credentials (e.g., passwords) to gain unauthorized access, not on denying service. CNSP classifies it as an authentication attack, not a DDoS method.

Why other options are incorrect:

A:SYN Flood exhausts TCP connection resources, a classic DDoS attack.

B:NTP Amplification leverages amplified responses to flood targets, a DDoS technique.

C:UDP Flood overwhelms a system with UDP packets, another DDoS method.

References:CNSP "DDoS Attack Types" (Section on Attack Classification) excludes brute force from DDoS categories, listing SYN, NTP, and UDP floods as examples.

TCP uses a structured handshake, and its response to a connection attempt on a closed port follows a specific protocol when unobstructed by a firewall.

Why C is correct:A closed TCP port responds with a RST (Reset) and ACK (Acknowledgment) packet to terminate the connection attempt immediately. CNSP highlights this as a key scanning indicator.

Why other options are incorrect:

A:ICMP Port Unreachable is for UDP, not TCP.

B:FIN/ACK is for closing active connections, not rejecting new ones.

D:SYN/ACK indicates an open port during the TCP handshake.

References:CNSP "TCP Scanning" (Section on Port Responses) details RST/ACK as the standard closed-port response.

In Linux, password hashes are stored in a secure file to protect user authentication data. The evolution of Linux security practices moved password storage from plaintext or weakly protected files to a more secure location.

Why C is correct:The /etc/shadow file is the standard location for storing password hashes in modern Linux systems. This file is readable only by the root user, enhancing security by restricting access. It contains encrypted password hashes (typically using algorithms like SHA-512), along with user details such as password expiration policies. CNSP documentation on Linux security emphasizes /etc/shadow as the authoritative source for password hashes, replacing older methods.

Why other options are incorrect:

A. /etc/passwd:Historically, /etc/passwd stored passwords in plaintext or weakly hashed forms (e.g., using DES), but modern systems use it only for user account information (e.g., UID, GID, home directory) and reference /etc/shadow for hashes.

B. /etc/password:This is not a valid file in the Linux file system; it appears to be a typographical error or misunderstanding, with no recognized role in password storage.

D. /usr/bin/shadow:/usr/bin contains executable binaries, not configuration or data files like password hashes. /etc/shadow is the correct path.

References:CNSP "Linux Authentication Mechanisms" (Section on Password Storage) details the transition to /etc/shadow for enhanced security and contrasts it with /etc/passwd.

Network segmentation isolates network zones for security, but certain techniques can circumvent these controls, a focus of CNSP penetration testing.

Why D is correct:

A:DNS tunneling encodes data in DNS queries, bypassing segmentation via legitimate DNS traffic.

B:VLAN hopping exploits switch misconfigurations (e.g., double tagging) to access other VLANs.

C:Covert channels use hidden communication paths (e.g., timing channels) to evade segmentation.All are valid techniques per CNSP for testing segmentation controls.

Why other options are incomplete:A, B, or C alone exclude other viable methods, making D the comprehensive answer.

References:CNSP "Penetration Testing Techniques" (Section on Network Segmentation Bypass) lists DNS tunneling, VLAN hopping, and covert channels as effective methods.

The Windows Registry is a hierarchical database storing configuration settings for the operating system, applications, and hardware. It’s physically stored ashive fileson disk, located in the directoryC:\Windows\System32\Config. These files are loaded into memory at boot time and managed by the Windows kernel. Key hive files include:

SYSTEM:Contains hardware and system configuration (e.g., drivers, services).

SOFTWARE:Stores software settings.

SAM:Security Accounts Manager data (e.g., local user accounts, passwords).

SECURITY:Security policies and permissions.

DEFAULT:Default user profile settings.

USERDIFFand user-specific hives (e.g., NTUSER.DAT in C:\Users) for individual profiles, though these are linked to Config indirectly.

Technical Details:

Path:C:\Windows\System32\Configis the primary location for system-wide hives. Files lack extensions (e.g., "SYSTEM" not "SYSTEM.DAT") and are backed by transaction logs (e.g., SYSTEM.LOG) for recovery.

Access: Direct file access is restricted while Windows runs, as the kernel locks them. Tools like reg save or offline forensic utilities (e.g., RegRipper) can extract them.

Backup: Copies may exist in C:\Windows\System32\config\RegBack (pre-Windows 10 1803) or repair folders (e.g., C:\Windows\Repair).

Security Implications:The registry is a prime target for attackers (e.g., persistence via Run keys) and malware (e.g., WannaCry modified registry entries). CNSP likely emphasizes securing this directory (e.g., NTFS permissions) and auditing changes (e.g., via Event Viewer, Event ID 4657). Compromising these files offline (e.g., via physical access) can extract password hashes from SAM.

Why other options are incorrect:

A. C:\Windows\debug:Used for debug logs (e.g., memory.dmp) or tools like DebugView, not registry hives. It’s unrelated to core configuration storage.

C. C:\Windows\security:Contains security-related files (e.g., audit logs, policy templates), but not the registry hives themselves.

D. All of the above:Only B is correct; including A and C dilutes accuracy.

Real-World Context:Forensic analysts target C:\Windows\System32\Config during investigations (e.g., parsing SAM with Mimikatz offline).References:CNSP Official Study Guide (Windows Security Architecture); Microsoft Windows Registry Documentation.

The screenshot is from Wireshark, a network protocol analyzer, displaying captured network traffic. The relevant columns include the source and destination IP addresses, ports, protocol, and additional information about the packets. Let’s break down the details:

Destination Port Analysis:The screenshot shows multiple packets with a destination port of 443 (e.g., in the "Destination" column, entries like "172.72.61.9:443"). Port 443 is the default port for HTTPS (HTTP Secure), which is HTTP traffic encrypted using SSL/TLS. This indicates that the application is communicating over HTTPS.

Protocol Analysis:The "Protocol" column lists "TLSv1.2" for most packets (e.g., frame numbers 2000084, 2000086). TLS (Transport Layer Security) is the cryptographic protocol used by HTTPS to secure HTTP communications. This confirms that the traffic is HTTPS, not plain HTTP.

Packet Details:The "Info" column provides additional context, such as "Application Data" for TLS packets, indicating encrypted application-layer data (typical of HTTPS). There are also HTTP packets (e.g., frame 2000088), but these are likely part of the HTTPS session (e.g., HTTP/2 over TLS, as noted by "HTTP2").

Now, let’s evaluate the options:

Option A: "The application is running on port 443 and the HTTPS protocol."This is correct. The destination port 443 and the use of TLSv1.2 confirm that the application is using HTTPS. HTTPS is the standard protocol for secure web communication, and port 443 is its designated port. CNSP documentation emphasizes that HTTPS traffic on port 443 indicates a secure application-layer protocol, often used for web applications handling sensitive data.

Option B: "The credentials have been submitted over the HTTP protocol."This is incorrect. HTTP typically uses port 80, but the screenshot shows traffic on port 443 with TLS, indicating HTTPS. Credentials submitted over this connection would be encrypted via HTTPS, not sent in plaintext over HTTP. CNSP highlights the security risks of HTTP for credential submission due to lack of encryption, which isn’t the case here.

Option C: "The credentials have been submitted over the HTTPS protocol."While this statement could be true (since HTTPS is in use, any credentials would likely be submitted securely), the question asks for the "correct" statement based on the screenshot. The screenshot doesn’t explicitly show credential submission (e.g., a POST request withform data); it only shows the protocol and port. Option A is more directly supported by the screenshot as it focuses on the application’s protocol and port, not the specific action of credential submission. CNSP notes that HTTPS ensures confidentiality, but this option requires more specific evidence of credentials.

Option D: "The application is running on port 80 and the HTTP protocol."This is incorrect. Port 80 is the default for HTTP, but the screenshot clearly shows port 443 and TLS, indicating HTTPS. CNSP documentation contrasts HTTP (port 80, unencrypted) with HTTPS (port 443, encrypted), making this option invalid.

Conclusion:Option A is the most accurate and comprehensive statement directly supported by the screenshot, confirming the application’s use of port 443 and HTTPS. While Option C might be true in a broader context, it’s less definitive without explicit evidence of credential submission in the captured packets.

References:CNSP "Network Traffic Analysis" (Section on Protocol Identification) explains that port 443 with TLS indicates HTTPS, and contrasts it with HTTP on port 80. The "Wireshark Analysis" section further details how to interpret destination ports and protocol fields for identifying application-layer protocols.

The LinuxFilesystem Hierarchy Standard (FHS), per FHS 3.0, defines directory purposes:

/mnt:Designated fortemporarily mounted filesystems, typically by system administrators.

Use: Mount points for removable media (e.g., USB drives: mount /dev/sdb1 /mnt/usb) or network shares (e.g., NFS).

Nature: Transient, user-managed, not persistent across reboots (unlike /etc/fstab mounts).

Contrast:

/media:Auto-mounts removable devices (e.g., by desktop environments like GNOME).

/mnt vs. /media:/mnt is manual, /media is system-driven.

Technical Details:

Empty by default; subdirectories (e.g., /mnt/usb) are created as needed.

Permissions: Typically root-owned (0755), requiring sudo for mounts.

Security Implications:Misconfigured /mnt mounts (e.g., world-writable) risk unauthorized access. CNSP likely covers mount security (e.g., nosuid option).

Why other options are incorrect:

B. System config/init scripts:Found in /etc (e.g., /etc/passwd, /etc/init.d).

C. Driver modules:Located in /lib/modules/.

D. Kernel state:Resides in /proc (e.g., /proc/cpuinfo).

Real-World Context:Admins mount ISOs at /mnt during server provisioning (e.g., mount -o loop image.iso /mnt).References:CNSP Official Study Guide (Linux Filesystems); FHS 3.0 Documentation.

Windows stores password hashes in the SAM (Security Account Manager) file, with a consistent location across 32-bit and 64-bit systems.

Why B is correct:The SAM file resides at C:\Windows\System32\config\SAM, locked during system operation for security. CNSP notes this for credential extraction risks.

Why other options are incorrect:

A:System64 does not exist; System32 is used even on 64-bit systems.

C:C:\System64 is invalid; the path starts with Windows.

D:config\System32 reverses the correct directory structure.

References:CNSP "Windows Credential Storage" (Section on SAM) specifies C:\Windows\System32\config\SAM.