The SecOps Group Certified Network Security Practitioner (CNSP) CNSP Exam Dumps: Updated Questions & Answers (October 2025)

TCP (Transmission Control Protocol) ensures reliable, ordered data delivery via a connection-oriented handshake, contrasting with UDP’s lightweight, connectionless approach. Analyzing each service:

C. HTTP (Hypertext Transfer Protocol):Uses TCP (port 80) for web traffic. TCP’s reliability ensures HTML, images, etc., arrive intact. HTTPS (TCP 443) extends this with TLS. RFC 2616 mandates TCP.

A. SNMP (Simple Network Management Protocol):Defaults to UDP (port 161) for monitoring devices. UDP’s speed suits its lightweight queries, though TCP variants exist (rarely used).

B. NTP (Network Time Protocol):Uses UDP (port 123) per RFC 5905. UDP minimizes latency for time sync, tolerating occasional packet loss.

D. IKE (Internet Key Exchange):Part of IPsec, uses UDP (port 500) per RFC 7296. UDP suits its negotiation phase; TCP isn’t standard.

Security Implications:TCP services like HTTP are more prone to state-based attacks (e.g., SYN floods) than UDP counterparts. CNSP likely contrasts TCP vs. UDP in protocol analysis.

Why other options are incorrect:

A, B, D:All default to UDP for efficiency, not TCP’s reliability.

Real-World Context:Firewalls prioritize TCP 80/443 rules for HTTP/HTTPS, while UDP 123 is opened for NTP servers.References:CNSP Official Study Guide (Network Protocols); RFC 2616 (HTTP), RFC 1155 (SNMP).

A null session in Windows is an unauthenticated connection to certain administrative shares, historically used for system enumeration. The net use command connects to a share, and the IPC$ (Inter-Process Communication) share is the standard target for null sessions, allowing access without credentials when configured to permit it.

Why C is correct:The command net use \\hostname\ipc$ "" /u:"" specifies the IPC$ share and uses empty strings for the password (first "") and username (/u:""), establishing a null session. This syntax is correct for older Windows systems (e.g., XP or 2003) where null sessions were more permissive, a topic covered in CNSP for legacy system vulnerabilities.

Why other options are incorrect:

A:Targets the c$ share (not typically used for null sessions) and uses /u:NULL, which is invalid syntax; the username must be an empty string ("").

B:Targets c$ instead of ipc$, making it incorrect for null session establishment.

D:Uses ipc$ correctly but specifies /u:NULL, which is not the proper way to denote an empty username.

References:CNSP "Windows Security Basics" (Section on Null Session Exploitation) details the use of net use with IPC$ for enumeration, noting syntax and historical vulnerabilities.

A DNS zone transfer involves replicating the DNS zone data (e.g., all records for a domain) from a primary to a secondary DNS server, requiring a reliable transport mechanism.

Why A is correct:DNS zone transfers use TCP port 53 because TCP ensures reliable,ordered delivery of data, which is critical for transferring large zone files. CNSP notes that TCP is the standard protocol for zone transfers (e.g., AXFR requests), as specified in RFC 5936.

Why other options are incorrect:

B. 53/UDP:UDP port 53 is used for standard DNS queries and responses due to its speed and lower overhead, but it is not suitable for zone transfers, which require reliability over speed.

C. Both 1 and 2:This is incorrect because zone transfers are exclusively TCP-based, not UDP-based.

D. None of the above:Incorrect, as 53/TCP is the correct port for DNS zone transfers.

References:CNSP "DNS Security Practices" (Section on Zone Transfers) specifies TCP port 53 as the protocol for secure and reliable zone transfer operations.

The Windows Registry is a hierarchical database storing system and application settings, organized into predefined root keys (hives). Only specific names are valid as top-level keys.

Why A is correct:HKEY_LOCAL_MACHINE (HKLM) is a standard root key containing hardware and system-wide configuration data. CNSP references it for security settings analysis (e.g., auditing policies).

Why other options are incorrect:

B:HKEY_INTERNAL_CONFIG is not a valid key; no such hive exists.

C:HKEY_ROOT_CLASSES is a misspelling; the correct key is HKEY_CLASSES_ROOT (HKCR).

D:HKEY_LOCAL_USER is incorrect; the valid key is HKEY_CURRENT_USER (HKCU).

References:CNSP "Windows Registry Security" (Section on Registry Structure) lists HKEY_LOCAL_MACHINE as a valid hive, detailing its role in system configuration.

AGolden Ticketis a forged Kerberos Ticket-Granting Ticket (TGT) in Active Directory (AD), granting an attacker unrestricted access to domain resources by impersonating any user (e.g., with Domain Admin privileges). Kerberos, per RFC 4120, relies on theKRBTGTaccount—a built-in service account on every domain controller—to encrypt and sign TGTs. To forge a Golden Ticket, an attacker needs:

TheKRBTGT password hash(NTLM or Kerberos key), typically extracted from a domain controller’s memory using tools like Mimikatz.

Additional domain details (e.g., SID, domain name).

Process:

Compromise a domain controller (e.g., via privilege escalation).

Extract the KRBTGT hash (e.g., lsadump::dcsync /user:krbtgt).

Forge a TGT with arbitrary privileges using the hash (e.g., Mimikatz’s kerberos::golden command).

The KRBTGT account itself isn’t "used" to create the ticket; its hash is the key ingredient. Unlike legitimate TGTs issued by the KDC, a Golden Ticket bypasses authentication checks, persisting until the KRBTGT password is reset (a rare event in most environments). CNSP likely highlights this as a high-severity AD attack vector.

Why other options are incorrect:

A. Local User account:Local accounts are machine-specific, lack domain privileges, and can’t access the KRBTGT hash stored on domain controllers.

B. Domain User account:A standard user has no inherent access to domain controller credentials or the KRBTGT hash without escalation.

C. Service account:While service accounts may have elevated privileges, they don’t automatically provide the KRBTGT hash unless compromised to domain admin level—still insufficient without targeting KRBTGT specifically.

Real-World Context:The 2014 Sony Pictures hack leveraged Golden Tickets, emphasizing the need for KRBTGT hash rotation post-breach (a complex remediation step).References:CNSP Official Study Guide (Active Directory Attacks); RFC 4120 (Kerberos), Microsoft AD Security Guidelines.

An IP address with a/18prefix (CIDR notation) indicates 18 network bits in the subnet mask, leaving 14 host bits (32 total bits - 18). For IPv4 (e.g., 192.168.0.1):

Binary Mask:First 18 bits are 1s, rest 0s.

1st octet: 11111111 (255)

2nd octet: 11111111 (255)

3rd octet: 11000000 (192)

4th octet: 00000000 (0)

Decimal:255.255.192.0

Calculation:

Bits: /18 = 2^14 hosts (16,384), minus 2 (network/broadcast) = 16,382 usable.

Range: 192.168.0.0–192.168.63.255 (3rd octet: 0–63, as 192 = 11000000 covers 6 bits).

Technical Details:

Subnet masks align on octet boundaries or mid-octet (e.g., 192 = 2^7 + 2^6).

Contrast: /24 = 255.255.255.0 (256 hosts), /16 = 255.255.0.0 (65,536 hosts).

Security Implications:Larger subnets (e.g., /18) increase broadcast domains, risking amplification attacks. CNSP likely teaches subnetting for segmentation (e.g., VLANs).

Why other options are incorrect:

A. 255.255.255.0:/24 (8 host bits), not /18.

B. 255.225.225.0:Invalid mask (225 = 11100001, non-contiguous 1s).

D. 255.225.192.0:Invalid (225 breaks binary sequence).

Real-World Context:Subnetting 192.168.0.0/18 isolates departments in enterprise networks.References:CNSP Official Documentation (IP Addressing); RFC 1918 (Private IP).

The prefix $2a$ identifies thebcrypthashing algorithm, which is based on the Blowfish symmetric encryption cipher (developed by Bruce Schneier). Bcrypt is purpose-built for password hashing, incorporating:

Salt:A random string (e.g., 22 Base64 characters) to thwart rainbow table attacks.

Work Factor:A cost parameter (e.g., $2a$10$ means 2^10 iterations), making it computationally expensive to brute-force.

Format:$2a$[cost]$[salt][hash]

Example: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

$2a$: Bcrypt variant (original is $2$; $2a$ fixes a minor bug).

$10$: 1024 iterations.

Next 22 characters: Salt.

Remaining: Hashed password.

Used in /etc/shadow on Linux, bcrypt’s adaptive nature ensures it remains secure as hardware improves. CNSP likely includes it in cryptography modules for its strength over older algorithms like MD5.

Why other options are incorrect:

B. SHA256:Part of the SHA-2 family, outputs a 64-character hexadecimal string (e.g., e3b0c442...), no $ prefix. It’s faster, less suited for passwords.

C. MD5:Produces a 32-character hex string (e.g., d41d8cd9...), no prefix. It’s cryptographically broken (collisions found).

D. SHA512:SHA-2 variant, 128-character hex (e.g., cf83e135...), no $ prefix, not salted by default.

Real-World Context:Bcrypt protects SSH keys and web app passwords (e.g., in PHP’s password_hash()).References:CNSP Official Documentation (Cryptography); Bcrypt Specification, RFC 1321 (MD5).

The SMB protocol, used for file and printer sharing, has evolved across versions, with significant security enhancements in later iterations.

Why C is correct:SMBv3, introduced with Windows 8 and Server 2012, added native support for encrypting SMB traffic. This feature uses AES-CCM encryption to protect data in transit, addressing vulnerabilities in earlier versions. CNSP notes SMBv3’s encryption as a critical security improvement.

Why other options are incorrect:

A. SMBv1:Lacks encryption support and is considered insecure, often disabled due to vulnerabilities like WannaCry exploitation.

B. SMBv2:Introduces performance improvements but does not support encryption natively.

D. None of the above:Incorrect, as SMBv3 is the version that introduced encryption.

References:CNSP "File Sharing Protocols" (Section on SMB Versions) details SMBv3’s encryption feature, contrasting it with the limitations of SMBv1 and SMBv2.

EternalBlue(MS17-010) is an exploit targeting a buffer overflow in Microsoft’s SMB (Server Message Block) implementation, leaked by the Shadow Brokers in 2017. SMB enables file/printer sharing:

SMBv1 (1980s):Legacy, used in Windows NT/XP.

SMBv2 (2006, Vista):Enhanced performance/security.

SMBv3 (2012, Windows 8):Adds encryption, multichannel.

Vulnerability:

EternalBlue exploits a flaw inSMBv1’s SRVNET driver (srv.sys), allowing remote code execution via crafted packets. Microsoft patched it in March 2017 (MS17-010).

Affected OS: Windows XP to Server 2016 (pre-patch), if SMBv1 enabled.

Proof: WannaCry/NotPetya used it, targeting port 445/TCP.

Version Scope:

SMBv1 Only:The bug resides in SMBv1’s packet handling (e.g., TRANS2 requests). SMBv2/v3 rewrote this code, immune to the specific overflow.

Microsoft: Post-patch, SMBv1 is disabled by default (Windows 10 1709+).

Security Implications:CNSP likely stresses disabling SMBv1 (e.g., via Group Policy) and patching, as EternalBlue remains a threat in legacy environments.

Why other options are incorrect:

B, C:SMBv2/v3 aren’t vulnerable; the flaw is SMBv1-specific.

D:SMBv2 isn’t affected, only SMBv1.

Real-World Context:WannaCry’s 2017 rampage hit unpatched SMBv1 systems (e.g., NHS), costing billions.References:CNSP Official Documentation (Windows Exploits); Microsoft MS17-010 Bulletin.

Authentication and Authorization (often abbreviated as AuthN and AuthZ) are foundational pillars of access control in network security:

Authentication (AuthN):Verifies "who you are" by validating credentials against a trusted source. Examples include passwords, MFA (multi-factor authentication), certificates, or biometrics. It ensures the entity (user, device) is legitimate, typically via protocols like Kerberos or LDAP.

Authorization (AuthZ):Determines "what you can do" after authentication, enforcing policies on resource access (e.g., read/write permissions, API calls). It relies on mechanisms like Access Control Lists (ACLs), Role-Based Access Control (RBAC), or Attribute-Based Access Control (ABAC).

Option Acorrectly separates these roles:

Authorization governs access decisions (e.g., "Can user X read file Y?").

Authentication establishes identity (e.g., "Is this user X?").

In practice, these processes are sequential: AuthN precedes AuthZ. For example, logging into a VPN authenticates your identity (e.g., via username/password), then authorizes your access to specific subnets based on your role. CNSP likely stresses this distinction for designing secure systems, as conflating them risks privilege escalation or identity spoofing vulnerabilities.

Why other options are incorrect:

B:Reverses the definitions—Authentication doesn’t grant/deny access (that’s AuthZ), and Authorization doesn’t validate identity (that’s AuthN). This mix-up could lead to flawed security models.

C:Falsely equates AuthN and AuthZ and attributes access rules to AuthN. They’re distinct processes; treating them as identical undermines granular control (e.g., NIST SP 800-53 separates IA-2 for AuthN and AC-3 for AuthZ).

D:Misassigns access control to AuthN and claims they don’t interoperate, which is false—they work together in every modern system (e.g., SSO with RBAC). This would render auditing impossible, contradicting security best practices.

Real-World Context:A web server (e.g., Apache) authenticates via HTTP Basic Auth, then authorizes via .htaccess rules—two separate steps.References:CNSP Official Study Guide (Access Control Fundamentals); NIST SP 800-53 (Security and Privacy Controls).