Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. The SecOps Group
  5. CNSP

The SecOps Group CNSP Exam
Certified Network Security Practitioner (Page 3 )

Updated On: 12-Jan-2026
Page 3 of 16
PDF with 60 Questions

What ports does an MSSQL server typically use?

  1. 1433/TCP, 2433/UDP, and 3433/TCP
  2. 1433/TCP, 1434/UDP, and 1434/TCP
  3. 1433/TCP, 2433/UDP, and 1434/TCP
  4. 1533/TCP, 1434/UDP, and 2434/TCP

Answer(s): B

Explanation:

Microsoft SQL Server (MSSQL) relies on specific ports for its core services, as defined by Microsoft and registered with IANA:
1433/TCP: The default port for the SQL Server Database Engine. Clients connect here for querying databases (e.g., via ODBC or JDBC). It's a well-known port, making it a frequent target for attacks if exposed.
1434/UDP: Used by the SQL Server Browser Service, which listens for incoming requests and redirects clients to the correct port/instance (especially for named instances). It's critical for discovering dynamic ports when 1433 isn't used.
1434/TCP: Less commonly highlighted but used in some configurations, such as dedicated admin connections (DAC) or when the Browser Service responds over TCP for specific instances.
While 1433/TCP is the primary engine port, 1434/TCP can be involved in multi-instance setups.
Technical Details:
Ports can be customized (e.g., via SQL Server Configuration Manager), but these are defaults. Named instances often use dynamic ports (allocated from the ephemeral range), with the Browser Service (1434/UDP) guiding clients to them.
Firewalls must allow these ports for MSSQL to function externally, posing risks if not secured (e.g., brute-force attacks on 1433/TCP).

Security Implications: CNSP likely covers MSSQL port security, as vulnerabilities like SQL Slammer (2003) exploited 1434/UDP misconfigurations. Hardening includes restricting access, changing defaults, and monitoring traffic.
Why other options are incorrect:
A . 1433/TCP, 2433/UDP, 3433/TCP: 2433/UDP and 3433/TCP are not MSSQL standards; they're likely typos or unrelated ports.
C . 1433/TCP, 2433/UDP, 1434/TCP: 2433/UDP is incorrect; 1434/UDP is the Browser Service port. D . 1533/TCP, 1434/UDP, 2434/TCP: 1533/TCP and 2434/TCP aren't associated with MSSQL; they deviate from documented defaults.
Real-World Context: Tools like netstat -an | find "1433" on Windows confirm MSSQL's port usage during audits.


Reference:

CNSP Official Documentation (Database Security and Ports); Microsoft SQL Server

Documentation, IANA Port Registry.



What user account is required to create a Golden Ticket in Active Directory?

  1. Local User account
  2. Domain User account
  3. Service account
  4. KRBTGT account

Answer(s): D

Explanation:

A Golden Ticket is a forged Kerberos Ticket-Granting Ticket (TGT) in Active Directory (AD), granting an attacker unrestricted access to domain resources by impersonating any user (e.g., with Domain Admin privileges). Kerberos, per RFC 4120, relies on the KRBTGT account--a built-in service account on every domain controller--to encrypt and sign TGTs. To forge a Golden Ticket, an attacker needs:
The KRBTGT password hash (NTLM or Kerberos key), typically extracted from a domain controller's memory using tools like Mimikatz.
Additional domain details (e.g., SID, domain name).
Process:
Compromise a domain controller (e.g., via privilege escalation). Extract the KRBTGT hash (e.g., lsadump::dcsync /user:krbtgt). Forge a TGT with arbitrary privileges using the hash (e.g., Mimikatz's kerberos::golden command). The KRBTGT account itself isn't "used" to create the ticket; its hash is the key ingredient. Unlike legitimate TGTs issued by the KDC, a Golden Ticket bypasses authentication checks, persisting until the KRBTGT password is reset (a rare event in most environments). CNSP likely highlights this as a high-severity AD attack vector.
Why other options are incorrect:
A . Local User account: Local accounts are machine-specific, lack domain privileges, and can't access the KRBTGT hash stored on domain controllers.
B . Domain User account: A standard user has no inherent access to domain controller credentials or the KRBTGT hash without escalation.

C . Service account: While service accounts may have elevated privileges, they don't automatically provide the KRBTGT hash unless compromised to domain admin level--still insufficient without targeting KRBTGT specifically.
Real-World Context: The 2014 Sony Pictures hack leveraged Golden Tickets, emphasizing the need for KRBTGT hash rotation post-breach (a complex remediation step).


Reference:

CNSP Official Study Guide (Active Directory Attacks); RFC 4120 (Kerberos), Microsoft AD Security Guidelines.



On a Microsoft Windows Operating System, what does the following command do? net localgroup administrators

  1. List domain admin users for the current domain
  2. Displays the local administrators group on the computer

Answer(s): B

Explanation:

The net command in Windows is a legacy tool for managing users, groups, and network resources. The subcommand net localgroup <groupname> displays information about a specified local group on the machine where it's run. Specifically:
net localgroup administrators lists all members (users and groups) of the local Administrators group on the current computer.
The local Administrators group grants elevated privileges (e.g., installing software, modifying system files) on that machine only, not domain-wide.
Output Example:

Alias name administrators
Comment Administrators have complete and unrestricted access to the computer Members
------------------------------------------------------------------------------- Administrator
Domain Admins
The command completed successfully.

Technical Details:
Local groups are stored in the Security Accounts Manager (SAM) database (e.g.,
C:\Windows\System32\config\SAM).
This differs from domain groups (e.g., Domain Admins), managed via Active Directory. Security Implications: Enumerating local admins is a reconnaissance step in penetration testing (e.g., to escalate privileges). CNSP likely covers this command for auditing and securing Windows systems.
Why other options are incorrect:
A . List domain admin users for the current domain: This requires net group "Domain Admins" /domain, which queries the domain controller, not the local SAM. net localgroup is strictly local.

Real-World Context: Attackers use this command post-compromise (e.g., via PsExec) to identify privilege escalation targets.


Reference:

CNSP Official Documentation (Windows Security Commands); Microsoft Windows Command-Line Reference.



Which of the following files has the SUID permission set? -rwxr-sr-x 1 root root 4096 Jan 1 00:00 myfile
-rwsr-xr-x 1 root root 4896 Jan 1 08:00 myprogram
-rw-r--r-s 1 root root 4096 Jan 1 00:00 anotherfile

  1. myfile
  2. myprogram
  3. anotherfile
  4. All of the above

Answer(s): B

Explanation:

In Linux/Unix, file permissions are displayed in a 10-character string (e.g., -rwxr-xr-x), where the first character is the file type (- for regular files) and the next nine are permissions for user (owner), group, and others (rwx = read, write, execute). Special bits like SUID (Set User ID) modify execution behavior:
SUID: When set, a program runs with the owner's permissions (e.g., root) rather than the executor's. It's denoted by an s in the user execute position (replacing x if executable, or capitalized S if not).
Analysis:
-rwxr-sr-x (myfile): User: rwx, Group: r-s (SGID), Others: r-x. The s is in the group execute position, indicating SGID, not SUID.
-rwsr-xr-x (myprogram): User: rws (SUID), Group: r-x, Others: r-x. The s in the user execute position confirms SUID; owned by root, it runs as root.
-rw-r--r-s (anotherfile): User: rw-, Group: r--, Others: r-s. The s is in the others execute position, but no x exists, making it irrelevant (and not SUID). Typically, s here would be a sticky bit on directories, not files.
Security Implications: SUID binaries (e.g., /usr/bin/passwd) are common targets for privilege escalation if misconfigured (e.g., writable by non-root users). CNSP likely emphasizes auditing SUID permissions with find / -perm -u=s.
Why other options are incorrect:
A . myfile: Has SGID (s in group), not SUID.
C . anotherfile: The s doesn't indicate SUID; it's a misapplied bit without execute permission.
D . All of the above: Only myprogram has SUID.
Real-World Context: Exploiting SUID binaries is a classic Linux attack vector (e.g., CVE-2016-1247 for Nginx).


Reference:

CNSP Official Study Guide (Linux Permissions); Linux File System Documentation.



Viewing page 3 of 16
Viewing questions 9 - 12 out of 60 questions



Post your Comments and Discuss The SecOps Group CNSP exam prep with other Community members:

Join the CNSP Discussion