매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
Certified Network Security Practitioner (CNSP) 온라인 연습
최종 업데이트 시간: 2025년05월04일
당신은 온라인 연습 문제를 통해 The SecOps Group CNSP 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.
시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 CNSP 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 60개의 시험 문제와 답을 포함하십시오.
정답:
Explanation:
SSH (Secure Shell), per RFC 4251, uses asymmetric cryptography (e.g., RSA, ECDSA) for secure authentication:
Key Pair:
Public Key: Freely shareable, used to encrypt or verify.
Private Key: Secret, used to decrypt or sign.
Process:
User generates a key pair (e.g., ssh-keygen -t rsa -b 4096).
Public Key is uploaded to the server, appended to ~/.ssh/authorized_keys (e.g., via ssh-copy-id).
Private Key (e.g., ~/.ssh/id_rsa) stays on the user’s machine.
Authentication: Client signs a challenge with the private key; server verifies it with the public key.
Technical Details:
Protocol: SSH-2 (RFC 4253) uses a Diffie-Hellman key exchange, then public-key auth.
Files: authorized_keys (server, 0644 perms), private key (client, 0600 perms).
Security: Private key exposure compromises all systems trusting the public key.
Security Implications: CNSP likely stresses key management (e.g., passphrases, rotation) and server-
side authorized_keys hardening (e.g., PermitRootLogin no).
Why other options are incorrect:
B: Uploading the private key reverses the model, breaking security―anyone with the server’s copy could authenticate as the user. Asymmetric crypto relies on the private key remaining secret. Real-World Context: GitHub uses SSH public keys for repository access, with private keys on user devices.
Reference: CNSP Official Documentation (SSH Security); RFC 4253 (SSH Authentication Protocol).
정답:
Explanation:
In Linux, the SGID (Set Group ID) bit alters execution or directory behavior:
On executables: Runs with the group owner’s permissions (e.g., s in group execute position).
On directories: New files inherit the directory’s group ownership.
Notation: s in group execute field (e.g., -rwxr-sr-x), or S if no execute (e.g., -rwxr-Sr-x).
Analysis:
-rwxr-sr-x (myfile): User: rwx, Group: r-s (SGID), Others: r-x. The s in group execute confirms SGID.
-rwsr-xr-x (myprogram): User: rws (SUID), Group: r-x, Others: r-x. The s is in user execute, not group―no SGID.
-rw-r--r-s (anotherfile): User: rw-, Group: r--, Others: r-s. The s is in others execute, but no x exists, rendering it meaningless (not SGID; could be a typo or sticky bit misapplied).
Security Implications: SGID executables (e.g., /usr/bin/wall) or directories (e.g., /var/local) manage group access. Misuse risks privilege escalation. CNSP likely teaches auditing with find / -perm -g=s.
Why other options are incorrect:
B: SUID, not SGID.
C: No valid SGID; s in others is irrelevant without execute.
D: Only A has SGID.
Real-World Context: SGID on /var/mail ensures mail files inherit the mail group.
Reference: CNSP Official Study Guide (Linux Permissions); Linux File System Documentation.
정답:
Explanation:
SSL/TLS protocols secure network communication, but older versions have vulnerabilities:
SSLv2 (1995): Weak ciphers, no handshake integrity (e.g., MITM via DROWN attack, CVE-2016-0800).
Deprecated by RFC 6176 (2011).
SSLv3 (1996): Vulnerable to POODLE (CVE-2014-3566), weak block ciphers (e.g., RC4). Deprecated by RFC 7568 (2015).
TLSv1.0 (1999, RFC 2246): Inherits SSLv3 flaws (e.g., BEAST, CVE-2011-3389), weak CBC ciphers.
Deprecated by PCI DSS (2018) and RFC 8996 (2021).
TLSv1.1 (2006, RFC 4346): Improved over 1.0 but lacks modern cipher suites (e.g., AEAD). Deprecated with 1.0 by RFC 8996.
TLSv1.2 (2008, RFC 5246): Secure with strong ciphers (e.g., AES-GCM), widely used today.
TLSv1.3 (2018, RFC 8446): Latest, removes legacy weaknesses, mandatory forward secrecy.
Answer. C (A and B)―SSLv2, SSLv3, TLSv1.0, and TLSv1.1 are unsafe due to exploitable flaws. TLSv1.2 and 1.3 remain secure. CNSP likely aligns with IETF/PCI standards,
mandating modern versions.
Why other options are incorrect:
A: Correct but incomplete without B.
B: Correct but incomplete without A.
D: Incorrectly includes TLSv1.2 and 1.3, which are secure and recommended. Real-World Context: POODLE forced mass SSLv3 disablement in 2014; TLS 1.0/1.1 deprecation hit legacy systems in 2021.
Reference: CNSP Official Documentation (Cryptographic Protocols); RFC 8996 (TLS Deprecation).
정답:
Explanation:
TLS (Transport Layer Security) secures communication (e.g., HTTPS) using certificates, per RFC 8446.
A certificate includes:
Validity Period: Start and end dates (e.g., "Not After: March 8, 2025").
Purpose: Authenticates the server and encrypts the session.
Scenario: An expired TLS certificate (e.g., past "Not After" date). Modern browsers (e.g., Chrome, Firefox) validate certificates during the handshake: ClientHello: Browser initiates TLS.
ServerHello: Server sends its certificate.
Validation: Browser checks expiration, CA trust, etc.
If expired, browsers reject the handshake, displaying errors (e.g., "NET::ERR_CERT_DATE_INVALID"). No session key is negotiated, and communication doesn’t proceed over TLS. Users may bypass warnings (e.g., "Advanced > Proceed"), but this is unencrypted or uses a fallback (not standard TLS), breaking security guarantees.
Security Implications: Expired certificates expose sites to MITM attacks, as trust is lost. CNSP likely emphasizes certificate management (e.g., automation with Let’s Encrypt) to avoid this.
Why other options are incorrect:
B. The communication is still over TLS: False; an expired certificate halts the TLS handshake in compliant browsers. Legacy systems might negotiate insecurely, but this isn’t "TLS" per standards. Real-World Context: The 2019 Equifax breach partially stemmed from expired certificates missing vulnerabilities.
Reference: CNSP Official Study Guide (TLS/SSL Security); RFC 8446 (TLS 1.3).
정답:
Explanation:
TCP’s three-way handshake, per RFC 793, establishes a connection:
Client → Server: SYN (Synchronize) packet (e.g., port 80).
Server → Client: SYN-ACK (Synchronize-Acknowledge) packet if the port is open and listening.
Client → Server: ACK (Acknowledge) completes the connection.
Scenario: An open TCP port (e.g., 80 for HTTP) with no firewall. When a client sends a SYN to an open port (e.g., via telnet 192.168.1.1 80), the server responds with a SYN-ACK packet, indicating willingness to connect. No firewall means no filtering alters this standard response. Packet Details:
SYN-ACK: Sets SYN and ACK flags in the TCP header, with a sequence number and acknowledgment number.
Example: Client SYN (Seq=100), Server SYN-ACK (Seq=200, Ack=101).
Security Implications: Open ports responding with SYN-ACK are easily detected (e.g., Nmap “open” state), inviting exploits if unneeded (e.g., Telnet on 23). CNSP likely stresses port minimization and monitoring.
Why other options are incorrect:
A. A FIN and an ACK packet: FIN-ACK closes an established connection, not a response to a new SYN.
B. A SYN packet: SYN initiates a connection from the client, not a server response.
D. A RST and an ACK packet: RST-ACK rejects a connection (e.g., closed port), not an open one.
Real-World Context: SYN-ACK from SSH (22/TCP) confirms a server’s presence during reconnaissance.
Reference: CNSP Official Documentation (TCP/IP Fundamentals); RFC 793 (TCP).
정답:
Explanation:
The Management Information Base (MIB) is a structured database defining manageable objects (e.g., CPU usage, interface status) in a network device. It’s part of the SNMP (Simple Network Management Protocol) framework, per RFC 1157, used for monitoring and managing network devices (e.g., routers, switches).
SNMP Mechanics:
MIB Structure: Hierarchical, with Object Identifiers (OIDs) like 1.3.6.1.2.1.1.1.0 (sysDescr).
Versions: SNMPv1, v2c (community strings), v3 (encrypted).
Ports: UDP 161 (agent), 162 (traps).
Operation: Agents expose MIB data; managers (e.g., Nagios) query it via GET/SET commands.
MIB files (e.g., IF-MIB, HOST-RESOURCES-MIB) are vendor-specific or standardized, parsed by SNMP tools (e.g., snmpwalk). CNSP likely covers SNMP for network monitoring and securing it against enumeration (e.g., weak community strings like "public").
Why other options are incorrect:
A. SMTP (Simple Mail Transfer Protocol): Email delivery (TCP 25), unrelated to MIB or device management.
C. NTP (Network Time Protocol): Time synchronization (UDP 123), not MIB-related.
D. TACACS (Terminal Access Controller Access-Control System): Authentication/authorization (TCP 49), not MIB management.
Real-World Context: SNMP misconfiguration led to the 2018 Cisco switch exploits via exposed MIB data.
Reference: CNSP Official Study Guide (Network Monitoring Protocols); RFC 1157 (SNMP).
정답:
Explanation:
UDP (User Datagram Protocol), per RFC 768, is connectionless, lacking TCP’s handshake or acknowledgment mechanisms. When a UDP packet reaches a port:
Closed Port: The host typically sends an ICMP "Destination Port Unreachable" (Type 3, Code 3) unless suppressed (e.g., by firewall or OS settings).
Open Port: If a service is listening (e.g., DNS on 53/UDP), it processes the packet but doesn’t inherently reply unless the application protocol requires it (e.g., DNS sends a response).
Scenario: An open UDP port behind a firewall, with the firewall rule allowing traffic (e.g., permit udp any host 10.0.0.1 eq 123). The packet reaches the service, but UDP itself doesn’t mandate a response. Most services (e.g., NTP, SNMP) only reply if the packet matches an expected request. In this question’s generic context (no specific service), no response is the default, as the firewall permits the packet, and the open port silently accepts it without feedback.
Security Implications: This silence makes UDP ports harder to scan (e.g., Nmap assumes "open|filtered" for no response), but exposed open ports risk amplification attacks (e.g., DNS reflection). CNSP likely contrasts UDP’s behavior with TCP for firewall rule crafting.
Why other options are incorrect:
A. ICMP message showing Port Unreachable: Occurs for closed ports, not open ones, unless the service explicitly rejects the packet (rare).
C. A SYN Packet: SYN is TCP-specific (handshake initiation), irrelevant to UDP.
D. A FIN Packet: FIN is TCP-specific (connection closure), not UDP. Real-World Context: Testing UDP 53 (DNS) with dig @8.8.8.8 +udp yields a response, but generic UDP probes (e.g., nc -u) often get silence.
Reference: CNSP Official Documentation (UDP and Firewall Behavior); RFC 768 (UDP).
정답:
Explanation:
WannaCry is a ransomware attack that erupted in May 2017, infecting over 200,000 systems across 150 countries. It exploited the EternalBlue vulnerability (MS17-010) in Microsoft Windows SMBv1, targeting unpatched systems (e.g., Windows XP, Server 2003). Developed by the NSA and leaked by the Shadow Brokers, EternalBlue allowed remote code execution.
Ransomware Mechanics:
Encryption: WannaCry used RSA-2048 and AES-128 to encrypt files, appending extensions like .wcry.
Ransom Demand: Displayed a message demanding $300C$600 in Bitcoin, leveraging a hardcoded wallet.
Worm Propagation: Self-replicated via SMB, scanning internal and external networks, unlike typical ransomware requiring user interaction (e.g., phishing).
Malware Context: While WannaCry is malware (malicious software), "ransomware" is the precise subcategory, distinguishing it from viruses, trojans, or spyware. Malware is a broad term encompassing any harmful code; ransomware specifically encrypts data for extortion. CNSP likely classifies WannaCry as ransomware to focus on its payload and mitigation (e.g., patching, backups).
Why other options are incorrect:
B. Malware: Correct but overly generic. WannaCry’s defining trait is ransomware behavior, not just maliciousness. Specificity matters in security taxonomy for threat response (e.g., NIST IR 8019). Real-World Context: WannaCry crippled NHS hospitals, highlighting patch management’s criticality. A kill switch (a domain sinkhole) halted it, but variants persist.
Reference: CNSP Official Study Guide (Malware and Exploits); Microsoft Security Bulletin MS17-010, NIST IR 8019.
정답:
Explanation:
An IPv6 address, defined in RFC 4291, is a 128-bit address designed to replace IPv4’s 32-bit scheme, vastly expanding address space (2^128 vs. 2^32). An octet is 8 bits (1 byte). To calculate octets in IPv6:
128 bits ÷ 8 bits/octet = 16 octets.
Representation:
IPv6 is written as eight 16-bit hexadecimal blocks (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334), separated by colons.
Each block is 16 bits (2 bytes), so 8 blocks = 16 octets.
Contrast with IPv4 (e.g., 192.168.0.1), which has 4 octets (32 bits).
Technical Note: Your original input flagged this question’s phrasing as potentially misleading, suggesting "octets" is an IPv4 term, while IPv6 uses "16-bit groups" or "hextets." While technically accurate (RFC 4291 uses "16-bit blocks"), "octets" remains a common, if informal, term in security contexts for byte-wise analysis (e.g., packet crafting). CNSP might use "octets" to test byte-level understanding, though "groups" is more precise for IPv6. Here, 16 octets (128 bits) is correct either way.
Security Implications: IPv6’s larger address space complicates scanning (e.g., Nmap struggles with 2^128 possibilities) but introduces risks like misconfigured Neighbor Discovery Protocol (NDP). Understanding its structure aids in firewall rules and IDS signatures.
Why other options are incorrect:
B. 32: Implies 256 bits (32 × 8), far exceeding IPv6’s 128-bit design.
C. 64: Suggests 512 bits (64 × 8), unrelated to IPv6 or any IP standard.
D. 128: Misinterprets octets as bits; 128 bits = 16 octets, not 128 octets. Real-World Context: IPv6 packet analysis (e.g., Wireshark) breaks addresses into 16 octets for raw data inspection.
Reference: CNSP Official Documentation (IPv6 Networking); RFC 4291 (IP Version 6 Addressing Architecture).
정답:
Explanation:
The Windows Registry is a hierarchical database storing configuration settings for the operating system, applications, and hardware. It’s physically stored as hive files on disk, located in the directory C:\Windows\System32\Config. These files are loaded into memory at boot time and managed by the Windows kernel.
Key hive files include:
SYSTEM: Contains hardware and system configuration (e.g., drivers, services).
SOFTWARE: Stores software settings.
SAM: Security Accounts Manager data (e.g., local user accounts, passwords).
SECURITY: Security policies and permissions.
DEFAULT: Default user profile settings.
USERDIFF and user-specific hives (e.g., NTUSER.DAT in C:\Users<username>) for individual profiles,
though these are linked to Config indirectly.
Technical Details:
Path: C:\Windows\System32\Config is the primary location for system-wide hives. Files lack extensions (e.g., "SYSTEM" not "SYSTEM.DAT") and are backed by transaction logs (e.g., SYSTEM.LOG) for recovery.
Access: Direct file access is restricted while Windows runs, as the kernel locks them. Tools like reg save or offline forensic utilities (e.g., RegRipper) can extract them.
Backup: Copies may exist in C:\Windows\System32\config\RegBack (pre-Windows 10 1803) or repair folders (e.g., C:\Windows\Repair).
Security Implications: The registry is a prime target for attackers (e.g., persistence via Run keys) and malware (e.g., WannaCry modified registry entries). CNSP likely emphasizes securing this directory (e.g., NTFS permissions) and auditing changes (e.g., via Event Viewer, Event ID 4657). Compromising these files offline (e.g., via physical access) can extract password hashes from SAM.
Why other options are incorrect:
A. C:\Windows\debug: Used for debug logs (e.g., memory.dmp) or tools like DebugView, not registry hives. It’s unrelated to core configuration storage.
C. C:\Windows\security: Contains security-related files (e.g., audit logs, policy templates), but not the registry hives themselves.
D. All of the above: Only B is correct; including A and C dilutes accuracy. Real-World Context: Forensic analysts target C:\Windows\System32\Config during investigations (e.g., parsing SAM with Mimikatz offline).
Reference: CNSP Official Study Guide (Windows Security Architecture); Microsoft Windows Registry Documentation.
정답:
Explanation:
TCP (Transmission Control Protocol) ensures reliable, ordered data delivery via a connection-oriented handshake, contrasting with UDP’s lightweight, connectionless approach.
Analyzing each service:
C. HTTP (Hypertext Transfer Protocol): Uses TCP (port 80) for web traffic. TCP’s reliability ensures HTML, images, etc., arrive intact. HTTPS (TCP 443) extends this with TLS. RFC 2616 mandates TCP.
A. SNMP (Simple Network Management Protocol): Defaults to UDP (port 161) for monitoring devices. UDP’s speed suits its lightweight queries, though TCP variants exist (rarely used).
B. NTP (Network Time Protocol): Uses UDP (port 123) per RFC 5905. UDP minimizes latency for time
sync, tolerating occasional packet loss.
D. IKE (Internet Key Exchange): Part of IPsec, uses UDP (port 500) per RFC 7296. UDP suits its negotiation phase; TCP isn’t standard.
Security Implications: TCP services like HTTP are more prone to state-based attacks (e.g., SYN floods) than UDP counterparts. CNSP likely contrasts TCP vs. UDP in protocol analysis.
Why other options are incorrect:
A, B, D: All default to UDP for efficiency, not TCP’s reliability. Real-World Context: Firewalls prioritize TCP 80/443 rules for HTTP/HTTPS, while UDP 123 is opened for NTP servers.
Reference: CNSP Official Study Guide (Network Protocols); RFC 2616 (HTTP), RFC 1155 (SNMP).
정답:
Explanation:
The prefix $2a$ identifies the bcrypt hashing algorithm, which is based on the Blowfish symmetric encryption cipher (developed by Bruce Schneier).
Bcrypt is purpose-built for password hashing, incorporating:
Salt: A random string (e.g., 22 Base64 characters) to thwart rainbow table attacks.
Work Factor: A cost parameter (e.g., $2a$10$ means 2^10 iterations), making it computationally expensive to brute-force.
Format: $2a$[cost]$[salt][hash]
Example: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
$2a$: Bcrypt variant (original is $2$; $2a$ fixes a minor bug).
$10$: 1024 iterations.
Next 22 characters: Salt.
Remaining: Hashed password.
Used in /etc/shadow on Linux, bcrypt’s adaptive nature ensures it remains secure as hardware improves. CNSP likely includes it in cryptography modules for its strength over older algorithms like MD5.
Why other options are incorrect:
B. SHA256: Part of the SHA-2 family, outputs a 64-character hexadecimal string (e.g., e3b0c442...), no $ prefix. It’s faster, less suited for passwords.
C. MD5: Produces a 32-character hex string (e.g., d41d8cd9...), no prefix. It’s cryptographically broken (collisions found).
D. SHA512: SHA-2 variant, 128-character hex (e.g., cf83e135...), no $ prefix, not salted by default. Real-World Context: Bcrypt protects SSH keys and web app passwords (e.g., in PHP’s password_hash()).
Reference: CNSP Official Documentation (Cryptography); Bcrypt Specification, RFC 1321 (MD5).
정답:
Explanation:
In Linux/Unix, file permissions are displayed in a 10-character string (e.g., -rwxr-xr-x), where the first character is the file type (- for regular files) and the next nine are permissions for user (owner), group, and others (rwx = read, write, execute).
Special bits like SUID (Set User ID) modify execution behavior:
SUID: When set, a program runs with the owner’s permissions (e.g., root) rather than the executor’s. It’s denoted by an s in the user execute position (replacing x if executable, or capitalized S if not).
Analysis:
-rwxr-sr-x (myfile): User: rwx, Group: r-s (SGID), Others: r-x. The s is in the group execute position, indicating SGID, not SUID.
-rwsr-xr-x (myprogram): User: rws (SUID), Group: r-x, Others: r-x. The s in the user execute position confirms SUID; owned by root, it runs as root.
-rw-r--r-s (anotherfile): User: rw-, Group: r--, Others: r-s. The s is in the others execute position, but no x exists, making it irrelevant (and not SUID). Typically, s here would be a sticky bit on directories, not files.
Security Implications: SUID binaries (e.g., /usr/bin/passwd) are common targets for privilege
escalation if misconfigured (e.g., writable by non-root users). CNSP likely emphasizes auditing SUID
permissions with find / -perm -u=s.
Why other options are incorrect:
A. myfile: Has SGID (s in group), not SUID.
C. anotherfile: The s doesn’t indicate SUID; it’s a misapplied bit without execute permission.
D. All of the above: Only myprogram has SUID.
Real-World Context: Exploiting SUID binaries is a classic Linux attack vector (e.g., CVE-2016-1247 for Nginx).
Reference: CNSP Official Study Guide (Linux Permissions); Linux File System Documentation.
정답:
Explanation:
The net command in Windows is a legacy tool for managing users, groups, and network resources. The subcommand net localgroup <groupname> displays information about a specified local group on the machine where it’s run. Specifically:
net localgroup administrators lists all members (users and groups) of the local Administrators group on the current computer.
The local Administrators group grants elevated privileges (e.g., installing software, modifying system
files) on that machine only, not domain-wide.
Output Example:
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
The command completed successfully.
Technical Details:
Local groups are stored in the Security Accounts Manager (SAM) database (e.g., C:\Windows\System32\config\SAM).
This differs from domain groups (e.g., Domain Admins), managed via Active Directory.
Security Implications: Enumerating local admins is a reconnaissance step in penetration testing (e.g., to escalate privileges). CNSP likely covers this command for auditing and securing Windows systems.
Why other options are incorrect:
A. List domain admin users for the current domain: This requires net group "Domain Admins" /domain, which queries the domain controller, not the local SAM. net localgroup is strictly local. Real-World Context: Attackers use this command post-compromise (e.g., via PsExec) to identify privilege escalation targets.
Reference: CNSP Official Documentation (Windows Security Commands); Microsoft Windows Command-Line Reference.
정답:
Explanation:
A Golden Ticket is a forged Kerberos Ticket-Granting Ticket (TGT) in Active Directory (AD), granting an attacker unrestricted access to domain resources by impersonating any user (e.g., with Domain Admin privileges). Kerberos, per RFC 4120, relies on the KRBTGT account―a built-in service account on every domain controller―to encrypt and sign TGTs. To forge a Golden Ticket, an attacker needs: The KRBTGT password hash (NTLM or Kerberos key), typically extracted from a domain controller’s memory using tools like Mimikatz.
Additional domain details (e.g., SID, domain name).
Process:
Compromise a domain controller (e.g., via privilege escalation).
Extract the KRBTGT hash (e.g., lsadump::dcsync /user:krbtgt).
Forge a TGT with arbitrary privileges using the hash (e.g., Mimikatz’s kerberos::golden command).
The KRBTGT account itself isn’t "used" to create the ticket; its hash is the key ingredient. Unlike
legitimate TGTs issued by the KDC, a Golden Ticket bypasses authentication checks, persisting until
the KRBTGT password is reset (a rare event in most environments). CNSP likely highlights this as a
high-severity AD attack vector.
Why other options are incorrect:
A. Local User account: Local accounts are machine-specific, lack domain privileges, and can’t access the KRBTGT hash stored on domain controllers.
B. Domain User account: A standard user has no inherent access to domain controller credentials or the KRBTGT hash without escalation.
C. Service account: While service accounts may have elevated privileges, they don’t automatically provide the KRBTGT hash unless compromised to domain admin level―still insufficient without targeting KRBTGT specifically.
Real-World Context: The 2014 Sony Pictures hack leveraged Golden Tickets, emphasizing the need for KRBTGT hash rotation post-breach (a complex remediation step).
Reference: CNSP Official Study Guide (Active Directory Attacks); RFC 4120 (Kerberos), Microsoft AD Security Guidelines.