Most Recent The SecOps Group CNSP Exam Dumps

Prepare for the The SecOps Group Certified Network Security Practitioner exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focus on the latest syllabus and exam objectives, our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, These Questions & Answers helps you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the The SecOps Group CNSP exam and achieve success.

The questions for CNSP were last updated on Mar 10, 2025.

Viewing page 1 out of 12 pages.
Viewing questions 1-5 out of 60 questions

Get All 60 Questions & Answers

Question No. 1

What ports does an MSSQL server typically use?

A1433/TCP, 2433/UDP, and 3433/TCP

B1433/TCP, 1434/UDP, and 1434/TCP

C1433/TCP, 2433/UDP, and 1434/TCP

D1533/TCP, 1434/UDP, and 2434/TCP

Show Answer

Correct Answer: B

Microsoft SQL Server (MSSQL) relies on specific ports for its core services, as defined by Microsoft and registered with IANA:

1433/TCP: The default port for the SQL Server Database Engine. Clients connect here for querying databases (e.g., via ODBC or JDBC). It's a well-known port, making it a frequent target for attacks if exposed.

1434/UDP: Used by the SQL Server Browser Service, which listens for incoming requests and redirects clients to the correct port/instance (especially for named instances). It's critical for discovering dynamic ports when 1433 isn't used.

1434/TCP: Less commonly highlighted but used in some configurations, such as dedicated admin connections (DAC) or when the Browser Service responds over TCP for specific instances. While 1433/TCP is the primary engine port, 1434/TCP can be involved in multi-instance setups.

Technical Details:

Ports can be customized (e.g., via SQL Server Configuration Manager), but these are defaults.

Named instances often use dynamic ports (allocated from the ephemeral range), with the Browser Service (1434/UDP) guiding clients to them.

Firewalls must allow these ports for MSSQL to function externally, posing risks if not secured (e.g., brute-force attacks on 1433/TCP).

Security Implications: CNSP likely covers MSSQL port security, as vulnerabilities like SQL Slammer (2003) exploited 1434/UDP misconfigurations. Hardening includes restricting access, changing defaults, and monitoring traffic.

Why other options are incorrect:

A . 1433/TCP, 2433/UDP, 3433/TCP: 2433/UDP and 3433/TCP are not MSSQL standards; they're likely typos or unrelated ports.

C . 1433/TCP, 2433/UDP, 1434/TCP: 2433/UDP is incorrect; 1434/UDP is the Browser Service port.

D . 1533/TCP, 1434/UDP, 2434/TCP: 1533/TCP and 2434/TCP aren't associated with MSSQL; they deviate from documented defaults.

Real-World Context: Tools like netstat -an | find '1433' on Windows confirm MSSQL's port usage during audits.

Question No. 2

What user account is required to create a Golden Ticket in Active Directory?

ALocal User account

BDomain User account

CService account

DKRBTGT account

Show Answer

Correct Answer: D

A Golden Ticket is a forged Kerberos Ticket-Granting Ticket (TGT) in Active Directory (AD), granting an attacker unrestricted access to domain resources by impersonating any user (e.g., with Domain Admin privileges). Kerberos, per RFC 4120, relies on the KRBTGT account---a built-in service account on every domain controller---to encrypt and sign TGTs. To forge a Golden Ticket, an attacker needs:

The KRBTGT password hash (NTLM or Kerberos key), typically extracted from a domain controller's memory using tools like Mimikatz.

Additional domain details (e.g., SID, domain name).

Process:

Compromise a domain controller (e.g., via privilege escalation).

Extract the KRBTGT hash (e.g., lsadump::dcsync /user:krbtgt).

Forge a TGT with arbitrary privileges using the hash (e.g., Mimikatz's kerberos::golden command).

The KRBTGT account itself isn't 'used' to create the ticket; its hash is the key ingredient. Unlike legitimate TGTs issued by the KDC, a Golden Ticket bypasses authentication checks, persisting until the KRBTGT password is reset (a rare event in most environments). CNSP likely highlights this as a high-severity AD attack vector.

Why other options are incorrect:

A . Local User account: Local accounts are machine-specific, lack domain privileges, and can't access the KRBTGT hash stored on domain controllers.

B . Domain User account: A standard user has no inherent access to domain controller credentials or the KRBTGT hash without escalation.

C . Service account: While service accounts may have elevated privileges, they don't automatically provide the KRBTGT hash unless compromised to domain admin level---still insufficient without targeting KRBTGT specifically.

Real-World Context: The 2014 Sony Pictures hack leveraged Golden Tickets, emphasizing the need for KRBTGT hash rotation post-breach (a complex remediation step).

Question No. 3

Where are the password hashes stored in a Microsoft Windows 64-bit system?

AC:\Windows\System64\config\SAM

BC:\Windows\System32\config\SAM

CC:\System64\config\SAM

DC:\Windows\config\System32\SAM

Show Answer

Correct Answer: B

Windows stores password hashes in the SAM (Security Account Manager) file, with a consistent location across 32-bit and 64-bit systems.

Why B is correct: The SAM file resides at C:\Windows\System32\config\SAM, locked during system operation for security. CNSP notes this for credential extraction risks.

Why other options are incorrect:

A: System64 does not exist; System32 is used even on 64-bit systems.

C: C:\System64 is invalid; the path starts with Windows.

D: config\System32 reverses the correct directory structure.

Question No. 4

Which one of the following is a phishing email?

AOnly A

BOnly B

CBoth A and B

DNone of the above
Explanation:

The screenshot shows an email labeled 'B' with the subject 'Verify your email address' purportedly from Apple. To determine if this is a phishing email, we need to analyze its content and characteristics against common phishing indicators as outlined in CNSP documentation. Since option A is not provided in the screenshot, we will evaluate email B and infer the context for A.
Analysis of Email B:
Sender and Branding: The email claims to be from 'Apple Support' and includes an Apple logo, which is a common tactic to establish trust. However, phishing emails often impersonate legitimate brands like Apple to deceive users.
Subject and Content: The subject 'Verify your email address' and the body requesting the user to verify their email by clicking a link ('Verify Your Email') are typical of phishing attempts. Legitimate companies like Apple may send verification emails, but the tone and context here raise suspicion.
Link Presence: The email contains a clickable link ('Verify Your Email') that is purportedly for email verification. The screenshot does not show the URL, but phishing emails often include malicious links that lead to fake login pages to steal credentials. CNSP emphasizes that unsolicited requests to click links for verification are a red flag.
Urgency and Vague Instructions: The email includes a statement, 'If you did not make this change or believe an unauthorized person has accessed your account, click here to cancel and secure your account.' This creates a sense of urgency, a common phishing tactic to prompt immediate action without critical thinking.
Generic Greeting: The email starts with 'Dear User,' a generic greeting often used in phishing emails. Legitimate companies like Apple typically personalize emails with the user's name.
Suspicious Elements: The email mentions 'your Apple ID (example@icloud.com),' which is a placeholder rather than a specific email address, further indicating a mass phishing campaign rather than a targeted, legitimate communication.
Phishing Indicators (per CNSP):
CNSP documentation on phishing identification lists several red flags:
Unsolicited requests for verification or account updates.
Generic greetings (e.g., 'Dear User' instead of a personalized name).
Presence of links that may lead to malicious sites (not verifiable in the screenshot but implied).
Urgency or threats (e.g., 'click here to cancel and secure your account').
Impersonation of trusted brands (e.g., Apple).
Email B exhibits multiple indicators: the generic greeting, unsolicited verification request, urgent call to action, and impersonation of Apple.
Option A Context:
Since the screenshot only shows email B, and the correct answer is 'Only B,' we can infer that email A (not shown) does not exhibit phishing characteristics. For example, A might be a legitimate email from Apple with proper personalization, no suspicious links, or a different context (e.g., a purchase confirmation rather than a verification request).
Evaluation of Options:
1. Only A: Incorrect, as email A is not shown, and the correct answer indicates B as the phishing email.
2. Only B: Correct. Email B shows clear phishing characteristics, such as impersonation, a generic greeting, an unsolicited verification link, and urgency, aligning with CNSP's phishing criteria.
3. Both A and B: Incorrect, as A is implied to be non-phishing based on the correct answer.
4. None of the above: Incorrect, as B is a phishing email.
Conclusion: Email B is a phishing email due to its impersonation of Apple, generic greeting, unsolicited verification request with a link, and use of urgency to prompt action. Since A is not shown but implied to be non-phishing, the correct answer is 'Only B.'

Show Answer

Correct Answer: B

Question No. 5

Where are the password hashes stored in the Linux file system?

A/etc/passwd

B/etc/password

C/etc/shadow

D/usr/bin/shadow

Show Answer

Correct Answer: C

In Linux, password hashes are stored in a secure file to protect user authentication data. The evolution of Linux security practices moved password storage from plaintext or weakly protected files to a more secure location.

Why C is correct: The /etc/shadow file is the standard location for storing password hashes in modern Linux systems. This file is readable only by the root user, enhancing security by restricting access. It contains encrypted password hashes (typically using algorithms like SHA-512), along with user details such as password expiration policies. CNSP documentation on Linux security emphasizes /etc/shadow as the authoritative source for password hashes, replacing older methods.

Why other options are incorrect:

A . /etc/passwd: Historically, /etc/passwd stored passwords in plaintext or weakly hashed forms (e.g., using DES), but modern systems use it only for user account information (e.g., UID, GID, home directory) and reference /etc/shadow for hashes.

B . /etc/password: This is not a valid file in the Linux file system; it appears to be a typographical error or misunderstanding, with no recognized role in password storage.

D . /usr/bin/shadow: /usr/bin contains executable binaries, not configuration or data files like password hashes. /etc/shadow is the correct path.

Unlock All Questions for The SecOps Group CNSP Exam

Full Exam Access, Actual Exam Questions, Validated Answers, Anytime Anywhere, No Download Limits, No Practice Limits

Get All 60 Questions & Answers