
CNSP Exam Valid Dumps Questions

The document provides information about the CNSP Certified Network Security Practitioner exam, including features of exam dumps, sample questions, and explanations for correct answers. It covers various topics such as null sessions, vulnerabilities in SMB protocols, social engineering attacks, and the creation of Golden Tickets in Active Directory. Additionally, it emphasizes the importance of understanding these concepts for passing the CNSP exam and improving network security practices.

Uploaded by

Zabrocki Archie

CNSP Certified Network Security Practitioner (CNSP) exam dumps questions are
the best material for you to test all the related The SecOps Group exam topics.
By using the CNSP exam dumps questions and practicing your skills, you can
increase your confidence and chances of passing the CNSP exam.

Features of Dumpsinfo’s products

Instant Download
Free Update in 3 Months
Money back guarantee
PDF and Software
24/7 Customer Support

Besides, Dumpsinfo also provides unlimited access. You can get all
Dumpsinfo files at lowest price.

Certified Network Security Practitioner (CNSP) CNSP exam free dumps
questions are available below for you to study.

Full version: CNSP Exam Dumps Questions

1.How would you establish a null session to a Windows host from a Windows command prompt?
A. net use \\hostname\c$ "" /u:NULL
B. net use \\hostname\c$ "" /u:""
C. net use \\hostname\ipc$ "" /u:""
D. net use \\hostname\ipc$ "" /u:NULL
Answer: C
Explanation:
A null session in Windows is an unauthenticated connection to certain administrative shares,
historically used for system enumeration. The net use command connects to a share, and the IPC$
(Inter-Process Communication) share is the standard target for null sessions, allowing access without
credentials when configured to permit it.
Why C is correct: The command net use \\hostname\ipc$ "" /u:"" specifies the IPC$ share and uses
empty strings for the password (first "") and username (/u:""), establishing a null session. This syntax
is correct for older Windows systems (e.g., XP or 2003) where null sessions were more permissive, a
topic covered in CNSP for legacy system vulnerabilities.
Why other options are incorrect:
A: Targets the c$ share (not typically used for null sessions) and uses /u:NULL, which is invalid
syntax; the username must be an empty string ("").
B: Targets c$ instead of ipc$, making it incorrect for null session establishment.
D: Uses ipc$ correctly but specifies /u:NULL, which is not the proper way to denote an empty
username.
Reference: CNSP "Windows Security Basics" (Section on Null Session Exploitation) details the use of
net use with IPC$ for enumeration, noting syntax and historical vulnerabilities.

2.Which SMB (Server Message Block) network protocol versions are vulnerable to the EternalBlue
(MS17-010) Windows exploit?
A. SMBv1 only
B. SMBv2 only
C. SMBv3 only
D. Both SMBv1 and SMBv2
Answer: A
Explanation:
EternalBlue (MS17-010) is an exploit targeting a buffer overflow in Microsoft’s SMB (Server Message
Block) implementation, leaked by the Shadow Brokers in 2017.
SMB enables file/printer sharing:
SMBv1 (1980s): Legacy, used in Windows NT/XP.
SMBv2 (2006, Vista): Enhanced performance/security.
SMBv3 (2012, Windows 8): Adds encryption, multichannel.
Vulnerability:
EternalBlue exploits a flaw in SMBv1’s SRVNET driver (srv.sys), allowing remote code execution via
crafted packets. Microsoft patched it in March 2017 (MS17-010). Affected OS: Windows XP to Server
2016 (pre-patch), if SMBv1 enabled.
Proof: WannaCry/NotPetya used it, targeting port 445/TCP.
Version Scope:
SMBv1 Only: The bug resides in SMBv1’s packet handling (e.g., TRANS2 requests). SMBv2/v3
rewrote this code, immune to the specific overflow.
Microsoft: Post-patch, SMBv1 is disabled by default (Windows 10 1709+).
Security Implications: CNSP likely stresses disabling SMBv1 (e.g., via Group Policy) and patching, as
EternalBlue remains a threat in legacy environments.
Why other options are incorrect:
B, C: SMBv2/v3 aren’t vulnerable; the flaw is SMBv1-specific.
D: SMBv2 isn’t affected, only SMBv1.
Real-World Context: WannaCry’s 2017 rampage hit unpatched SMBv1 systems (e.g., NHS), costing
billions.
Reference: CNSP Official Documentation (Windows Exploits); Microsoft MS17-010 Bulletin.
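
To find where SMBv1 is still spoken before disabling it, the sketch below classifies SMB messages from TCP/445 byte streams by protocol id (0xFF "SMB" for SMBv1, 0xFE "SMB" for SMBv2/v3) and lists the dialects offered in SMBv1 NEGOTIATE requests. It is an added example, not part of the original document; the addresses, sample frames and function names are constructed for illustration.

```python
import struct

SMB1_MAGIC = b"\xffSMB"        # SMBv1 protocol id
SMB2_MAGIC = b"\xfeSMB"        # shared by SMB 2.x and 3.x
SMB1_COM_NEGOTIATE = 0x72

def frames(stream):
    """Split a TCP/445 byte stream into SMB messages (zero byte + 3-byte length prefix)."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        msg = stream[pos + 4:pos + 4 + length]
        if len(msg) < length:
            break                      # truncated capture: stop rather than guess
        yield msg
        pos += 4 + length

def smb1_dialects(msg):
    """Dialect names offered in an SMBv1 NEGOTIATE request."""
    start = 33 + 2 * msg[32]           # skip 32-byte header, WordCount and its words
    (nbytes,) = struct.unpack_from("<H", msg, start)
    data = msg[start + 2:start + 2 + nbytes]
    # Each entry is 0x02, an ASCII name, then 0x00.
    return [d[1:].decode("ascii", "replace") for d in data.split(b"\x00") if d[:1] == b"\x02"]

def classify(msg):
    if msg[:4] == SMB2_MAGIC:
        return "smb2/3"
    if msg[:4] != SMB1_MAGIC or len(msg) < 35:
        return "other"
    if msg[4] == SMB1_COM_NEGOTIATE and not msg[9] & 0x80:    # request, not reply
        offers_smb2 = any(d.startswith("SMB 2") for d in smb1_dialects(msg))
        return "smb1-negotiate-offering-smb2" if offers_smb2 else "smb1-only-negotiate"
    return "smb1"

def smb1_talkers(streams):
    """Map each source to the SMBv1 message classes seen in its stream."""
    seen = {src: sorted({c for c in map(classify, frames(s)) if c.startswith("smb1")})
            for src, s in streams.items()}
    return {src: classes for src, classes in seen.items() if classes}

# Constructed sample traffic (built here, not captured from a real network).
def wrap(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def sample_negotiate(dialects):
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data      # WordCount 0, ByteCount, dialects
    return SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + bytes(27) + body

SAMPLE = {
    "10.0.0.11": wrap(sample_negotiate(["NT LM 0.12"])),
    "10.0.0.12": wrap(sample_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    "10.0.0.13": wrap(SMB2_MAGIC + bytes(60)),
}
```

Calling smb1_talkers(SAMPLE) reports only the first two sources; the third speaks SMBv2/v3 from its first message and is omitted.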

3.Which is the correct command to change the MAC address for an Ethernet adapter in a Unix-based
system?
A. ifconfig eth0 hw ether AA:BB:CC:DD:EE:FF
B. ifconfig eth0 hdw ether AA:BB:CC:DD:EE:FF
C. ifconfig eth0 hdwr ether AA:BB:CC:DD:EE:FF
D. ifconfig eth0 hwr ether AA:BB:CC:DD:EE:FF
Answer: A
Explanation:
In Unix-based systems (e.g., Linux), the ifconfig command is historically used to configure network
interfaces, including changing the Media Access Control (MAC) address of an Ethernet adapter. The
correct syntax to set a new MAC address for an interface like eth0 is ifconfig eth0 hw ether
AA:BB:CC:DD:EE:FF, where hw specifies the hardware address type (ether for Ethernet), followed by
the new MAC address in colon-separated hexadecimal format.
Why A is correct: The hw ether argument is the standard and correct syntax recognized by ifconfig to
modify the MAC address. This command temporarily changes the MAC address until the system
reboots or the interface is reset, assuming the user has sufficient privileges (e.g., root). CNSP
documentation on network configuration and spoofing techniques validates this syntax for testing
network security controls.
Why other options are incorrect:
B: hdw is not a valid argument; it’s a typographical error and unrecognized by ifconfig.
C: hdwr is similarly invalid; no such shorthand exists in the command structure.
D: hwr is incorrect; the full keyword hw followed by ether is required for proper parsing.
Reference: CNSP "Network Interface Configuration" (Section on MAC Address Manipulation)
confirms ifconfig eth0 hw ether as the standard command, noting its use in penetration testing for
spoofing scenarios.

4.What types of attacks are phishing, spear phishing, vishing, scareware, and watering hole?
A. Probes
B. Insider threats
C. Social engineering
D. Ransomware
Answer: C
Explanation:
Social engineering exploits human psychology to manipulate individuals into divulging sensitive
information, granting access, or performing actions that compromise security. Unlike technical
exploits, it targets the "human factor," often bypassing technical defenses.
The listed attacks fit this category:
Phishing: Mass, untargeted emails (e.g., fake bank alerts) trick users into entering credentials on
spoofed sites. Uses tactics like urgency or trust (e.g., typo squatting domains).
Spear Phishing: Targeted phishing against specific individuals/organizations (e.g., CEO fraud),
leveraging reconnaissance (e.g., LinkedIn data) for credibility.
Vishing (Voice Phishing): Phone-based attacks (e.g., fake tech support calls) extract info via verbal
manipulation. Often spoofs caller ID.
Scareware: Fake alerts (e.g., “Your PC is infected!” pop-ups) scare users into installing malware or
paying for bogus fixes. Exploits fear and urgency.
Watering Hole: Compromises trusted websites frequented by a target group (e.g., industry forums),
infecting visitors via drive-by downloads. Relies on habitual trust.
Technical Details:
Delivery: Email (phishing), VoIP (vishing), web (watering hole/scareware).
Payloads: Credential theft, malware (e.g., trojans), or financial fraud.
Mitigation: User training, email filters (e.g., DMARC), endpoint protection.
Security Implications: Social engineering accounts for ~90% of breaches (e.g., Verizon DBIR 2023),
as it exploits unpatchable human error. CNSP likely emphasizes awareness (e.g., phishing
simulations) and layered defenses (e.g., MFA).
Why other options are incorrect:
A. Probes: Reconnaissance techniques (e.g., port scanning) to identify vulnerabilities, not
manipulation-based like these attacks.
B. Insider threats: Malicious actions by authorized users (e.g., data theft by employees), not external
human-targeting tactics.
D. Ransomware: A malware type (e.g., WannaCry) that encrypts data for ransom, not a manipulation
method, though phishing often delivers it.
Real-World Context: The 2016 DNC hack used spear phishing to steal credentials, showing social
engineering’s potency.
Reference: CNSP Official Study Guide (Social Engineering Threats); NIST SP 800-50 (Security
Awareness Training).

5. None of the above: Incorrect, as B is a phishing email.


Conclusion: Email B is a phishing email due to its impersonation of Apple, generic greeting,
unsolicited verification request with a link, and use of urgency to prompt action. Since A is not shown
but implied to be non-phishing, the correct answer is "Only B."
Reference: CNSP "Social Engineering Attacks" (Section on Phishing Identification) lists key phishing
indicators such as impersonation, generic greetings, unsolicited links, and urgency, all of which are
present in email B. The section also contrasts phishing emails with legitimate communications,
emphasizing personalization and context as differentiators.

6.The application is showing a TLS error message as a result of a website administrator failing to
timely renew the TLS certificate. But upon deeper analysis, it appears that the problem is brought on
by the expiration of the TLS certificate.
Which of the following statements is correct?
A. The communication between the browser and the server is now no longer over TLS.
B. The communication between the browser and the server is still over TLS.
Answer: A
Explanation:
TLS (Transport Layer Security) secures communication (e.g., HTTPS) using certificates, per RFC
8446.
A certificate includes:
Validity Period: Start and end dates (e.g., "Not After: March 8, 2025").
Purpose: Authenticates the server and encrypts the session.
Scenario: An expired TLS certificate (e.g., past "Not After" date). Modern browsers (e.g., Chrome,
Firefox) validate certificates during the handshake:
ClientHello: Browser initiates TLS.
ServerHello: Server sends its certificate.
Validation: Browser checks expiration, CA trust, etc.
If expired, browsers reject the handshake, displaying errors (e.g.,
"NET::ERR_CERT_DATE_INVALID"). No session key is negotiated, and communication doesn’t
proceed over TLS. Users may bypass warnings (e.g., "Advanced > Proceed"), but this is unencrypted
or uses a fallback (not standard TLS), breaking security guarantees.
Security Implications: Expired certificates expose sites to MITM attacks, as trust is lost. CNSP likely
emphasizes certificate management (e.g., automation with Let’s Encrypt) to avoid this.
Why other options are incorrect:
B. The communication is still over TLS: False; an expired certificate halts the TLS handshake in
compliant browsers. Legacy systems might negotiate insecurely, but this isn’t "TLS" per standards.
Real-World Context: The 2019 Equifax breach partially stemmed from expired certificates missing
vulnerabilities.
Reference: CNSP Official Study Guide (TLS/SSL Security); RFC 8446 (TLS 1.3).
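
The expiration check in the validation step, and the certificate management it calls for, can be sketched as follows: the validity window of each certificate is compared with the current time, and a renewal queue is built before clients start rejecting the handshake. This is an added example, not part of the original document; the hostnames, dates, reference time and function names are constructed, and the certificate dicts follow the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
import socket
import ssl
from datetime import datetime, timezone

def when(cert_time):
    # getpeercert() renders dates as e.g. "Mar  8 12:00:00 2025 GMT".
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def validity_status(cert, now, warn_days=30):
    """Classify a getpeercert()-style dict against its validity window."""
    not_before, not_after = when(cert["notBefore"]), when(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid", (not_before - now).days
    if now > not_after:
        return "expired", (now - not_after).days
    days_left = (not_after - now).days
    return ("renew_soon" if days_left <= warn_days else "ok"), days_left

def renewal_queue(inventory, now, warn_days=30):
    """Hosts needing action: already-invalid certificates first, then soonest to expire."""
    rows = [(host, *validity_status(cert, now, warn_days)) for host, cert in inventory.items()]
    rows = [r for r in rows if r[1] != "ok"]
    return sorted(rows, key=lambda r: (r[1] == "renew_soon", r[2]))

def probe(host, port=443, timeout=5):
    """Live check (needs network): handshake with full verification, as a browser would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate surfaces here; the verifying client aborts the handshake.
        return "rejected", exc.verify_message

# Constructed inventory and reference time (hostnames are placeholders).
NOW = datetime(2025, 4, 10, tzinfo=timezone.utc)
INVENTORY = {
    "shop.example": {"notBefore": "Dec  8 12:00:00 2024 GMT", "notAfter": "Mar  8 12:00:00 2025 GMT"},
    "api.example": {"notBefore": "Feb  1 00:00:00 2025 GMT", "notAfter": "May  2 00:00:00 2025 GMT"},
    "intranet.example": {"notBefore": "Jan 10 00:00:00 2025 GMT", "notAfter": "Jan 10 00:00:00 2026 GMT"},
}

if __name__ == "__main__":
    for row in renewal_queue(INVENTORY, NOW):
        print(row)
```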

7.WannaCry, an attack, spread throughout the world in May 2017 using machines running on
outdated Microsoft operating systems.
What is WannaCry?
A. Ransomware
B. Malware
Answer: A
Explanation:
WannaCry is a ransomware attack that erupted in May 2017, infecting over 200,000 systems across
150 countries. It exploited the EternalBlue vulnerability (MS17-010) in Microsoft Windows SMBv1,
targeting unpatched systems (e.g., Windows XP, Server 2003). Developed by the NSA and leaked by
the Shadow Brokers, EternalBlue allowed remote code execution.
Ransomware Mechanics:
Encryption: WannaCry used RSA-2048 and AES-128 to encrypt files, appending extensions like
.wcry.
Ransom Demand: Displayed a message demanding $300-$600 in Bitcoin, leveraging a hardcoded
wallet.
Worm Propagation: Self-replicated via SMB, scanning internal and external networks, unlike typical
ransomware requiring user interaction (e.g., phishing).
Malware Context: While WannaCry is malware (malicious software), "ransomware" is the precise
subcategory, distinguishing it from viruses, trojans, or spyware. Malware is a broad term
encompassing any harmful code; ransomware specifically encrypts data for extortion. CNSP likely
classifies WannaCry as ransomware to focus on its payload and mitigation (e.g., patching, backups).
Why other options are incorrect:
B. Malware: Correct but overly generic. WannaCry’s defining trait is ransomware behavior, not just
maliciousness. Specificity matters in security taxonomy for threat response (e.g., NIST IR 8019).
Real-World Context: WannaCry crippled NHS hospitals, highlighting patch management’s criticality. A kill
switch (a domain sinkhole) halted it, but variants persist.
Reference: CNSP Official Study Guide (Malware and Exploits); Microsoft Security Bulletin MS17-010,
NIST IR 8019.

8.Which one of the following services is not a UDP-based protocol?


A. SNMP
B. NTP
C. IKE
D. SSH
Answer: D
Explanation:
Protocols are defined by their transport layer usage (TCP or UDP), impacting their security and
performance characteristics.
Why D is correct: SSH (Secure Shell) uses TCP (port 22) for reliable, connection-oriented
communication, unlike the UDP-based options. CNSP contrasts TCP and UDP protocol security.
Why other options are incorrect:
A: SNMP uses UDP (ports 161, 162) for lightweight network management.
B: NTP uses UDP (port 123) for time synchronization.
C: IKE (IPsec key exchange) uses UDP (ports 500, 4500).
Reference: CNSP "Network Protocols" (Section on Transport Layer) identifies SSH as TCP-based,
others as UDP.

9. Both A and B: Incorrect, as A is implied to be non-phishing based on the correct answer.

10.What user account is required to create a Golden Ticket in Active Directory?


A. Local User account
B. Domain User account
C. Service account
D. KRBTGT account
Answer: D
Explanation:
A Golden Ticket is a forged Kerberos Ticket-Granting Ticket (TGT) in Active Directory (AD), granting
an attacker unrestricted access to domain resources by impersonating any user (e.g., with Domain
Admin privileges). Kerberos, per RFC 4120, relies on the KRBTGT account (a built-in service account
on every domain controller) to encrypt and sign TGTs. To forge a Golden Ticket, an attacker needs:
The KRBTGT password hash (NTLM or Kerberos key), typically extracted from a domain controller’s
memory using tools like Mimikatz.
Additional domain details (e.g., SID, domain name).
Process:
Compromise a domain controller (e.g., via privilege escalation).
Extract the KRBTGT hash (e.g., lsadump::dcsync /user:krbtgt).
Forge a TGT with arbitrary privileges using the hash (e.g., Mimikatz’s kerberos::golden command).
The KRBTGT account itself isn’t "used" to create the ticket; its hash is the key ingredient. Unlike
legitimate TGTs issued by the KDC, a Golden Ticket bypasses authentication checks, persisting until
the KRBTGT password is reset (a rare event in most environments). CNSP likely highlights this as a
high-severity AD attack vector.
Why other options are incorrect:
A. Local User account: Local accounts are machine-specific, lack domain privileges, and can’t
access the KRBTGT hash stored on domain controllers.
B. Domain User account: A standard user has no inherent access to domain controller credentials or
the KRBTGT hash without escalation.
C. Service account: While service accounts may have elevated privileges, they don’t automatically
provide the KRBTGT hash unless compromised to domain admin level, which is still insufficient without
targeting KRBTGT specifically.
Real-World Context: The 2014 Sony Pictures hack leveraged Golden Tickets, emphasizing the need
for KRBTGT hash rotation post-breach (a complex remediation step).
Reference: CNSP Official Study Guide (Active Directory Attacks); RFC 4120 (Kerberos), Microsoft AD
Security Guidelines.
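
Because a forged TGT is never issued by the KDC, one hunting heuristic is to look for service-ticket requests (event 4769) from an account with no successful TGT request (event 4768) inside the ticket lifetime; hits are leads for triage, since ticket renewals and gaps in log collection produce them too. The following is an added example, not part of the original document. The events are constructed, the record layout is reduced to the fields the check reads, and the 10-hour lifetime assumes the default domain policy.

```python
from datetime import datetime, timedelta

# Assumption: default domain policy "Maximum lifetime for user ticket" (10 hours).
TGT_LIFETIME = timedelta(hours=10)

def account(name):
    # 4768 records "alice"; 4769 records "alice@CORP.EXAMPLE".
    return name.split("@", 1)[0].lower()

def tgs_without_tgt(events, lifetime=TGT_LIFETIME):
    """Return (user, ip, service, time) for each 4769 that has no successful
    4768 for the same account in the preceding `lifetime`."""
    events = sorted(events, key=lambda e: e["time"])
    if not events:
        return []
    # A TGT issued before collection started is invisible, so 4769s in the
    # first `lifetime` of the log cannot be judged and are skipped.
    judge_from = events[0]["time"] + lifetime
    last_tgt, findings = {}, []
    for ev in events:
        user = account(ev["TargetUserName"])
        if ev["EventID"] == 4768 and ev["Status"] == "0x0":
            last_tgt[user] = ev["time"]
        elif ev["EventID"] == 4769 and ev["time"] >= judge_from:
            issued = last_tgt.get(user)
            if issued is None or ev["time"] - issued > lifetime:
                findings.append((user, ev["IpAddress"], ev["ServiceName"], ev["time"]))
    return findings

def sample_event(event_id, hhmm, user, ip, service, status="0x0"):
    # Constructed sample record, not taken from a real event log.
    return {"EventID": event_id, "time": datetime.fromisoformat(f"2025-03-01T{hhmm}"),
            "TargetUserName": user, "IpAddress": ip, "ServiceName": service, "Status": status}

SAMPLE_EVENTS = [
    sample_event(4768, "08:00", "alice", "10.0.0.21", "krbtgt"),
    sample_event(4769, "08:05", "alice@CORP.EXAMPLE", "10.0.0.21", "FS01$"),
    sample_event(4769, "09:00", "bob@CORP.EXAMPLE", "10.0.0.22", "WIKI01$"),   # too early to judge
    sample_event(4768, "17:50", "alice", "10.0.0.21", "krbtgt"),
    sample_event(4769, "19:30", "alice@CORP.EXAMPLE", "10.0.0.21", "FS01$"),   # covered by 17:50 TGT
    sample_event(4769, "20:00", "carol@CORP.EXAMPLE", "10.0.0.66", "DC01$"),   # no TGT on record
]

if __name__ == "__main__":
    for hit in tgs_without_tgt(SAMPLE_EVENTS):
        print(hit)
```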
