Microsoft SQL Server (MSSQL) relies on specific ports for its core services, as defined by Microsoft and registered with IANA:

1433/TCP: The default port for the SQL Server Database Engine. Clients connect here for querying databases (e.g., via ODBC or JDBC). It's a well-known port, making it a frequent target for attacks if exposed.
1434/UDP: Used by the SQL Server Browser Service, which listens for incoming requests and redirects clients to the correct port/instance (especially for named instances). It's critical for discovering dynamic ports when 1433 isn't used.
1434/TCP: Less commonly highlighted but used in some configurations, such as dedicated admin connections (DAC) or when the Browser Service responds over TCP for specific instances. While 1433/TCP is the primary engine port, 1434/TCP can be involved in multi-instance setups.

Technical Details: Ports can be customized (e.g., via SQL Server Configuration Manager), but these are defaults. Named instances often use dynamic ports (allocated from the ephemeral range), with the Browser Service (1434/UDP) guiding clients to them. Firewalls must allow these ports for MSSQL to function externally, posing risks if not secured (e.g., brute-force attacks on 1433/TCP).

Security Implications: CNSP likely covers MSSQL port security, as vulnerabilities like SQL Slammer (2003) exploited 1434/UDP misconfigurations. Hardening includes restricting access, changing defaults, and monitoring traffic.

Why other options are incorrect:
A. 1433/TCP, 2433/UDP, 3433/TCP: 2433/UDP and 3433/TCP are not MSSQL standards; they're likely typos or unrelated ports.
C. 1433/TCP, 2433/UDP, 1434/TCP: 2433/UDP is incorrect; 1434/UDP is the Browser Service port.
D. 1533/TCP, 1434/UDP, 2434/TCP: 1533/TCP and 2434/TCP aren't associated with MSSQL; they deviate from documented defaults.

Real-World Context: Tools like netstat -an | find "1433" on Windows confirm MSSQL's port usage during audits.
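The netstat audit mentioned above can be extended to all three default ports and to the bind address, which shows whether a listener is reachable on every interface. This is an added example, not part of the original page; the function name audit_mssql_listeners and the netstat output are constructed for illustration.

```python
# Added example: audit `netstat -an` output for SQL Server default listeners.
# SAMPLE_NETSTAT is constructed for illustration, not captured from a real host.
MSSQL_DEFAULTS = {
    ("TCP", 1433): "Database Engine",
    ("UDP", 1434): "SQL Server Browser",
    ("TCP", 1434): "DAC / other (per the text)",
}
WILDCARDS = {"0.0.0.0", "[::]", "*"}  # bind addresses meaning "all interfaces"

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1433          10.0.0.23:50522        ESTABLISHED
  TCP    [::]:1433              [::]:0                 LISTENING
  UDP    0.0.0.0:1434           *:*
"""

def audit_mssql_listeners(netstat_text):
    """Return (proto, bind_addr, port, service, all_interfaces) per listener."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING rows are listeners.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port_text = local.rpartition(":")
        if not port_text.isdigit():
            continue
        service = MSSQL_DEFAULTS.get((proto, int(port_text)))
        if service:
            findings.append((proto, addr, int(port_text), service,
                             addr in WILDCARDS))
    return findings

if __name__ == "__main__":
    for proto, addr, port, service, exposed in audit_mssql_listeners(SAMPLE_NETSTAT):
        scope = "ALL INTERFACES" if exposed else "restricted bind"
        print(f"{port}/{proto:<3} {service:<28} {addr:<10} {scope}")
```

A listener bound to 0.0.0.0 or [::] is the case to check against the host firewall rules; a loopback bind is not reachable from the network.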
Question 2
What is the response from an open TCP port which is not behind a firewall?
Correct Answer: C
TCP's three-way handshake, per RFC 793, establishes a connection:

Client → Server: SYN (Synchronize) packet (e.g., port 80).
Server → Client: SYN-ACK (Synchronize-Acknowledge) packet if the port is open and listening.
Client → Server: ACK (Acknowledge) completes the connection.

Scenario: An open TCP port (e.g., 80 for HTTP) with no firewall. When a client sends a SYN to an open port (e.g., via telnet 192.168.1.1 80), the server responds with a SYN-ACK packet, indicating willingness to connect. No firewall means no filtering alters this standard response.

Packet Details: SYN-ACK sets the SYN and ACK flags in the TCP header, with a sequence number and acknowledgment number. Example: Client SYN (Seq=100), Server SYN-ACK (Seq=200, Ack=101).

Security Implications: Open ports responding with SYN-ACK are easily detected (e.g., Nmap "open" state), inviting exploits if unneeded (e.g., Telnet on 23). CNSP likely stresses port minimization and monitoring.

Why other options are incorrect:
A. A FIN and an ACK packet: FIN-ACK closes an established connection, not a response to a new SYN.
B. A SYN packet: SYN initiates a connection from the client, not a server response.
D. A RST and an ACK packet: RST-ACK rejects a connection (e.g., closed port), not an open one.

Real-World Context: SYN-ACK from SSH (22/TCP) confirms a server's presence during reconnaissance.
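The flag combinations in the answer options can be read straight from the TCP header. The following added example (not part of the original page) packs the Seq=100 / Seq=200, Ack=101 exchange from the text into raw headers and classifies each reply; build_tcp_header and classify_reply are hypothetical names and every packet is constructed sample data.

```python
import struct

# TCP flag bits in the header's flags field (RFC 793).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def build_tcp_header(sport, dport, seq, ack, flags):
    """Pack a 20-byte TCP header with no options (constructed sample data;
    the checksum is left at 0 because nothing here goes on the wire)."""
    offset_flags = (5 << 12) | flags  # data offset = 5 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, 64240, 0, 0)

def classify_reply(client_seq, reply):
    """Return the port state implied by the reply to a SYN (None = no reply)."""
    if reply is None:
        return "filtered"            # nothing came back: dropped or lost
    if len(reply) < 20:
        return "malformed"
    _, _, _, ack, offset_flags = struct.unpack("!HHIIH", reply[:14])
    flags = offset_flags & 0x3F
    if flags & RST:
        return "closed"              # RST-ACK: no listener on the port
    if flags & SYN and flags & ACK:
        # A genuine SYN-ACK acknowledges our sequence number + 1.
        return "open" if ack == (client_seq + 1) % 2**32 else "invalid-ack"
    return "unexpected"              # e.g. FIN-ACK, which only closes a session

if __name__ == "__main__":
    client_seq = 100                 # the SYN from the text: Seq=100
    samples = {
        "SYN-ACK Seq=200 Ack=101": build_tcp_header(80, 50000, 200, 101, SYN | ACK),
        "RST-ACK Ack=101": build_tcp_header(80, 50000, 0, 101, RST | ACK),
        "FIN-ACK": build_tcp_header(80, 50000, 200, 101, FIN | ACK),
        "no reply": None,
    }
    for name, reply in samples.items():
        print(f"{name:<26} -> {classify_reply(client_seq, reply)}")
```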
Question 3
What is the response from an open UDP port which is not behind a firewall?
Correct Answer: B
UDP's connectionless nature means it lacks inherent acknowledgment mechanisms, affecting its port response behavior.

Why B is correct: An open UDP port does not respond unless an application explicitly sends a reply. Without a firewall or application response, the sender receives no feedback, per CNSP scanning guidelines.

Why other options are incorrect:
A: ICMP Port Unreachable indicates a closed port, not an open one.
C: SYN packets are TCP-specific, not UDP.
D: FIN packets are also TCP-specific.
Question 4
The Active Directory database file stores the data and schema information for the Active Directory database on domain controllers in Microsoft Windows operating systems. Which of the following files is the Active Directory database file?
Correct Answer: D
The Active Directory (AD) database on Windows domain controllers contains critical directory information, stored in a specific file format.

Why D is correct: The NTDS.DIT file (NT Directory Services Directory Information Tree) is the Active Directory database file, located in C:\Windows\NTDS\ on domain controllers. It stores all AD objects (users, groups, computers) and schema data in a hierarchical structure. CNSP identifies NTDS.DIT as the key file for AD data extraction in security audits.

Why other options are incorrect:
A. NTDS.DAT: Not a valid AD database file; may be a confusion with other system files.
B. NTDS.MDB: Refers to an older Microsoft Access database format, not used for AD.
C. MSAD.MDB: Not a recognized file for AD; likely a misnomer.
Question 5
Where are the password hashes stored in a Microsoft Windows 64-bit system?
Correct Answer: B
Windows stores password hashes in the SAM (Security Account Manager) file, with a consistent location across 32-bit and 64-bit systems.

Why B is correct: The SAM file resides at C:\Windows\System32\config\SAM, locked during system operation for security. CNSP notes this for credential extraction risks.

Why other options are incorrect:
A: System64 does not exist; System32 is used even on 64-bit systems.
C: C:\System64 is invalid; the path starts with Windows.
D: config\System32 reverses the correct directory structure.