Which built-in Windows utility can be used to verify the validity of a Kerberos ticket?
Klist
Kerbtray
Netsh
Kerberos Manager
Kerberos is the default authentication protocol in Windows Active Directory environments, andtickets are used to prove identity. Verifying ticket validity involves checking their status, expiration, and attributes, which requires a built-in tool available in modern Windows systems.
Why A is correct:Klist is a command-line utility included in Windows (since Vista/2008) that lists cached Kerberos tickets and their details, such as validity period and renewal status. CNSP recognizes it as the standard tool for Kerberos ticket management in security audits.
Why other options are incorrect:
B:Kerbtray is a graphical tool from the Windows Resource Kit, not a built-in utility, and is outdated.
C:Netsh manages network configurations, not Kerberos tickets.
D:"Kerberos Manager" is not a recognized built-in Windows utility; it’s a fictitious name.
References:CNSP "Authentication Protocols" (Section on Kerberos) identifies Klist as the built-in tool for ticket verification, contrasting it with deprecated or external tools.
What ports can be queried to perform a DNS zone transfer?
53/TCP
53/UDP
Both 1 and 2
None of the above
A DNS zone transfer involves replicating the DNS zone data (e.g., all records for a domain) from a primary to a secondary DNS server, requiring a reliable transport mechanism.
Why A is correct:DNS zone transfers use TCP port 53 because TCP ensures reliable,ordered delivery of data, which is critical for transferring large zone files. CNSP notes that TCP is the standard protocol for zone transfers (e.g., AXFR requests), as specified in RFC 5936.
Why other options are incorrect:
B. 53/UDP:UDP port 53 is used for standard DNS queries and responses due to its speed and lower overhead, but it is not suitable for zone transfers, which require reliability over speed.
C. Both 1 and 2:This is incorrect because zone transfers are exclusively TCP-based, not UDP-based.
D. None of the above:Incorrect, as 53/TCP is the correct port for DNS zone transfers.
References:CNSP "DNS Security Practices" (Section on Zone Transfers) specifies TCP port 53 as the protocol for secure and reliable zone transfer operations.
What is the response from an open UDP port which is behind a firewall (port is open on the firewall)?
ICMP message showing Port Unreachable
No response
A SYN Packet
A FIN Packet
UDP (User Datagram Protocol), per RFC 768, is connectionless, lacking TCP’s handshake or acknowledgment mechanisms. When a UDP packet reaches a port:
Closed Port:The host typically sends an ICMP "Destination Port Unreachable" (Type 3, Code 3) unless suppressed (e.g., by firewall or OS settings).
Open Port:If a service is listening (e.g., DNS on 53/UDP), it processes the packet but doesn’t inherently reply unless the application protocol requires it (e.g., DNS sends a response).
Scenario:Anopen UDP port behind a firewall, with the firewall rule allowing traffic (e.g., permit udp any host 10.0.0.1 eq 123). The packet reaches the service, but UDP itself doesn’t mandate a response. Most services (e.g., NTP, SNMP) only reply if the packet matches an expected request. In this question’s generic context (no specific service),no responseis the default, as the firewall permits the packet, and the open port silently accepts it without feedback.
Security Implications:This silence makes UDP ports harder to scan (e.g., Nmap assumes "open|filtered" for no response), but exposed open ports risk amplification attacks (e.g., DNS reflection). CNSP likely contrasts UDP’s behavior with TCP for firewall rule crafting.
Why other options are incorrect:
A. ICMP message showing Port Unreachable:Occurs for closed ports, not open ones, unless the service explicitly rejects the packet (rare).
C. A SYN Packet:SYN is TCP-specific (handshake initiation), irrelevant to UDP.
D. A FIN Packet:FIN is TCP-specific (connection closure), not UDP.
Real-World Context:Testing UDP 53 (DNS) with dig @8.8.8.8 +udp yields a response, but generic UDP probes (e.g., nc -u) often get silence.References:CNSP Official Documentation (UDP and Firewall Behavior); RFC 768 (UDP).
What is the response from an open TCP port which is not behind a firewall?
A FIN and an ACK packet
A SYN packet
A SYN and an ACK packet
A RST and an ACK packet
TCP’sthree-way handshake, per RFC 793, establishes a connection:
Client → Server:SYN (Synchronize) packet (e.g., port 80).
Server → Client:SYN-ACK (Synchronize-Acknowledge) packet if the port is open and listening.
Client → Server:ACK (Acknowledge) completes the connection.
Scenario:Anopen TCP port(e.g., 80 for HTTP) with no firewall. When a client sends a SYN to an open port (e.g., via telnet 192.168.1.1 80), the server responds with aSYN-ACKpacket, indicating willingness to connect. No firewall means no filtering alters this standard response.
Packet Details:
SYN-ACK: Sets SYN and ACK flags in the TCP header, with a sequence number and acknowledgment number.
Example: Client SYN (Seq=100), Server SYN-ACK (Seq=200, Ack=101).
Security Implications:Open ports responding with SYN-ACK are easily detected (e.g., Nmap “open” state), inviting exploits if unneeded (e.g., Telnet on 23). CNSP likely stresses port minimization and monitoring.
Why other options are incorrect:
A. A FIN and an ACK packet:FIN-ACK closes an established connection, not a response to a new SYN.
B. A SYN packet:SYN initiates a connection from the client, not a server response.
D. A RST and an ACK packet:RST-ACK rejects a connection (e.g., closed port), not an open one.
Real-World Context:SYN-ACK from SSH (22/TCP) confirms a server’s presence during reconnaissance.References:CNSP Official Documentation (TCP/IP Fundamentals); RFC 793 (TCP).
On a Microsoft Windows operating system, what does the following command do?
net localgroup Sales Sales_domain /add
Display the list of the users of a local group Sales
Add a domain group to the local group Sales
Add a new user to the local group Sales
Add a local group Sales to the domain group
The net localgroup command manages local group memberships on Windows systems, with syntax dictating its action.
Why B is correct:net localgroup Sales Sales_domain /add adds the domain group Sales_domain to the local group Sales, granting its members local group privileges. CNSP covers this for privilege escalation testing.
Why other options are incorrect:
A:Displaying users requires net localgroup Sales without /add.
C:Adding a user requires a username, not a group name like Sales_domain.
D:The reverse (local to domain) uses net group, not net localgroup.
References:CNSP "Windows Group Management" (Section on net Commands) explains net localgroup for adding domain groups.
You are performing a security audit on a company's infrastructure and have discovered that the domain name system (DNS) server is vulnerable to a DNS cache poisoning attack. What is the primary security risk?
The primary risk is that an attacker could redirect traffic to a malicious website and steal sensitive information.
The primary risk is that an attacker could manipulate the cache of the web server or proxy server to return incorrect content for a specific URL or web page.
DNS cache poisoning, also known as DNS spoofing, involves an attacker injecting false DNS records into a resolver’s cache, altering how domain names resolve.
Why A is correct:The primary risk is that an attacker can redirect users to maliciouswebsites (e.g., phishing or malware sites) by poisoning the DNS cache with fake IP addresses. This can lead to credential theft, data exfiltration, or malware distribution. CNSP identifies this as the core threat of DNS cache poisoning, aligning with real-world attack vectors.
Why other option is incorrect:
B. Manipulate the cache of the web server or proxy server:This describes web cache poisoning, a different attack targeting HTTP caches, not DNS servers. DNS cache poisoning affects DNS resolution, not web or proxy server caches directly.
References:CNSP "DNS Security Threats" (Section on Cache Poisoning) defines the primary risk as traffic redirection to malicious sites, distinguishing it from web cache manipulation.
The Management Information Base (MIB) is a collection of object groups that is managed by which service?
SMTP
SNMP
NTP
TACACS
TheManagement Information Base (MIB)is a structured database defining manageable objects (e.g., CPU usage, interface status) in a network device. It’s part of theSNMP (Simple Network Management Protocol)framework, per RFC 1157, used for monitoring and managing network devices (e.g., routers, switches).
SNMP Mechanics:
MIB Structure:Hierarchical, with Object Identifiers (OIDs) like 1.3.6.1.2.1.1.1.0 (sysDescr).
Versions:SNMPv1, v2c (community strings), v3 (encrypted).
Ports:UDP 161 (agent), 162 (traps).
Operation:Agents expose MIB data; managers (e.g., Nagios) query it via GET/SET commands.
MIB files (e.g., IF-MIB, HOST-RESOURCES-MIB) are vendor-specific or standardized, parsed by SNMP tools (e.g., snmpwalk). CNSP likely covers SNMP for network monitoring and securing it against enumeration (e.g., weak community strings like "public").
Why other options are incorrect:
A. SMTP (Simple Mail Transfer Protocol):Email delivery (TCP 25), unrelated to MIB or device management.
C. NTP (Network Time Protocol):Time synchronization (UDP 123), not MIB-related.
D. TACACS (Terminal Access Controller Access-Control System):Authentication/authorization (TCP 49), not MIB management.
Real-World Context:SNMP misconfiguration led to the 2018 Cisco switch exploits via exposed MIB data.References:CNSP Official Study Guide (Network Monitoring Protocols); RFC 1157 (SNMP).
The Active Directory database file stores the data and schema information for the Active Directory database on domain controllers in Microsoft Windows operating systems. Which of the following file is the Active Directory database file?
NTDS.DAT
NTDS.MDB
MSAD.MDB
NTDS.DIT
The Active Directory (AD) database on Windows domain controllers contains critical directory information, stored in a specific file format.
Why D is correct:The NTDS.DIT file (NT Directory Services Directory Information Tree) is the Active Directory database file, located in C:\Windows\NTDS\ on domain controllers. It stores all AD objects (users, groups, computers) and schema data in a hierarchical structure. CNSP identifies NTDS.DIT as the key file for AD data extraction in securityaudits.
Why other options are incorrect:
A. NTDS.DAT:Not a valid AD database file; may be a confusion with other system files.
B. NTDS.MDB:Refers to an older Microsoft Access database format, not used for AD.
C. MSAD.MDB:Not a recognized file for AD; likely a misnomer.
References:CNSP "Windows Active Directory Security" (Section on Database Files) confirms NTDS.DIT as the Active Directory database file.
Which SMB (Server Message Block) network protocol version introduced support for encrypting SMB traffic?
SMBv1
SMBv2
SMBv3
None of the above
The SMB protocol, used for file and printer sharing, has evolved across versions, with significant security enhancements in later iterations.
Why C is correct:SMBv3, introduced with Windows 8 and Server 2012, added native support for encrypting SMB traffic. This feature uses AES-CCM encryption to protect data in transit, addressing vulnerabilities in earlier versions. CNSP notes SMBv3’s encryption as a critical security improvement.
Why other options are incorrect:
A. SMBv1:Lacks encryption support and is considered insecure, often disabled due to vulnerabilities like WannaCry exploitation.
B. SMBv2:Introduces performance improvements but does not support encryption natively.
D. None of the above:Incorrect, as SMBv3 is the version that introduced encryption.
References:CNSP "File Sharing Protocols" (Section on SMB Versions) details SMBv3’s encryption feature, contrasting it with the limitations of SMBv1 and SMBv2.
Which of the following services do not encrypt its traffic by default?
DNS
SSH
FTPS
All of these
Encryption ensures confidentiality and integrity of network traffic. Analyzing defaults:
A. DNS (Domain Name System):
Default: Unencrypted (UDP/TCP 53), per RFC 1035. Queries/responses (e.g., “google.com → 142.250.190.14”) are plaintext.
Modern Options: DNS over HTTPS (DoH, TCP 443) or DNS over TLS (DoT, TCP 853) encrypt, but aren’t default in most systems (e.g., pre-2020 Windows).
B. SSH (Secure Shell):
Default: Encrypted (TCP 22), per RFC 4251. Uses asymmetric (e.g., RSA) and symmetric (e.g., AES) crypto for all sessions.
C. FTPS (FTP Secure):
Default: Encrypted (TCP 21 control, dynamic data ports). Extends FTP with SSL/TLS (e.g., RFC 4217), securing file transfers.
Technical Details:
DNS: Plaintext exposes queries to eavesdropping (e.g., ISP snooping) or spoofing (e.g., cache poisoning).
SSH/FTPS: Encryption is baked into their standards; disabling it requires explicit misconfiguration.
Security Implications:Unencrypted DNS risks privacy and integrity (e.g., Kaminsky attack). CNSP likely pushes DoH/DoT adoption.
Why other options are incorrect:
B, C:Encrypt by default.
D:False, as only DNS lacks default encryption.
Real-World Context:The 2013 Snowden leaks exposed DNS monitoring; DoH uptake (e.g., Cloudflare 1.1.1.1) counters this.References:CNSP Official Study Guide (Protocol Security); RFC 1035 (DNS), RFC 4251 (SSH).
You are performing a security audit on a company's network infrastructure and have discovered the SNMP community string set to the default value of "public" on several devices. What security risks could this pose, and how might you exploit it?
The potential risk is that an attacker could use the SNMP protocol to gather sensitive information about the devices. You might use a tool like Snmpwalk to query the devices for information.
The potential risk is that an attacker could use the SNMP protocol to modify the devices' configuration settings. You might use a tool like Snmpset to change the settings.
Both A and B.
None of the above.
SNMP (Simple Network Management Protocol) uses community strings as a basic form of authentication. The default read-only community string "public" is widely known, and if leftunchanged, it exposes devices to unauthorized access. The primary risk with "public" is information disclosure, as it typically grants read-only access, allowing attackers to gather sensitive data (e.g., device configurations, network topology) without altering settings.
Why A is correct:With the "public" string, an attacker can use tools like snmpwalk to enumerate device details (e.g., system uptime, interfaces, or software versions) via SNMP queries. This aligns with CNSP’s focus on reconnaissance risks during security audits, emphasizing the danger of default credentials enabling passive data collection.
Why other options are incorrect:
B:While modifying settings is a risk with SNMP, the default "public" string is typically read-only. Changing configurations requires a read-write community string (e.g., "private"), which isn’t implied here. Thus, snmpset would not work with "public" alone.
C:Since B is incorrect in this context, C (both A and B) cannot be the answer.
D:The risk in A is valid, so "none of the above" is incorrect.
References:CNSP "Network Device Security" (Section on SNMP Security) highlights the reconnaissance risk of default "public" strings and tools like snmpwalk for exploitation, distinguishing read-only from read-write access.
Which of the following attacks are associated with an ICMP protocol?
Ping of death
Smurf attack
ICMP flooding
All of the following
ICMP (Internet Control Message Protocol), per RFC 792, handles diagnostics (e.g., ping) and errors in IP networks. It’s exploitable in:
A. Ping of Death:
Method: Sends oversized ICMP Echo Request packets (>65,535 bytes) via fragmentation. Reassembly overflows buffers, crashing older systems (e.g., Windows 95).
Fix: Modern OSes cap packet size (e.g., ping -s 65500).
B. Smurf Attack:
Method: Spoofs ICMP Echo Requests to a network’s broadcast address (e.g., 192.168.255.255). All hosts reply, flooding the victim.
Amplification: 100 hosts = 100x traffic.
C. ICMP Flooding:
Method: Overwhelms a target with ICMP Echo Requests (e.g., ping -f), consuming bandwidth/CPU.
Variant: BlackNurse attack targets firewalls.
Technical Details:
ICMP Type 8 (Echo Request), Type 0 (Echo Reply) are key.
Mitigation: Rate-limit ICMP, disable broadcasts (e.g., no ip directed-broadcast).
Security Implications:ICMP attacks are DoS vectors. CNSP likely teaches filtering (e.g., iptables -p icmp -j DROP) balanced with diagnostics need.
Why other options are incorrect:
A, B, C individually:All are ICMP-based; D is comprehensive.
Real-World Context:Smurf attacks peaked in the 1990s; modern routers block them by default.References:CNSP Official Study Guide (Network Attacks); RFC 792 (ICMP).
Which one of the following services is not a UDP-based protocol?
SNMP
NTP
IKE
SSH
Protocols are defined by their transport layer usage (TCP or UDP), impacting their security and performance characteristics.
Why D is correct:SSH (Secure Shell) uses TCP (port 22) for reliable, connection-oriented communication, unlike the UDP-based options. CNSP contrasts TCP and UDP protocol security.
Why other options are incorrect:
A:SNMP uses UDP (ports 161, 162) for lightweight network management.
B:NTP uses UDP (port 123) for time synchronization.
C:IKE (IPsec key exchange) uses UDP (ports 500, 4500).
References:CNSP "Network Protocols" (Section on Transport Layer) identifies SSH as TCP-based, others as UDP.
On a Microsoft Windows Operating System, what does the following command do?
net localgroup administrators
List domain admin users for the current domain
Displays the local administrators group on the computer
The net command in Windows is a legacy tool for managing users, groups, and network resources. The subcommand net localgroup
net localgroup administrators lists all members (users and groups) of the local Administrators group on the current computer.
The local Administrators group grants elevated privileges (e.g., installing software, modifying system files) on that machine only, not domain-wide.
Output Example:
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
The command completed successfully.
Technical Details:
Local groups are stored in the Security Accounts Manager (SAM) database (e.g., C:\Windows\System32\config\SAM).
This differs from domain groups (e.g., Domain Admins), managed via Active Directory.
Security Implications:Enumerating local admins is a reconnaissance step in penetration testing (e.g., to escalate privileges). CNSP likely covers this command for auditing and securing Windows systems.
Why other options are incorrect:
A. List domain admin users for the current domain:This requires net group "Domain Admins" /domain, which queries the domain controller, not the local SAM. net localgroup is strictly local.
Real-World Context:Attackers use this command post-compromise (e.g., via PsExec) to identify privilege escalation targets.References:CNSP Official Documentation (Windows Security Commands); Microsoft Windows Command-Line Reference.
What ports does an MSSQL server typically use?
1433/TCP, 2433/UDP, and 3433/TCP
1433/TCP, 1434/UDP, and 1434/TCP
1433/TCP, 2433/UDP, and 1434/TCP
1533/TCP, 1434/UDP, and 2434/TCP
Microsoft SQL Server (MSSQL) relies on specific ports for its core services, as defined by Microsoft and registered with IANA:
1433/TCP:The default port for the SQL Server Database Engine. Clients connect here for querying databases (e.g., via ODBC or JDBC). It’s a well-known port, making it a frequent target for attacks if exposed.
1434/UDP:Used by theSQL Server Browser Service, which listens for incoming requests and redirects clients to the correct port/instance (especially for named instances). It’s critical for discovering dynamic ports when 1433 isn’t used.
1434/TCP:Less commonly highlighted but used in some configurations, such as dedicated admin connections (DAC) or when the Browser Service responds over TCP for specific instances. While 1433/TCP is the primary engine port, 1434/TCP can be involved in multi-instance setups.
Technical Details:
Ports can be customized (e.g., via SQL Server Configuration Manager), but these are defaults.
Named instances often use dynamic ports (allocated from the ephemeral range), with the Browser Service (1434/UDP) guiding clients to them.
Firewalls must allow these ports for MSSQL to function externally, posing risks if not secured (e.g., brute-force attacks on 1433/TCP).
Security Implications:CNSP likely covers MSSQL port security, as vulnerabilities like SQL Slammer (2003) exploited 1434/UDP misconfigurations. Hardening includes restricting access, changing defaults, and monitoring traffic.
Why other options are incorrect:
A. 1433/TCP, 2433/UDP, 3433/TCP:2433/UDP and 3433/TCP are not MSSQL standards; they’re likely typos or unrelated ports.
C. 1433/TCP, 2433/UDP, 1434/TCP:2433/UDP is incorrect; 1434/UDP is the Browser Service port.
D. 1533/TCP, 1434/UDP, 2434/TCP:1533/TCP and 2434/TCP aren’t associated with MSSQL; they deviate from documented defaults.
Real-World Context:Tools like netstat -an | find "1433" on Windows confirm MSSQL’s port usage during audits.References:CNSP Official Documentation (Database Security and Ports); Microsoft SQL Server Documentation, IANA Port Registry.
TESTED 16 Jul 2026
