WannaCry is a ransomware attack that erupted in May 2017, infecting over 200,000 systems across

150 countries. It exploited the EternalBlue vulnerability (MS17-010) in Microsoft Windows SMBv1,

targeting unpatched systems (e.g., Windows XP, Server 2003). Developed by the NSA and leaked by

the Shadow Brokers, EternalBlue allowed remote code execution.

Ransomware Mechanics:

Encryption: WannaCry used RSA-2048 and AES-128 to encrypt files, appending extensions like .wcry.

Ransom Demand: Displayed a message demanding $300–$600 in Bitcoin, leveraging a hardcoded

wallet.

Worm Propagation: Self-replicated via SMB, scanning internal and external networks, unlike typical

ransomware requiring user interaction (e.g., phishing).

Malware Context: While WannaCry is malware (malicious software), "ransomware" is the precise

subcategory, distinguishing it from viruses, trojans, or spyware. Malware is a broad term

encompassing any harmful code; ransomware specifically encrypts data for extortion. CNSP likely

classifies WannaCry as ransomware to focus on its payload and mitigation (e.g., patching, backups).

Why other options are incorrect:

B . Malware: Correct but overly generic. WannaCry’s defining trait is ransomware behavior, not just

maliciousness. Specificity matters in security taxonomy for threat response (e.g., NIST IR 8019).

Real-World Context: WannaCry crippled NHS hospitals, highlighting patch management’s criticality. A

kill switch (a domain sinkhole) halted it, but variants persist.

Reference: CNSP Official Study Guide (Malware and Exploits); Microsoft Security Bulletin MS17-010,

NIST IR 8019.

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) port numbers are defined by

a 16-bit field in their packet headers, as specified in RFC 793 (TCP) and RFC 768 (UDP). A 16-bit

integer ranges from 0 to 65,535, yielding a total of 65,536 possible ports (2^16). However, port 0 is

universally reserved across both protocols and is not considered "usable" for standard network

communication. According to the Internet Assigned Numbers Authority (IANA), port 0 is designated

for special purposes, such as indicating an invalid or dynamic port assignment in some systems (e.g.,

when a client requests an ephemeral port). In practice, operating systems and applications avoid

binding to port 0 for listening services, and it’s often used in error conditions or as a placeholder in

protocol implementations (e.g., socket programming).

Thus, the usable port range spans from 1 to 65,535, totaling 65,535 ports. These ports are

categorized by IANA into:

Well-Known Ports (0–1023): Reserved for system services (e.g., HTTP on 80/TCP). Note that 0 is still

reserved within this range.

Registered Ports (1024–49151): Assigned to user applications.

Dynamic/Ephemeral Ports (49152–65535): Used temporarily by clients.

From a security perspective, understanding the usable port count is critical for firewall configuration,

port scanning (e.g., with Nmap), and detecting anomalies (e.g., services binding to unexpected

ports). Misconfiguring a system to use port 0 could lead to protocol errors or expose vulnerabilities,

though it’s rare. The CNSP curriculum likely emphasizes this distinction to ensure practitioners can

accurately scope network security assessments.

Why other options are incorrect:

A . 65536: This reflects the total number of possible ports (0–65535), but it includes the reserved port

0, which isn’t usable for typical TCP/UDP communication. In security contexts, including port 0 in a

count could lead to misconfigured rules or scanning errors.

C . 63535: This is an arbitrary number with no basis in the 16-bit port structure. It might stem from a

typo or misunderstanding (e.g., subtracting 2000 from 65535 incorrectly), but it’s invalid.

D . 65335: Similarly, this lacks grounding in protocol standards. It could be a miscalculation (e.g.,

subtracting 200 from 65535), but it doesn’t align with TCP/UDP specifications.

Real-World Context: In penetration testing, tools like Nmap scan ports 1–65535 by default, excluding

0 unless explicitly specified (e.g., -p0-65535), reinforcing that 65,535 is the practical usable count.

Reference: CNSP Official Study Guide (Network Protocols and Ports); RFC 793 (TCP), RFC 768 (UDP),

IANA Service Name and Transport Protocol Port Number Registry.

Online attacks require real-time interaction with a target system (e.g., a login interface), whereas

offline attacks occur without direct system interaction, typically after obtaining data like password

hashes. A rainbow table attack is an offline method that uses precomputed tables of hash values to

reverse-engineer passwords from stolen hash databases, distinguishing it from the other options,

which are online.

Why B is correct: Rainbow table attacks are performed offline after an attacker has already acquired a

hash (e.g., from a compromised database). The attacker matches the hash against precomputed

tables to find the plaintext password, requiring no interaction with the target system during the

attack. CNSP classifies this as an offline password recovery technique.

Why other options are incorrect:

A: Brute force attacks involve repeatedly submitting password guesses to a live system (e.g., via SSH

or a web login), making it an online attack.

C: Password spraying attacks test a few common passwords across many accounts on a live system,

also an online attack aimed at avoiding lockouts.

D: Phishing attacks trick users into submitting credentials through fake interfaces (e.g., emails or

websites), requiring real-time interaction and thus classified as online.

Reference: CNSP "Password Attack Methodologies" (Section on Online vs. Offline Attacks) defines

rainbow table attacks as offline and contrasts them with online methods like brute force and

phishing.

A DNS zone transfer replicates an entire DNS zone (a collection of DNS records for a domain) from a

primary nameserver to a secondary one, typically for redundancy or load balancing. The AXFR

(Authoritative Full Zone Transfer) query type, defined in RFC 1035, facilitates this process. The dig

(Domain Information Groper) tool, a staple in Linux/Unix environments, is used to query DNS

servers. The correct syntax is:

dig @ axfr

Here, dig @10.0.0.1 victim.com axfr instructs dig to request a zone transfer for "victim.com" from the

nameserver at 10.0.0.1. The @ symbol specifies the target server, overriding the system’s default

resolver.

Technical Details:

The AXFR query is sent over TCP (port 53), not UDP, due to the potentially large size of zone data,

which exceeds UDP’s typical 512-byte limit (pre-EDNS0).

Successful execution requires the nameserver to permit zone transfers from the querying IP, often

restricted to trusted secondaries via Access Control Lists (ACLs) for security. If restricted, the server

responds with a "REFUSED" error.

Security Implications: Zone transfers expose all DNS records (e.g., A, MX, NS), making them a

reconnaissance goldmine for attackers if misconfigured. CNSP likely emphasizes securing DNS servers

against unauthorized AXFR requests, using tools like dig to test vulnerabilities.

Why other options are incorrect:

A . dig @10.0.0.1 victim.com axrfr: "axrfr" is a typographical error. The correct query type is "axfr."

Executing this would result in a syntax error or an unrecognized query type response from dig.

B . dig @10.0.0.1 victim.com afxr: "afxr" is another typo, not a valid DNS query type per RFC 1035.

dig would fail to interpret this, likely outputting an error like "unknown query type."

C . dig @10.0.0.1 victim.com arfxr: "arfxr" is also invalid, a jumbled version of "axfr." It holds no

meaning in DNS protocol standards and would fail similarly.

Real-World Context: Penetration testers use dig ... axfr to identify misconfigured DNS servers. For

example, dig @ns1.example.com example.com axfr might reveal subdomains or internal IPs if not

locked down.

Reference: CNSP Official Documentation (DNS Security and Tools); RFC 1035 (Domain Names -

Implementation and Specification).

Negotiating a shared encryption key involves a process where two parties agree on a secret key over

an insecure channel without directly transmitting it. This is distinct from encryption or hashing

algorithms, which serve different purposes.

Why C is correct: The Diffie-Hellman (DH) algorithm is a key exchange protocol that enables two

parties to establish a shared secret key using mathematical operations (e.g., modular

exponentiation). It’s widely used in protocols like TLS and IPsec, as noted in CNSP for secure key

negotiation.

Why other options are incorrect:

A: Triple-DES is a symmetric encryption algorithm for data encryption, not key negotiation.

B: SHA1 is a hash function for integrity, not key exchange.

D: AES is a symmetric encryption algorithm, not a key exchange mechanism.

Reference: CNSP "Cryptographic Protocols" (Section on Key Exchange) describes Diffie-Hellman as

the standard for shared key negotiation, contrasting it with encryption algorithms.

UDP (User Datagram Protocol), per RFC 768, is connectionless, lacking TCP’s handshake or

acknowledgment mechanisms. When a UDP packet reaches a port:

Closed Port: The host typically sends an ICMP "Destination Port Unreachable" (Type 3, Code 3) unless

suppressed (e.g., by firewall or OS settings).

Open Port: If a service is listening (e.g., DNS on 53/UDP), it processes the packet but doesn’t

inherently reply unless the application protocol requires it (e.g., DNS sends a response).

Scenario: An open UDP port behind a firewall, with the firewall rule allowing traffic (e.g., permit udp

any host 10.0.0.1 eq 123). The packet reaches the service, but UDP itself doesn’t mandate a

response. Most services (e.g., NTP, SNMP) only reply if the packet matches an expected request. In

this question’s generic context (no specific service), no response is the default, as the firewall permits

the packet, and the open port silently accepts it without feedback.

Security Implications: This silence makes UDP ports harder to scan (e.g., Nmap assumes

"open|filtered" for no response), but exposed open ports risk amplification attacks (e.g., DNS

reflection). CNSP likely contrasts UDP’s behavior with TCP for firewall rule crafting.

Why other options are incorrect:

A . ICMP message showing Port Unreachable: Occurs for closed ports, not open ones, unless the

service explicitly rejects the packet (rare).

C . A SYN Packet: SYN is TCP-specific (handshake initiation), irrelevant to UDP.

D . A FIN Packet: FIN is TCP-specific (connection closure), not UDP.

Real-World Context: Testing UDP 53 (DNS) with dig @8.8.8.8 +udp yields a response, but generic UDP

probes (e.g., nc -u) often get silence.

Reference: CNSP Official Documentation (UDP and Firewall Behavior); RFC 768 (UDP).

An IPv6 address, defined in RFC 4291, is a 128-bit address designed to replace IPv4’s 32-bit scheme,

vastly expanding address space (2^128 vs. 2^32). An octet is 8 bits (1 byte). To calculate octets in

IPv6:

128 bits ÷ 8 bits/octet = 16 octets.

Representation:

IPv6 is written as eight 16-bit hexadecimal blocks (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334),

separated by colons.

Each block is 16 bits (2 bytes), so 8 blocks = 16 octets.

Contrast with IPv4 (e.g., 192.168.0.1), which has 4 octets (32 bits).

Technical Note: Your original input flagged this question’s phrasing as potentially misleading,

suggesting "octets" is an IPv4 term, while IPv6 uses "16-bit groups" or "hextets." While technically

accurate (RFC 4291 uses "16-bit blocks"), "octets" remains a common, if informal, term in security

contexts for byte-wise analysis (e.g., packet crafting). CNSP might use "octets" to test byte-level

understanding, though "groups" is more precise for IPv6. Here, 16 octets (128 bits) is correct either

way.

Security Implications: IPv6’s larger address space complicates scanning (e.g., Nmap struggles with

2^128 possibilities) but introduces risks like misconfigured Neighbor Discovery Protocol (NDP).

Understanding its structure aids in firewall rules and IDS signatures.

Why other options are incorrect:

B . 32: Implies 256 bits (32 × 8), far exceeding IPv6’s 128-bit design.

C . 64: Suggests 512 bits (64 × 8), unrelated to IPv6 or any IP standard.

D . 128: Misinterprets octets as bits; 128 bits = 16 octets, not 128 octets.

Real-World Context: IPv6 packet analysis (e.g., Wireshark) breaks addresses into 16 octets for raw

data inspection.

Reference: CNSP Official Documentation (IPv6 Networking); RFC 4291 (IP Version 6 Addressing

Architecture).

SNMP community strings authenticate access, with defaults posing security risks if unchanged.

Why C is correct:

A: "public" is the standard read-only default, per SNMP specs and CNSP.

B: "private" is the standard read-write default, also per SNMP and CNSP.

Both are true, making C the answer.

Why other options are incorrect:

1, 2: Exclude one true statement each.

4: Both statements are true, so "none" is wrong.

Reference: CNSP "SNMP Security" (Section on Defaults) confirms "public" and "private" as standard

community strings.

The net localgroup command manages local group memberships on Windows systems, with syntax

dictating its action.

Why B is correct: net localgroup Sales Sales_domain /add adds the domain group Sales_domain to

the local group Sales, granting its members local group privileges. CNSP covers this for privilege

escalation testing.

Why other options are incorrect:

A: Displaying users requires net localgroup Sales without /add.

C: Adding a user requires a username, not a group name like Sales_domain.

D: The reverse (local to domain) uses net group, not net localgroup.

Reference: CNSP "Windows Group Management" (Section on net Commands) explains net

localgroup for adding domain groups.

SNMP (Simple Network Management Protocol) uses community strings as a basic form of

authentication. The default read-only community string "public" is widely known, and if left

unchanged, it exposes devices to unauthorized access. The primary risk with "public" is information

disclosure, as it typically grants read-only access, allowing attackers to gather sensitive data (e.g.,

device configurations, network topology) without altering settings.

Why A is correct: With the "public" string, an attacker can use tools like snmpwalk to enumerate

device details (e.g., system uptime, interfaces, or software versions) via SNMP queries. This aligns

with CNSP’s focus on reconnaissance risks during security audits, emphasizing the danger of default

credentials enabling passive data collection.

Why other options are incorrect:

B: While modifying settings is a risk with SNMP, the default "public" string is typically read-only.

Changing configurations requires a read-write community string (e.g., "private"), which isn’t implied

here. Thus, snmpset would not work with "public" alone.

C: Since B is incorrect in this context, C (both A and B) cannot be the answer.

D: The risk in A is valid, so "none of the above" is incorrect.

Reference: CNSP "Network Device Security" (Section on SNMP Security) highlights the

reconnaissance risk of default "public" strings and tools like snmpwalk for exploitation, distinguishing

read-only from read-write access.