The SecOps Group Updated CNSP Exam Questions and Answers by alfie-james

SSH (Secure Shell), per RFC 4251, uses asymmetric cryptography (e.g., RSA, ECDSA) for secure authentication:

Key Pair:

Public Key:Freely shareable, used to encrypt or verify.

Private Key:Secret, used to decrypt or sign.

Process:

User generates a key pair (e.g., ssh-keygen -t rsa -b 4096).

Public Keyis uploaded to the server, appended to ~/.ssh/authorized_keys (e.g., via ssh-copy-id).

Private Key(e.g., ~/.ssh/id_rsa) stays on the user’s machine.

Authentication: Client signs a challenge with the private key; server verifies it with the public key.

Technical Details:

Protocol: SSH-2 (RFC 4253) uses a Diffie-Hellman key exchange, then public-key auth.

Files: authorized_keys (server, 0644 perms), private key (client, 0600 perms).

Security: Private key exposure compromises all systems trusting the public key.

Security Implications:CNSP likely stresses key management (e.g., passphrases, rotation) and server-side authorized_keys hardening (e.g., PermitRootLogin no).

Why other options are incorrect:

B:Uploading the private key reverses the model, breaking security—anyone with the server’s copy could authenticate as the user. Asymmetric crypto relies on the private key remaining secret.

Real-World Context:GitHub uses SSH public keys for repository access, with private keys on user devices.References:CNSP Official Documentation (SSH Security); RFC 4253 (SSH Authentication Protocol).

Kerberos is the default authentication protocol in Windows Active Directory environments, andtickets are used to prove identity. Verifying ticket validity involves checking their status, expiration, and attributes, which requires a built-in tool available in modern Windows systems.

Why A is correct:Klist is a command-line utility included in Windows (since Vista/2008) that lists cached Kerberos tickets and their details, such as validity period and renewal status. CNSP recognizes it as the standard tool for Kerberos ticket management in security audits.

Why other options are incorrect:

B:Kerbtray is a graphical tool from the Windows Resource Kit, not a built-in utility, and is outdated.

C:Netsh manages network configurations, not Kerberos tickets.

D:"Kerberos Manager" is not a recognized built-in Windows utility; it’s a fictitious name.

References:CNSP "Authentication Protocols" (Section on Kerberos) identifies Klist as the built-in tool for ticket verification, contrasting it with deprecated or external tools.

TLS (Transport Layer Security)secures communication (e.g., HTTPS) using certificates, per RFC 8446. A certificate includes:

Validity Period:Start and end dates (e.g., "Not After: March 8, 2025").

Purpose:Authenticates the server and encrypts the session.

Scenario:An expired TLS certificate (e.g., past "Not After" date). Modern browsers (e.g., Chrome, Firefox) validate certificates during the handshake:

ClientHello:Browser initiates TLS.

ServerHello:Server sends its certificate.

Validation:Browser checks expiration, CA trust, etc.

If expired, browsers reject the handshake, displaying errors (e.g., "NET::ERR_CERT_DATE_INVALID"). No session key is negotiated, andcommunication doesn’t proceed over TLS. Users may bypass warnings (e.g., "Advanced > Proceed"), but this is unencrypted or uses a fallback (not standard TLS), breaking security guarantees.

Security Implications:Expired certificates expose sites to MITM attacks, as trust is lost. CNSP likely emphasizes certificate management (e.g., automation with Let’s Encrypt) to avoid this.

Why other options are incorrect:

B. The communication is still over TLS:False; an expired certificate halts the TLS handshake in compliant browsers. Legacy systems might negotiate insecurely, but this isn’t "TLS" per standards.

Real-World Context:The 2019 Equifax breach partially stemmed from expired certificates missing vulnerabilities.References:CNSP Official Study Guide (TLS/SSL Security); RFC 8446 (TLS 1.3).

TCP’sthree-way handshake, per RFC 793, establishes a connection:

Client → Server:SYN (Synchronize) packet (e.g., port 80).

Server → Client:SYN-ACK (Synchronize-Acknowledge) packet if the port is open and listening.

Client → Server:ACK (Acknowledge) completes the connection.

Scenario:Anopen TCP port(e.g., 80 for HTTP) with no firewall. When a client sends a SYN to an open port (e.g., via telnet 192.168.1.1 80), the server responds with aSYN-ACKpacket, indicating willingness to connect. No firewall means no filtering alters this standard response.

Packet Details:

SYN-ACK: Sets SYN and ACK flags in the TCP header, with a sequence number and acknowledgment number.

Example: Client SYN (Seq=100), Server SYN-ACK (Seq=200, Ack=101).

Security Implications:Open ports responding with SYN-ACK are easily detected (e.g., Nmap “open” state), inviting exploits if unneeded (e.g., Telnet on 23). CNSP likely stresses port minimization and monitoring.

Why other options are incorrect:

A. A FIN and an ACK packet:FIN-ACK closes an established connection, not a response to a new SYN.

B. A SYN packet:SYN initiates a connection from the client, not a server response.

D. A RST and an ACK packet:RST-ACK rejects a connection (e.g., closed port), not an open one.

Real-World Context:SYN-ACK from SSH (22/TCP) confirms a server’s presence during reconnaissance.References:CNSP Official Documentation (TCP/IP Fundamentals); RFC 793 (TCP).