Pass the The SecOps Group Security Practitioner CNSP Questions and answers with ExamsMirror

Microsoft SQL Server (MSSQL) relies on specific ports for its core services, as defined by Microsoft and registered with IANA:

1433/TCP:The default port for the SQL Server Database Engine. Clients connect here for querying databases (e.g., via ODBC or JDBC). It’s a well-known port, making it a frequent target for attacks if exposed.

1434/UDP:Used by theSQL Server Browser Service, which listens for incoming requests and redirects clients to the correct port/instance (especially for named instances). It’s critical for discovering dynamic ports when 1433 isn’t used.

1434/TCP:Less commonly highlighted but used in some configurations, such as dedicated admin connections (DAC) or when the Browser Service responds over TCP for specific instances. While 1433/TCP is the primary engine port, 1434/TCP can be involved in multi-instance setups.

Technical Details:

Ports can be customized (e.g., via SQL Server Configuration Manager), but these are defaults.

Named instances often use dynamic ports (allocated from the ephemeral range), with the Browser Service (1434/UDP) guiding clients to them.

Firewalls must allow these ports for MSSQL to function externally, posing risks if not secured (e.g., brute-force attacks on 1433/TCP).

Security Implications:CNSP likely covers MSSQL port security, as vulnerabilities like SQL Slammer (2003) exploited 1434/UDP misconfigurations. Hardening includes restricting access, changing defaults, and monitoring traffic.

Why other options are incorrect:

A. 1433/TCP, 2433/UDP, 3433/TCP:2433/UDP and 3433/TCP are not MSSQL standards; they’re likely typos or unrelated ports.

C. 1433/TCP, 2433/UDP, 1434/TCP:2433/UDP is incorrect; 1434/UDP is the Browser Service port.

D. 1533/TCP, 1434/UDP, 2434/TCP:1533/TCP and 2434/TCP aren’t associated with MSSQL; they deviate from documented defaults.

Real-World Context:Tools like netstat -an | find "1433" on Windows confirm MSSQL’s port usage during audits.References:CNSP Official Documentation (Database Security and Ports); Microsoft SQL Server Documentation, IANA Port Registry.

SNMP community strings authenticate access, with defaults posing security risks if unchanged.

WhyCis correct:

A:"public" is the standard read-only default, per SNMP specs and CNSP.

B:"private" is the standard read-write default, also per SNMP and CNSP.Both are true, makingCthe answer.

Why other options are incorrect:

1, 2:Exclude one true statement each.

4:Both statements are true, so "none" is wrong.

References:CNSP "SNMP Security" (Section on Defaults) confirms "public" and "private" as standard community strings.

In Linux, password hashes are stored in a secure file to protect user authentication data. The evolution of Linux security practices moved password storage from plaintext or weakly protected files to a more secure location.

Why C is correct:The /etc/shadow file is the standard location for storing password hashes in modern Linux systems. This file is readable only by the root user, enhancing security by restricting access. It contains encrypted password hashes (typically using algorithms like SHA-512), along with user details such as password expiration policies. CNSP documentation on Linux security emphasizes /etc/shadow as the authoritative source for password hashes, replacing older methods.

Why other options are incorrect:

A. /etc/passwd:Historically, /etc/passwd stored passwords in plaintext or weakly hashed forms (e.g., using DES), but modern systems use it only for user account information (e.g., UID, GID, home directory) and reference /etc/shadow for hashes.

B. /etc/password:This is not a valid file in the Linux file system; it appears to be a typographical error or misunderstanding, with no recognized role in password storage.

D. /usr/bin/shadow:/usr/bin contains executable binaries, not configuration or data files like password hashes. /etc/shadow is the correct path.

References:CNSP "Linux Authentication Mechanisms" (Section on Password Storage) details the transition to /etc/shadow for enhanced security and contrasts it with /etc/passwd.

Protocols are defined by their transport layer usage (TCP or UDP), impacting their security and performance characteristics.

Why D is correct:SSH (Secure Shell) uses TCP (port 22) for reliable, connection-oriented communication, unlike the UDP-based options. CNSP contrasts TCP and UDP protocol security.

Why other options are incorrect:

A:SNMP uses UDP (ports 161, 162) for lightweight network management.

B:NTP uses UDP (port 123) for time synchronization.

C:IKE (IPsec key exchange) uses UDP (ports 500, 4500).

References:CNSP "Network Protocols" (Section on Transport Layer) identifies SSH as TCP-based, others as UDP.

TCP (Transmission Control Protocol) ensures reliable, ordered data delivery via a connection-oriented handshake, contrasting with UDP’s lightweight, connectionless approach. Analyzing each service:

C. HTTP (Hypertext Transfer Protocol):Uses TCP (port 80) for web traffic. TCP’s reliability ensures HTML, images, etc., arrive intact. HTTPS (TCP 443) extends this with TLS. RFC 2616 mandates TCP.

A. SNMP (Simple Network Management Protocol):Defaults to UDP (port 161) for monitoring devices. UDP’s speed suits its lightweight queries, though TCP variants exist (rarely used).

B. NTP (Network Time Protocol):Uses UDP (port 123) per RFC 5905. UDP minimizes latency for time sync, tolerating occasional packet loss.

D. IKE (Internet Key Exchange):Part of IPsec, uses UDP (port 500) per RFC 7296. UDP suits its negotiation phase; TCP isn’t standard.

Security Implications:TCP services like HTTP are more prone to state-based attacks (e.g., SYN floods) than UDP counterparts. CNSP likely contrasts TCP vs. UDP in protocol analysis.

Why other options are incorrect:

A, B, D:All default to UDP for efficiency, not TCP’s reliability.

Real-World Context:Firewalls prioritize TCP 80/443 rules for HTTP/HTTPS, while UDP 123 is opened for NTP servers.References:CNSP Official Study Guide (Network Protocols); RFC 2616 (HTTP), RFC 1155 (SNMP).

The EICAR test file is a standardized tool in security testing, designed for a specific purpose.

Why A is correct:The EICAR file (a 68-byte string) triggers antivirus detection without harm, testing response capabilities. CNSP recommends it for AV validation.

Why B is incorrect:It has no role in testing encryption; it’s solely for AV functionality.

References:CNSP "Antivirus Testing" (Section on EICAR) describes its use for AV response verification.

The net command in Windows is a legacy tool for managing users, groups, and network resources. The subcommand net localgroup displays information about a specified local group on the machine where it’s run. Specifically:

net localgroup administrators lists all members (users and groups) of the local Administrators group on the current computer.

The local Administrators group grants elevated privileges (e.g., installing software, modifying system files) on that machine only, not domain-wide.

Output Example:

Alias name administrators

Comment Administrators have complete and unrestricted access to the computer

Members

-------------------------------------------------------------------------------

Administrator

Domain Admins

The command completed successfully.

Technical Details:

Local groups are stored in the Security Accounts Manager (SAM) database (e.g., C:\Windows\System32\config\SAM).

This differs from domain groups (e.g., Domain Admins), managed via Active Directory.

Security Implications:Enumerating local admins is a reconnaissance step in penetration testing (e.g., to escalate privileges). CNSP likely covers this command for auditing and securing Windows systems.

Why other options are incorrect:

A. List domain admin users for the current domain:This requires net group "Domain Admins" /domain, which queries the domain controller, not the local SAM. net localgroup is strictly local.

Real-World Context:Attackers use this command post-compromise (e.g., via PsExec) to identify privilege escalation targets.References:CNSP Official Documentation (Windows Security Commands); Microsoft Windows Command-Line Reference.

Network segmentation isolates network zones for security, but certain techniques can circumvent these controls, a focus of CNSP penetration testing.

Why D is correct:

A:DNS tunneling encodes data in DNS queries, bypassing segmentation via legitimate DNS traffic.

B:VLAN hopping exploits switch misconfigurations (e.g., double tagging) to access other VLANs.

C:Covert channels use hidden communication paths (e.g., timing channels) to evade segmentation.All are valid techniques per CNSP for testing segmentation controls.

Why other options are incomplete:A, B, or C alone exclude other viable methods, making D the comprehensive answer.

References:CNSP "Penetration Testing Techniques" (Section on Network Segmentation Bypass) lists DNS tunneling, VLAN hopping, and covert channels as effective methods.

Kerberos is the default authentication protocol in Windows Active Directory environments, andtickets are used to prove identity. Verifying ticket validity involves checking their status, expiration, and attributes, which requires a built-in tool available in modern Windows systems.

Why A is correct:Klist is a command-line utility included in Windows (since Vista/2008) that lists cached Kerberos tickets and their details, such as validity period and renewal status. CNSP recognizes it as the standard tool for Kerberos ticket management in security audits.

Why other options are incorrect:

B:Kerbtray is a graphical tool from the Windows Resource Kit, not a built-in utility, and is outdated.

C:Netsh manages network configurations, not Kerberos tickets.

D:"Kerberos Manager" is not a recognized built-in Windows utility; it’s a fictitious name.

References:CNSP "Authentication Protocols" (Section on Kerberos) identifies Klist as the built-in tool for ticket verification, contrasting it with deprecated or external tools.

EternalBlue(MS17-010) is an exploit targeting a buffer overflow in Microsoft’s SMB (Server Message Block) implementation, leaked by the Shadow Brokers in 2017. SMB enables file/printer sharing:

SMBv1 (1980s):Legacy, used in Windows NT/XP.

SMBv2 (2006, Vista):Enhanced performance/security.

SMBv3 (2012, Windows 8):Adds encryption, multichannel.

Vulnerability:

EternalBlue exploits a flaw inSMBv1’s SRVNET driver (srv.sys), allowing remote code execution via crafted packets. Microsoft patched it in March 2017 (MS17-010).

Affected OS: Windows XP to Server 2016 (pre-patch), if SMBv1 enabled.

Proof: WannaCry/NotPetya used it, targeting port 445/TCP.

Version Scope:

SMBv1 Only:The bug resides in SMBv1’s packet handling (e.g., TRANS2 requests). SMBv2/v3 rewrote this code, immune to the specific overflow.

Microsoft: Post-patch, SMBv1 is disabled by default (Windows 10 1709+).

Security Implications:CNSP likely stresses disabling SMBv1 (e.g., via Group Policy) and patching, as EternalBlue remains a threat in legacy environments.

Why other options are incorrect:

B, C:SMBv2/v3 aren’t vulnerable; the flaw is SMBv1-specific.

D:SMBv2 isn’t affected, only SMBv1.

Real-World Context:WannaCry’s 2017 rampage hit unpatched SMBv1 systems (e.g., NHS), costing billions.References:CNSP Official Documentation (Windows Exploits); Microsoft MS17-010 Bulletin.