Curious about Actual The SecOps Group CNSP Certification (CNSP) Exam Questions?

Correct : A

EternalBlue (MS17-010) is an exploit targeting a buffer overflow in Microsoft's SMB (Server Message Block) implementation, leaked by the Shadow Brokers in 2017. SMB enables file/printer sharing:

SMBv1 (1980s): Legacy, used in Windows NT/XP.

SMBv2 (2006, Vista): Enhanced performance/security.

SMBv3 (2012, Windows 8): Adds encryption, multichannel.

Vulnerability:

EternalBlue exploits a flaw in SMBv1's SRVNET driver (srv.sys), allowing remote code execution via crafted packets. Microsoft patched it in March 2017 (MS17-010).

Affected OS: Windows XP to Server 2016 (pre-patch), if SMBv1 enabled.

Proof: WannaCry/NotPetya used it, targeting port 445/TCP.

SMBv1 Only: The bug resides in SMBv1's packet handling (e.g., TRANS2 requests). SMBv2/v3 rewrote this code, immune to the specific overflow.

Microsoft: Post-patch, SMBv1 is disabled by default (Windows 10 1709+).

Security Implications: CNSP likely stresses disabling SMBv1 (e.g., via Group Policy) and patching, as EternalBlue remains a threat in legacy environments.

Why other options are incorrect:

B, C: SMBv2/v3 aren't vulnerable; the flaw is SMBv1-specific.

D: SMBv2 isn't affected, only SMBv1.

Real-World Context: WannaCry's 2017 rampage hit unpatched SMBv1 systems (e.g., NHS), costing billions.

Correct : B

In Windows, security principals (users, groups) are identified by a Security Identifier (SID), formatted as S-1--<domain>-<RID>. The RID (Relative Identifier) is the final component, unique within a domain or machine. For local accounts:

RID 500: Assigned to the built-in Administrator account on every Windows machine (e.g., S-1-5-21-<machine>-500).

Created during OS install, with full system privileges.

Disabled by default in newer Windows versions (e.g., 10/11) unless explicitly enabled.

RID 501: Guest account (e.g., S-1-5-21-<machine>-501), limited access.

Technical Details:

Stored in SAM (C:\Windows\System32\config\SAM).

Enumeration: Tools like wmic useraccount or net user reveal RIDs.

Domain Context: Domain Admins use RID 512, but the question specifies a local machine.

Security Implications: RID 500 is a prime target for brute-forcing or pass-the-hash attacks (e.g., Mimikatz). CNSP likely advises renaming/disabling it (e.g., via GPO).

Why other options are incorrect:

A . 0: Reserved (e.g., Null SID, S-1-0-0), not a user RID.

C . 501: Guest, not Administrator.

D . 100: Invalid; local user RIDs start at 1000 (e.g., custom accounts).

Real-World Context: Post-compromise, attackers query RID 500 (e.g., net user Administrator) for privilege escalation.

Correct : C

An IP address with a /18 prefix (CIDR notation) indicates 18 network bits in the subnet mask, leaving 14 host bits (32 total bits - 18). For IPv4 (e.g., 192.168.0.1):

Binary Mask: First 18 bits are 1s, rest 0s.

1st octet: 11111111 (255)

2nd octet: 11111111 (255)

3rd octet: 11000000 (192)

4th octet: 00000000 (0)

Decimal: 255.255.192.0

Calculation:

Bits: /18 = 2^14 hosts (16,384), minus 2 (network/broadcast) = 16,382 usable.

Range: 192.168.0.0--192.168.63.255 (3rd octet: 0--63, as 192 = 11000000 covers 6 bits).

Technical Details:

Subnet masks align on octet boundaries or mid-octet (e.g., 192 = 2^7 + 2^6).

Contrast: /24 = 255.255.255.0 (256 hosts), /16 = 255.255.0.0 (65,536 hosts).

Security Implications: Larger subnets (e.g., /18) increase broadcast domains, risking amplification attacks. CNSP likely teaches subnetting for segmentation (e.g., VLANs).

Why other options are incorrect:

A . 255.255.255.0: /24 (8 host bits), not /18.

B . 255.225.225.0: Invalid mask (225 = 11100001, non-contiguous 1s).

D . 255.225.192.0: Invalid (225 breaks binary sequence).

Real-World Context: Subnetting 192.168.0.0/18 isolates departments in enterprise networks.

Correct : D

ICMP (Internet Control Message Protocol), per RFC 792, handles diagnostics (e.g., ping) and errors in IP networks. It's exploitable in:

A . Ping of Death:

Method: Sends oversized ICMP Echo Request packets (>65,535 bytes) via fragmentation. Reassembly overflows buffers, crashing older systems (e.g., Windows 95).

Fix: Modern OSes cap packet size (e.g., ping -s 65500).

B . Smurf Attack:

Method: Spoofs ICMP Echo Requests to a network's broadcast address (e.g., 192.168.255.255). All hosts reply, flooding the victim.

Amplification: 100 hosts = 100x traffic.

C . ICMP Flooding:

Method: Overwhelms a target with ICMP Echo Requests (e.g., ping -f), consuming bandwidth/CPU.

Variant: BlackNurse attack targets firewalls.

Technical Details:

ICMP Type 8 (Echo Request), Type 0 (Echo Reply) are key.

Mitigation: Rate-limit ICMP, disable broadcasts (e.g., no ip directed-broadcast).

Security Implications: ICMP attacks are DoS vectors. CNSP likely teaches filtering (e.g., iptables -p icmp -j DROP) balanced with diagnostics need.

Why other options are incorrect:

A, B, C individually: All are ICMP-based; D is comprehensive.

Real-World Context: Smurf attacks peaked in the 1990s; modern routers block them by default.

Correct : C

A Silver Ticket is a forged Kerberos Service Ticket (TGS - Ticket Granting Service) in Active Directory, granting access to a specific service (e.g., MSSQL, CIFS) without KDC interaction. Unlike a Golden Ticket (TGT forgery), it requires:

Service Account's NTLM Hash: The target service's account (e.g., MSSQLSvc) hash, not a ticket.

Forgery: Tools like Mimikatz craft the TGS (e.g., kerberos::golden /service:<spn> /user:<user> /ntlm:<hash>).

Kerberos Flow (RFC 4120):

TGT (Ticket-Granting Ticket): Obtained via AS (Authentication Service) with user creds.

TGS: Requested from TGS (Ticket Granting Service) using TGT for service access.

Silver Ticket Process:

No TGT needed; the attacker mimics the TGS step using the service account's stolen hash (e.g., from a compromised host).

C . Service Account Ticket: Misnomer---it's the hash of the service account (e.g., MSSQLSvc) that enables forgery, not a pre-existing ticket. CNSP's phrasing likely tests this nuance.

Security Implications: Silver Tickets are stealthier than Golden Tickets (service-specific, shorter-lived). CNSP likely stresses hash protection (e.g., LAPS) and Kerberos monitoring.

Why other options are incorrect:

A . Session Ticket: Not a Kerberos term; confuses session keys.

B . TGT: Used for Golden Tickets, not Silver.

D: Incorrect; the service account's hash (implied by ''ticket'') is essential.

Real-World Context: Silver Tickets exploited in APT29 attacks (2020 SolarWinds) for lateral movement.