CPSA Revision — Ports & Commands

A single-page drill sheet for the CREST Practitioner Security Analyst (CPSA) exam. Top 50 ports — first 20 are non-negotiable cold-recall — followed by every Windows and Linux / Unix command that appears in the 693-question CPSA question bank. Each entry pairs a plain-English explanation with a memory hook and a single-answer recall question.

How to use this sheet (science-backed recall)

Active recall — every entry has a question. Cover the answer, attempt cold, then reveal. Re-reading is recognition, not recall — only the question forces retrieval.
Dual coding — the Memory hook column gives a verbal+visual anchor (rhyme, image, pun) so the fact lands on two cognitive channels.
Elaborative encoding — the Use and CPSA angle columns tie each item to why it is tested, not just what it is. Meaning beats rote.
Retrieval practice with spacing — drill cold, sleep, re-test 24–48 h later. A fact recalled correctly twice across separate sessions is locked in; one pass is not.
Walk-the-wrongs — when an answer fails, identify the pattern of failure (e.g. defaulting to the most familiar tool name), not just the right answer.

Ports 1–20 — must-know
Ports 21–50 — supporting set
Linux / Unix commands
Windows commands

Ports 1–20 — Must-Know

Cold recall, every session

These eighteen ports are mandated as the per-session port drill in your CPSA study setup; the additional two — File Transfer Protocol Data (port 20) and Kerberos (port 88) — are heavily tested in the Windows and IP Protocols domains.

#	Port / Proto	Service	Use	Memory hook	CPSA angle
1	20 / Transmission Control Protocol (TCP)	File Transfer Protocol — Data (FTP-Data)	Carries the file payload during active-mode FTP; server initiates the data connection back to the client from port 20.	"20 ferries the cargo, 21 takes the orders."	Active mode pierces outbound firewalls; payload is clear-text and sniffable.
2	21 / TCP	File Transfer Protocol (FTP) Control	Login and command channel for File Transfer Protocol; cleartext authentication.	"21 = the front desk; 20 = the loading bay."	Anonymous logins, banner-grab fingerprinting, brute-force credentials.
3	22 / TCP	Secure Shell (SSH)	Encrypted remote shell, file transfer (Secure Copy / SSH File Transfer Protocol — SCP / SFTP), and tunnelling.	"Two ducks side-by-side, both encrypted — 22."	Weak ciphers, key reuse, password brute-force, agent forwarding abuse.
4	23 / TCP	Telnet	Cleartext remote shell — predecessor of Secure Shell (SSH); credentials sent in the clear.	"23 = telnet, old and naked — wears no clothes."	Sniffable creds; flag any 23/TCP as legacy gear (printers, switches, IoT).
5	25 / TCP	Simple Mail Transfer Protocol (SMTP)	Server-to-server email relay; cleartext unless STARTTLS upgraded.	"Quarter-past the hour — post the mail."	Open relay testing, VRFY/EXPN user enumeration, banner version grab.
6	53 / User Datagram Protocol (UDP) + TCP	Domain Name System (DNS)	Hostname-to-Internet Protocol address resolution. UDP for queries; TCP for zone transfers and responses larger than 512 bytes.	"Gimme fifty-three names."	Zone-transfer (Asynchronous Full Transfer Zone — AXFR) leaks, subdomain enumeration, DNS recon, cache poisoning.
7	69 / UDP	Trivial File Transfer Protocol (TFTP)	UDP-based file transfer with no authentication; used by routers, switches, and Pre-Boot Execution Environment (PXE) boot.	"69 = tiny, two-way, trivial."	Router config exfiltration, PXE image theft, no auth boundary.
8	80 / TCP	Hypertext Transfer Protocol (HTTP)	Cleartext World Wide Web traffic.	"80 — eighty-percent of the web (cleartext)."	Every web vulnerability lives here — Cross-Site Scripting (XSS), Structured Query Language injection (SQLi), directory traversal, broken auth.
9	88 / TCP + UDP	Kerberos	Active Directory (AD) authentication: Authentication Service exchange and Ticket-Granting Service ticket issuance.	"Two K's stacked = 88 = Kerberos."	Kerberoasting (Service Principal Name — SPN — tickets), Authentication Service Response (AS-REP) roasting, Golden / Silver tickets.
10	110 / TCP	Post Office Protocol version 3 (POP3)	Email retrieval — downloads and (by default) deletes from server.	"110 — the postman delivers 110 letters."	Cleartext authentication; pivot to Post Office Protocol Secure (POP3S) on 995 if encryption mandated.
11	143 / TCP	Internet Message Access Protocol (IMAP)	Email server-side storage and folder synchronisation.	"143 = phone-pad I-LOVE-U → IMAP delivers love letters."	Cleartext authentication; secure variant on 993.
12	161 / UDP	Simple Network Management Protocol (SNMP)	Network-device monitoring and configuration via Management Information Base (MIB) queries.	"One-six-one — public is the password."	Default community strings (`public` read / `private` write), SNMPv1/v2c cleartext, full device enumeration (interfaces, routes, processes).
13	389 / TCP + UDP	Lightweight Directory Access Protocol (LDAP)	Directory queries — primary protocol for reading Active Directory user / group / computer objects.	"Three-eighty-nine — the directory door."	Anonymous binds, user enumeration, AD recon for downstream Kerberoasting.
14	443 / TCP	Hypertext Transfer Protocol Secure (HTTPS)	Encrypted World Wide Web — HTTP wrapped in Transport Layer Security (TLS) / Secure Sockets Layer (SSL).	"4-4-3 = three locks on the front door."	Certificate validation, weak cipher suites, certificate Subject Alternative Name (SAN) leakage; web vulnerabilities still apply behind the lock.
15	445 / TCP	Server Message Block (SMB)	Windows file and printer sharing, named pipes, and Microsoft Remote Procedure Call (MS-RPC) over SMB — directly over TCP, no NetBIOS layer.	"445 = five less than 450 — the SMB share door."	EternalBlue (MS17-010), null sessions, missing SMB signing, share enumeration.
16	514 / UDP	Syslog	Centralised system-log shipping — connectionless and unauthenticated by default.	"5-1-4 — phone the logs."	Spoofable log messages over UDP; tamper window during the gap to a Security Information and Event Management (SIEM) system.
17	636 / TCP	Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS)	LDAP wrapped in TLS / SSL — encrypted Active Directory queries.	"636 = the secure sandwich (6 — 3 — 6, certificate filling)."	Validates certificate chain; once authenticated, AD enumeration still possible.
18	3306 / TCP	MySQL	MySQL and MariaDB database server.	"3-3-0-6 = M-y-S-Q-L (4 chars, 4 digits, the zero is the gap)."	Weak / default credentials, unauthenticated SELECT, User-Defined Function (UDF) code execution.
19	3389 / TCP	Remote Desktop Protocol (RDP)	Microsoft graphical remote login.	"33-89 — RDP stays in the eighties."	BlueKeep (CVE-2019-0708), Network Level Authentication (NLA) bypass, brute-force, session-hijack via shadowing.
20	5900 / TCP	Virtual Network Computing (VNC)	Cross-platform graphical remote-control protocol.	"Five nines — five-nine-hundred — five eyes watching."	Weak / no authentication; legacy 8-character Data Encryption Standard (DES) password, often unencrypted on the wire.

Recall questions — Ports 1–20

Q1 · FTP-Data

In active-mode File Transfer Protocol (FTP), which port does the server use to initiate the data channel back to the client?
1. 20
2. 21
3. 22
4. 69
Answer: A — 20
Q2 · FTP Control

A banner reading 220 ProFTPD 1.3.5 is returned during a connection. Which Transmission Control Protocol (TCP) port is most likely listening?
1. 20
2. 21
3. 22
4. 23
Answer: B — 21
Q3 · SSH

Secure Shell (SSH) listens on which default port?
1. 21
2. 22
3. 23
4. 25
Answer: B — 22
Q4 · Telnet

A cleartext remote-shell protocol from the early Internet, still found on legacy network gear, listens on:
1. 22
2. 23
3. 25
4. 110
Answer: B — 23
Q5 · SMTP

Server-to-server email relay using Simple Mail Transfer Protocol (SMTP) defaults to which port?
1. 25
2. 110
3. 143
4. 465
Answer: A — 25
Q6 · DNS

Domain Name System (DNS) zone-transfer requests fall back from User Datagram Protocol (UDP) to which transport on port 53?
1. Internet Control Message Protocol (ICMP)
2. Stream Control Transmission Protocol (SCTP)
3. Transmission Control Protocol (TCP)
4. Address Resolution Protocol (ARP)
Answer: C — TCP
Q7 · TFTP

Which protocol uses User Datagram Protocol (UDP) port 69 with no authentication and is commonly used for router configuration and Pre-Boot Execution Environment (PXE) boot?
1. File Transfer Protocol (FTP)
2. Trivial File Transfer Protocol (TFTP)
3. Secure Copy (SCP)
4. Hypertext Transfer Protocol (HTTP)
Answer: B — TFTP
Q8 · HTTP

Cleartext Hypertext Transfer Protocol (HTTP) defaults to which port?
1. 53
2. 80
3. 443
4. 8080
Answer: B — 80
Q9 · Kerberos

Active Directory (AD) authentication via the Authentication Service and Ticket-Granting Service uses which port?
1. 53
2. 88
3. 389
4. 445
Answer: B — 88
Q10 · POP3

A user retrieves email by downloading messages and removing them from the server using the cleartext default port for the legacy retrieval protocol. Which port?
1. 25
2. 110
3. 143
4. 995
Answer: B — 110
Q11 · IMAP

Cleartext Internet Message Access Protocol (IMAP) listens on:
1. 110
2. 143
3. 993
4. 995
Answer: B — 143
Q12 · SNMP

Simple Network Management Protocol (SNMP) queries use which transport and port?
1. Transmission Control Protocol (TCP) 161
2. User Datagram Protocol (UDP) 161
3. UDP 162
4. TCP 162
Answer: B — UDP 161
Q13 · LDAP

Cleartext Lightweight Directory Access Protocol (LDAP) defaults to which port?
1. 88
2. 389
3. 636
4. 3268
Answer: B — 389
Q14 · HTTPS

Hypertext Transfer Protocol Secure (HTTPS) listens on which port?
1. 80
2. 443
3. 8080
4. 4443
Answer: B — 443
Q15 · SMB

On a modern Windows host, which port carries Server Message Block (SMB) directly over Transmission Control Protocol (TCP) without a NetBIOS layer?
1. 137
2. 139
3. 445
4. 3389
Answer: C — 445
Q16 · Syslog

Centralised log shipping via Syslog defaults to which port and transport?
1. Transmission Control Protocol (TCP) 514
2. User Datagram Protocol (UDP) 514
3. TCP 515
4. UDP 162
Answer: B — UDP 514
Q17 · LDAPS

Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS) listens on:
1. 389
2. 443
3. 636
4. 3269
Answer: C — 636
Q18 · MySQL

Default port for the MySQL database server is:
1. 1433
2. 1521
3. 3306
4. 5432
Answer: C — 3306
Q19 · RDP

Microsoft Remote Desktop Protocol (RDP) listens on which port?
1. 22
2. 3306
3. 3389
4. 5900
Answer: C — 3389
Q20 · VNC

Default port for Virtual Network Computing (VNC):
1. 3389
2. 5800
3. 5900
4. 6000
Answer: C — 5900

Ports 21–50 — Supporting Set

Frequent in qbank

Less drilled than the top twenty but every one appears in the question bank or the official CPSA port reference. Group them mentally by family — name services (135 / 137 / 138 / 139), secure-mail siblings (465 / 993 / 995), Virtual Private Network (VPN) cluster (500 / 1194 / 1701 / 1723), database row (1433 / 1521 / 3306 / 5432) — chunking is the cheapest mnemonic you have.

#	Port / Proto	Service	Use	Memory hook	CPSA angle
21	7 / TCP + UDP	Echo	Returns whatever data is sent to it — a debug protocol from the early Internet.	"Lucky 7 echoes back."	Amplification / Distributed Denial of Service (DDoS) reflection vector when reachable from the Internet.
22	43 / TCP	WHOIS	Domain registration lookup against a registrar database.	"Forty-three — Who is registered?"	Passive recon, registrant data, Open-Source Intelligence (OSINT) starting point.
23	49 / TCP	Terminal Access Controller Access-Control System Plus (TACACS+)	Cisco Authentication, Authorisation and Accounting (AAA) protocol that encrypts the entire payload (vs. RADIUS which only encrypts the password).	"Quarter-to-fifty — TAC-ACS, the Cisco kid."	Centralised AAA on network gear; full-payload encryption is the exam differentiator.
24	67 / UDP	Dynamic Host Configuration Protocol (DHCP) — Server	The DHCP server replies to client broadcasts on this port.	"67 / 68 — server gives, client gets."	Rogue DHCP attack, IP-pool exhaustion, gateway / DNS poisoning.
25	68 / UDP	DHCP — Client	The DHCP client receives offers and acknowledgements on this port.	"68 — client one above 67."	Pair with port 67 — the question often tests which is which.
26	70 / TCP	Gopher	Pre-Web menu protocol — almost extinct, but still a Server-Side Request Forgery (SSRF) primitive.	"70 = the old groundhog before the Web."	SSRF via `gopher://` Uniform Resource Identifier (URI) to reach internal services that only speak raw TCP.
27	79 / TCP	Finger	Legacy user-information lookup — last login time, home directory, real name.	"79 = point-the-finger."	Username enumeration on legacy Unix.
28	111 / TCP + UDP	Sun Remote Procedure Call (Sun RPC) / Portmapper	Linux / Unix RPC endpoint mapper — the directory of which RPC services are listening on which dynamic ports.	"Three flags planted = 111, all the RPC services here."	Network File System (NFS), `rpcinfo` enumeration, NIS / Network Information Service exposure.
29	119 / TCP	Network News Transfer Protocol (NNTP)	Usenet news article distribution.	"119 — old news (call 999, plus old)."	Rare in modern environments; banner grab.
30	123 / UDP	Network Time Protocol (NTP)	Clock synchronisation across hosts and infrastructure.	"123 — count one-two-three to the second."	NTP `monlist` amplification (DDoS); Kerberos breaks if clock skew >5 minutes.
31	135 / TCP	Microsoft Remote Procedure Call (MS-RPC) Endpoint Mapper / Distributed Component Object Model (DCOM)	Windows equivalent of Linux 111 — directory of MS-RPC services.	"135 = Microsoft's portmap (mirror of 111)."	Endpoint enumeration, DCOM lateral movement, Windows Management Instrumentation (WMI) over MS-RPC.
32	137 / UDP	NetBIOS Name Service (NBT-NS)	Windows name resolution before DNS — broadcast-based.	"137 — NetBIOS Names, started life on the 137th."	Link-Local Multicast Name Resolution (LLMNR) / NBT-NS poisoning via Responder; harvests Net New Technology LAN Manager (NTLM) hashes.
33	138 / UDP	NetBIOS Datagram Service	Connectionless NetBIOS messages — browse lists, mailslots.	"138 — datagram between name (137) and session (139)."	Legacy browser elections, broadcast traffic that leaks domain structure.
34	139 / TCP	NetBIOS Session Service	SMB over NetBIOS — the legacy SMB transport before SMB-direct on 445.	"139 = old SMB; 445 = new SMB."	Null sessions, share enumeration, often paired with 445 on older hosts.
35	162 / UDP	SNMP Trap	Unsolicited SNMP alerts pushed from agents to a manager.	"162 = 161 + 1 — the trap that follows the query."	Spoofed traps poison monitoring; a forgotten 162 listener is an info leak.
36	179 / TCP	Border Gateway Protocol (BGP)	The Internet's exterior routing protocol — Autonomous System (AS) to AS path advertisement.	"One-seven-nine — the AS handshake."	Route hijack, weak Message Digest 5 (MD5) authentication, prefix leaks.
37	465 / TCP	Simple Mail Transfer Protocol Secure (SMTPS)	SMTP wrapped in implicit TLS / SSL.	"4-6-5 — locked mail-room."	Modern mail submission alternative is 587 with STARTTLS; 465 was deprecated then re-instated.
38	500 / UDP	Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE)	Phase-1 negotiation for Internet Protocol Security (IPsec) Virtual Private Networks (VPNs).	"500 = the front door of the IPsec tunnel."	Aggressive-mode Pre-Shared Key (PSK) capture and offline crack, IKE version detection.
39	554 / TCP + UDP	Real Time Streaming Protocol (RTSP)	Control protocol for streaming video and audio (Internet Protocol — IP — cameras, media servers).	"554 = streaming live."	Default credentials on IP cameras, exposed Closed-Circuit Television (CCTV) feeds.
40	993 / TCP	Internet Message Access Protocol Secure (IMAPS)	IMAP wrapped in TLS / SSL.	"993 = 143 + locked envelope."	Pair with 143 — when 143 is open and 993 is not, mail auth is in the clear.
41	995 / TCP	Post Office Protocol version 3 Secure (POP3S)	POP3 wrapped in TLS / SSL.	"995 = 110 with armour."	Pair with 110 — same logic as 993 / 143.
42	1194 / UDP	OpenVPN	Open-source VPN over UDP (default) or TCP.	"1194 — eleven-ninety-four, OpenVPN's signature."	Static-key vs. TLS modes; weak PSK or exposed Certificate Authority (CA).
43	1433 / TCP	Microsoft Structured Query Language Server (MS-SQL)	Microsoft SQL Server database engine.	"1433 — fourteen-thirty-three, MS-SQL's badge."	`xp_cmdshell` command execution, weak `sa` credentials, SQL injection (SQLi) via linked apps.
44	1521 / TCP	Oracle Database Listener	Oracle Database listener / Transparent Network Substrate (TNS).	"15-21 — Oracle's TNS porthole."	TNS poisoning, default Service Identifier (SID) enumeration, Oracle Listener attacks.
45	1701 / UDP	Layer 2 Tunneling Protocol (L2TP)	VPN tunnelling protocol — almost always paired with IPsec for confidentiality.	"17-01 — L2TP, the tunnel without locks (uses IPsec for those)."	L2TP alone has no encryption; check for L2TP-without-IPsec misconfigurations.
46	1723 / TCP	Point-to-Point Tunneling Protocol (PPTP)	Legacy Microsoft VPN — MS-CHAPv2 authentication.	"1723 — PPTP, deprecated and broken."	MS-CHAPv2 weakness, offline crack via `chapcrack` / `cloudcracker`; treat as red flag.
47	1812 / UDP	Remote Authentication Dial-In User Service (RADIUS) Authentication	AAA for network access — Wi-Fi 802.1X, VPN, switches.	"1812 — RADIUS auth (1813 = accounting)."	Only the password attribute is encrypted; rest of payload in the clear; compare with TACACS+ (port 49).
48	2049 / TCP + UDP	Network File System (NFS)	Unix remote file-system mounting.	"20-49 — NFS, the Unix share."	`showmount -e` exposure, no_root_squash exports, weak host-based authentication.
49	5432 / TCP	PostgreSQL	PostgreSQL database server.	"5432 — count down P-G-S-Q-L."	Default `postgres` credentials, `COPY ... FROM PROGRAM` code execution.
50	8080 / TCP	Hypertext Transfer Protocol (HTTP) — Alternate	Common alternate web port — proxies, application servers (Apache Tomcat, Jenkins).	"8080 = 80 doubled, the developer port."	Forgotten admin consoles, unauthenticated Jenkins, Tomcat manager default creds.

Recall questions — Ports 21–50

Q21 · Echo
Which port returns whatever data is sent to it and is a known reflection / amplification vector?
1. 7
2. 9
3. 13
4. 19
Answer: A — 7
Q22 · WHOIS
Querying domain registration data from a registrar uses which Transmission Control Protocol (TCP) port?
1. 43
2. 53
3. 80
4. 110
Answer: A — 43
Q23 · TACACS+
Which Authentication, Authorisation and Accounting (AAA) protocol encrypts the entire payload, not just the password, and uses port 49?
1. Remote Authentication Dial-In User Service (RADIUS)
2. Terminal Access Controller Access-Control System Plus (TACACS+)
3. Diameter
4. Kerberos
Answer: B — TACACS+
Q24 · DHCP Server
A Dynamic Host Configuration Protocol (DHCP) server listens for client requests on which port?
1. 67
2. 68
3. 53
4. 547
Answer: A — 67
Q25 · DHCP Client
A DHCP client receives offers and acknowledgements on which port?
1. 67
2. 68
3. 137
4. 547
Answer: B — 68
Q26 · Gopher
Which legacy menu protocol — port 70 — is still abused via Server-Side Request Forgery (SSRF) to reach internal Transmission Control Protocol (TCP) services?
1. Hypertext Transfer Protocol (HTTP)
2. Gopher
3. File Transfer Protocol (FTP)
4. Network News Transfer Protocol (NNTP)
Answer: B — Gopher
Q27 · Finger
Which legacy protocol leaks last login time and home directory of users on Unix systems?
1. Finger (port 79)
2. NetBIOS Name Service (port 137)
3. Identification Protocol (port 113)
4. Quote-of-the-Day (port 17)
Answer: A — Finger / 79
Q28 · SunRPC
On Linux, the Remote Procedure Call (RPC) endpoint mapper queried by rpcinfo listens on which port?
1. 111
2. 135
3. 139
4. 2049
Answer: A — 111
Q29 · NNTP
Network News Transfer Protocol (NNTP) — Usenet — defaults to which port?
1. 25
2. 119
3. 563
4. 110
Answer: B — 119
Q30 · NTP
Network Time Protocol (NTP) clock synchronisation uses which port?
1. 53
2. 123
3. 161
4. 514
Answer: B — 123
Q31 · MS-RPC
The Microsoft Distributed Component Object Model (DCOM) endpoint mapper listens on which port?
1. 111
2. 135
3. 137
4. 445
Answer: B — 135
Q32 · NetBIOS-NS
Responder poisons which User Datagram Protocol (UDP) port to harvest Net New Technology LAN Manager (NTLM) hashes via NetBIOS Name Service (NBT-NS) spoofing?
1. 137
2. 138
3. 139
4. 445
Answer: A — 137
Q33 · NetBIOS-DGM
NetBIOS Datagram Service uses which port?
1. 137
2. 138
3. 139
4. 445
Answer: B — 138
Q34 · NetBIOS-SSN
NetBIOS Session Service — legacy Server Message Block (SMB) before SMB-direct — listens on:
1. 137
2. 138
3. 139
4. 445
Answer: C — 139
Q35 · SNMP Trap
Unsolicited Simple Network Management Protocol (SNMP) trap notifications are received on which port?
1. 161
2. 162
3. 514
4. 520
Answer: B — 162
Q36 · BGP
Border Gateway Protocol (BGP) — exterior Internet routing — uses which Transmission Control Protocol (TCP) port?
1. 53
2. 179
3. 520
4. 8080
Answer: B — 179
Q37 · SMTPS
Implicit-Transport Layer Security (TLS) Simple Mail Transfer Protocol Secure (SMTPS) defaults to which port?
1. 25
2. 465
3. 587
4. 993
Answer: B — 465
Q38 · ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) for Internet Protocol Security (IPsec) Virtual Private Networks (VPNs) uses which port?
1. 443
2. 500
3. 1194
4. 1701
Answer: B — 500
Q39 · RTSP
Real Time Streaming Protocol (RTSP) — used by Internet Protocol (IP) cameras and Closed-Circuit Television (CCTV) systems — uses which port?
1. 554
2. 1723
3. 5060
4. 8080
Answer: A — 554
Q40 · IMAPS
Internet Message Access Protocol Secure (IMAPS) uses which port?
1. 143
2. 465
3. 993
4. 995
Answer: C — 993
Q41 · POP3S
Post Office Protocol version 3 Secure (POP3S) uses which port?
1. 110
2. 465
3. 993
4. 995
Answer: D — 995
Q42 · OpenVPN
OpenVPN defaults to User Datagram Protocol (UDP) on which port?
1. 500
2. 1194
3. 1701
4. 1723
Answer: B — 1194
Q43 · MS-SQL
Microsoft Structured Query Language (SQL) Server listens on which Transmission Control Protocol (TCP) port?
1. 1433
2. 1521
3. 3306
4. 5432
Answer: A — 1433
Q44 · Oracle
Oracle Database Listener / Transparent Network Substrate (TNS) listens on which port?
1. 1433
2. 1521
3. 3306
4. 5432
Answer: B — 1521
Q45 · L2TP
Layer 2 Tunneling Protocol (L2TP) — usually wrapped in Internet Protocol Security (IPsec) — uses which port?
1. 500
2. 1194
3. 1701
4. 1723
Answer: C — 1701
Q46 · PPTP
Point-to-Point Tunneling Protocol (PPTP), now deprecated for its broken Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAPv2), uses which port?
1. 500
2. 1194
3. 1701
4. 1723
Answer: D — 1723
Q47 · RADIUS
Remote Authentication Dial-In User Service (RADIUS) authentication uses which port?
1. 49
2. 1812
3. 1813
4. 514
Answer: B — 1812
Q48 · NFS
Network File System (NFS) — Unix-style remote file mounting — uses which port?
1. 111
2. 445
3. 2049
4. 3306
Answer: C — 2049
Q49 · PostgreSQL
PostgreSQL database server listens on which Transmission Control Protocol (TCP) port?
1. 1433
2. 1521
3. 3306
4. 5432
Answer: D — 5432
Q50 · HTTP-Alt
Apache Tomcat, Jenkins, and many web proxies default to which alternate Hypertext Transfer Protocol (HTTP) port?
1. 80
2. 443
3. 8080
4. 8443
Answer: C — 8080

Linux / Unix Commands

CPSA Domain F

Every Linux / Unix command and tested invocation drawn from the 135-question Unix Assessment domain of the CPSA question bank. Eight functional groups plus a closing files-of-interest set. Tight rows on purpose — the question after each table is the active-recall layer.

Group 1 — Viewing & searching files

#	Command	Use	Tested invocation	Memory hook
L1	ls	List directory contents and metadata.	`ls -la` · `ls -Z` (Security Enhanced Linux — SELinux — context)	"l-s = LiSt."
L2	cat	Concatenate and print files to standard output.	`cat /etc/passwd`	"cat = catalogue, type it out."
L3	head	Print the first lines of a file (default 10).	`head -n 20 file`	"Head = top of the page."
L4	tail	Print the last lines or follow a growing file.	`tail -f /var/log/auth.log`	"Tail = bottom; -f follows like a dog."
L5	less	Interactive file pager — page up / down, search.	`less /var/log/syslog`	"Less is more, with brakes."
L6	find	Walk the file-system and match files by criteria.	`find / -perm -4000 -type f 2>/dev/null` (Set User ID — SUID — hunt) · `find / -mmin -60`	"Find anything anywhere — slow but exhaustive."
L7	locate	Database-backed filename search — depends on a nightly `updatedb`.	`locate sshd_config`	"Locate = fast lookup, possibly stale."
L8	which	Show the full path of the binary that would run.	`which python3`	"Which one runs?"
L9	whereis	Show binary, source, and manual page locations.	`whereis nmap`	"Where is the whole kit?"
L10	stat	Display detailed file metadata — access / modify / change timestamps, inode, link count, mode.	`stat /etc/shadow`	"Stat = full statistics on a file."

L1 · ls
Which Linux command lists files including hidden entries with full permissions, owner, and size?
1. ls
2. ls -la
3. cat
4. find
Answer: B — ls -la
L2 · cat
Which command CONCATENATES files and prints them to standard output?
1. cat
2. head
3. more
4. ls
Answer: A — cat
L3 · head
Which command prints the first 20 lines of a file?
1. head -n 20 file
2. tail -n 20 file
3. less file
4. wc -l file
Answer: A — head -n 20 file
L4 · tail
To follow new lines as they are written to a log file in real time, use:
1. tail -f
2. cat -f
3. head -f
4. watch tail
Answer: A — tail -f
L5 · less
Which command opens a file in an interactive scrolling pager that supports search?
1. less
2. cat
3. head
4. find
Answer: A — less
L6 · find
Which command finds all files with the Set User ID (SUID) bit set under root, suppressing permission errors?
1. find / -perm -4000 -type f 2>/dev/null
2. locate suid
3. ls -la /
4. which suid
Answer: A — find / -perm -4000 -type f 2>/dev/null
L7 · locate
Which command queries a pre-built database for files by name?
1. find
2. locate
3. which
4. whereis
Answer: B — locate
L8 · which
Which command shows the full path of the executable that would run if you typed its name?
1. which
2. whereis
3. find
4. locate
Answer: A — which
L9 · whereis
Which command returns the binary, source code, AND manual page locations for a program?
1. which
2. whereis
3. find
4. locate
Answer: B — whereis
L10 · stat
Which command displays detailed metadata of a file — access, modify, and change timestamps plus inode and link count?
1. ls -la
2. stat
3. file
4. find
Answer: B — stat

Group 2 — Permissions, users & identity

#	Command	Use	Tested invocation	Memory hook
L11	chmod	Change file mode (permission) bits.	`chmod 755 file` · `chmod +s file` (set Set User ID / Set Group ID — SUID / SGID)	"ch-MODE."
L12	chown	Change owner (and optionally group) of a file.	`chown user:group file`	"ch-OWN — change OWNer."
L13	chgrp	Change group ownership only.	`chgrp staff file`	"ch-GRP — group only."
L14	sudo	Run a command as another user (default root) with logging.	`sudo -l` (list allowed) · `sudo su` (escalate)	"SuperUser DO."
L15	su	Switch user — drop into another account's shell.	`su -` (login shell)	"Switch User."
L16	passwd	Change a password.	`passwd` (self) · `passwd jdoe` (root only)	"PASSWD = change pwd."
L17	useradd	Create a local user account.	`useradd -m jdoe` (with home directory)	"User-ADD."
L18	id	Print effective User ID (UID), Group ID (GID), and group memberships.	`id` · `id jdoe`	"ID = identification badge."
L19	whoami	Print effective username only.	`whoami`	"Literally 'who am I?'"
L20	w	Show logged-in users with their terminal, login time, idle time, and load averages.	`w`	"w = who-and-what's-running."

L11 · chmod
Which command sets the Set User ID (SUID) bit on an executable?
1. chmod +s file
2. chown root file
3. chgrp root file
4. chmod 644 file
Answer: A — chmod +s file
L12 · chown
Which command changes both owner and group of a file in one invocation?
1. chmod user:group file
2. chown user:group file
3. chgrp user:group file
4. setfacl -m u:user file
Answer: B — chown user:group file
L13 · chgrp
Which command changes ONLY the group ownership of a file?
1. chmod
2. chown
3. chgrp
4. setgid
Answer: C — chgrp
L14 · sudo
Which command lists the privileges the current user is allowed to invoke via the sudoers policy?
1. sudo -l
2. sudo -v
3. id
4. cat /etc/sudoers
Answer: A — sudo -l
L15 · su
Which command launches a full login shell as the target user, loading their environment?
1. su -
2. sudo
3. login
4. chsh
Answer: A — su -
L16 · passwd
Which command changes the password of the user jdoe (root only)?
1. passwd jdoe
2. chpwd jdoe
3. useradd -p jdoe
4. su jdoe
Answer: A — passwd jdoe
L17 · useradd
Which command creates a new user account AND a home directory?
1. useradd -m jdoe
2. adduser -h jdoe
3. mkuser jdoe
4. usermod -m jdoe
Answer: A — useradd -m jdoe
L18 · id
Which command prints the current user's User ID (UID), Group ID (GID), and supplementary group memberships?
1. whoami
2. w
3. id
4. groups
Answer: C — id
L19 · whoami
Which command prints ONLY the effective username and nothing else?
1. id
2. whoami
3. w
4. logname
Answer: B — whoami
L20 · w
Which command shows logged-in users alongside their idle time, terminal, and current load averages?
1. w
2. last
3. who
4. users
Answer: A — w

Group 3 — Processes & priority

#	Command	Use	Tested invocation	Memory hook
L21	ps	Snapshot of running processes.	`ps aux` (Berkeley Software Distribution — BSD — syntax: All users, eXtended, no controlling Terminal — TTY)	"ps = Process Snapshot."
L22	top	Real-time interactive process and resource monitor.	`top`	"Top = busiest at the top."
L23	kill	Send a signal to a Process Identifier (PID).	`kill -9 PID` (SIGKILL — unblockable)	"Kill the PID; -9 = the nuke."
L24	killall	Send a signal to every process matching a name.	`killall firefox`	"Kill ALL by name."
L25	pkill	Pattern-match kill (regular expressions, by user, by terminal).	`pkill -KILL -u jdoe` (force-kill all of jdoe's processes)	"P-kill = pattern kill."
L26	nice	Start a command with a Central Processing Unit (CPU) niceness value (lower priority).	`nice -n 10 cmd`	"Nice = polite, low priority."
L27	renice	Change the niceness of a running process.	`renice 5 -p PID`	"RE-nice = update later."
L28	ionice	Set Input / Output (I/O) scheduling priority.	`ionice -c 3 cmd` (idle class)	"I-O nice for disk politeness."
L29	free	Display Random-Access Memory (RAM) and swap usage.	`free -h` (human-readable) · `free -m` (megabytes)	"Free memory snapshot."
L30	vmstat	Virtual Memory and system performance statistics over time.	`vmstat 1` (one-second interval) · `vmstat -s`	"VM-stat = Virtual Memory stats."

L21 · ps
Which Berkeley Software Distribution (BSD) syntax invocation of ps shows ALL processes from ALL users including those without a controlling terminal?
1. ps -ef
2. ps aux
3. ps -A
4. ps
Answer: B — ps aux
L22 · top
Which interactive command shows the busiest processes by Central Processing Unit (CPU) at the top of a live, refreshing screen?
1. htop
2. ps aux
3. top
4. vmstat 1
Answer: C — top
L23 · kill
Which signal number sent by kill is the unblockable, forceful termination (SIGKILL)?
1. 1
2. 9
3. 15
4. 19
Answer: B — 9
L24 · killall
Which command kills EVERY process whose name matches the supplied string?
1. kill
2. killall
3. pkill
4. xkill
Answer: B — killall
L25 · pkill
Which command terminates all of user jdoe's processes with SIGKILL?
1. killall -9 jdoe
2. pkill -KILL -u jdoe
3. kill -9 jdoe
4. userdel jdoe
Answer: B — pkill -KILL -u jdoe
L26 · nice
Which command starts a new process at lower-than-default Central Processing Unit (CPU) priority?
1. nice -n 10 cmd
2. renice 10 cmd
3. ionice -c 3 cmd
4. nohup cmd
Answer: A — nice -n 10 cmd
L27 · renice
Which command changes the niceness of an ALREADY running process?
1. nice
2. renice
3. ionice
4. chrt
Answer: B — renice
L28 · ionice
Which command sets the disk Input / Output (I/O) priority of a process to the idle class?
1. nice -c 3
2. ionice -c 3 cmd
3. renice -i
4. iostat -c 3
Answer: B — ionice -c 3 cmd
L29 · free
Which command displays Random-Access Memory (RAM) and swap usage in human-readable units?
1. free -h
2. top -h
3. vmstat -h
4. df -h
Answer: A — free -h
L30 · vmstat
Which command samples Virtual Memory and system performance statistics every one second?
1. top
2. vmstat 1
3. iostat 1
4. mpstat 1
Answer: B — vmstat 1

Group 4 — Hardware & kernel

#	Command	Use	Tested invocation	Memory hook
L31	uname	Print kernel name, version, hostname, architecture.	`uname -a` (all) · `uname -r` (kernel release)	"UN(ix)-NAME identification."
L32	uptime	Time since boot plus 1, 5, 15-minute load averages.	`uptime`	"Up-time + load averages."
L33	hostname	Display or set the system hostname (non-persistent unless saved).	`hostname` · `hostname new-host`	"Just the hostname."
L34	hostnamectl	Persistently set hostname via systemd.	`hostnamectl set-hostname web01`	"Hostname-ConTroL — systemd persistence."
L35	lsblk	List block devices (disks, partitions, mountpoints).	`lsblk`	"LS-BLocK."
L36	lshw	Detailed Hardware (HW) inventory.	`lshw` · `lshw -short`	"LS-HardWare."
L37	lsmod	List kernel modules currently loaded.	`lsmod`	"LS-MODules."
L38	lspci	Devices on the Peripheral Component Interconnect (PCI) bus.	`lspci` · `lspci -v`	"LS-PCI bus."
L39	lsusb	List Universal Serial Bus (USB) devices attached.	`lsusb`	"LS-USB."
L40	sensors	Display motherboard / Central Processing Unit (CPU) temperature, fan, voltage readings.	`sensors`	"Sensors = thermal/voltage."

L31 · uname
Which command prints all kernel information — name, hostname, release, architecture — in one line?
1. uname -a
2. uname -r
3. cat /proc/version
4. hostnamectl
Answer: A — uname -a
L32 · uptime
Which command shows time since boot plus 1, 5, and 15-minute load averages?
1. w
2. top
3. uptime
4. last reboot
Answer: C — uptime
L33 · hostname
Which command displays the system's current hostname without changing it persistently?
1. hostname
2. hostnamectl set-hostname
3. uname -n (also valid)
4. Both A and C
Answer: D — hostname and uname -n both display it; A is the conventional answer.
L34 · hostnamectl
Which command PERSISTENTLY sets the system hostname under systemd?
1. hostname web01
2. hostnamectl set-hostname web01
3. echo web01 > /etc/hostname
4. uname -n web01
Answer: B — hostnamectl set-hostname web01
L35 · lsblk
Which command lists block devices — disks, partitions, and their mount points — in a tree?
1. lsblk
2. fdisk -l
3. df -T
4. blkid
Answer: A — lsblk
L36 · lshw
Which command produces a detailed Hardware (HW) inventory of the host?
1. lspci
2. lsusb
3. lshw
4. dmidecode
Answer: C — lshw
L37 · lsmod
Which command lists kernel modules currently loaded into the running kernel?
1. lsmod
2. modprobe -l
3. lspci
4. dmesg
Answer: A — lsmod
L38 · lspci
Which command lists devices attached to the Peripheral Component Interconnect (PCI) bus?
1. lsusb
2. lspci
3. lsblk
4. lshw
Answer: B — lspci
L39 · lsusb
Which command lists Universal Serial Bus (USB) devices attached to the host?
1. lspci
2. lsusb
3. lsblk
4. lshw -class usb
Answer: B — lsusb
L40 · sensors
Which command displays motherboard and Central Processing Unit (CPU) temperature, fan-speed, and voltage readings (where supported)?
1. uptime
2. sensors
3. vmstat
4. iostat
Answer: B — sensors

Group 5 — Disks, filesystems & archives

#	Command	Use	Tested invocation	Memory hook
L41	df	Disk Free — usage per mounted filesystem.	`df -h` (human) · `df -T` (with type)	"Disk Free."
L42	du	Disk Usage — directory size summation.	`du -sh dir` (summary, human) · `du -h`	"Disk Usage."
L43	mount	Attach a filesystem; with no arguments, list current mounts.	`mount` (list) · `mount /dev/sdb1 /mnt`	"Mount it."
L44	umount	Detach a filesystem (note: ONE 'n').	`umount /mnt`	"U-MOUNT — one 'n', not 'unmount'."
L45	mkfs.ext4	Create (format) an ext4 filesystem.	`mkfs.ext4 /dev/sdb1`	"MaKe-FileSystem."
L46	fsck.ext4	FileSystem ChecK — verify and repair ext4.	`fsck.ext4 /dev/sdb1`	"FS-ChecK."
L47	mkdir	Create a directory; `-p` creates parents.	`mkdir -p path/to/dir`	"MaKe-DIRectory."
L48	tar	Tape ARchive — bundle files; combine with gzip / bzip2.	`tar -xzvf file.tar.gz` (extract) · `tar -czvf out.tar.gz dir` (create)	"x-tract or c-reate; z = gzip, v = verbose, f = file."
L49	gzip	Compress a single file using DEFLATE.	`gzip file` → `file.gz`	"GNU ZIP."
L50	gunzip / zcat	Decompress (`gunzip`) or read directly (`zcat`) without decompressing to disk.	`gunzip file.gz` · `zcat file.gz \| grep error`	"gun-ZIP undoes; z-cat reads in place."

L41 · df
Which command shows disk usage per mounted filesystem in human-readable units?
1. du -h
2. df -h
3. lsblk -h
4. free -h
Answer: B — df -h
L42 · du
Which command summarises the total size of a directory in human-readable units?
1. df -sh dir
2. du -sh dir
3. ls -sh dir
4. find dir -size
Answer: B — du -sh dir
L43 · mount
With NO arguments, what does mount do?
1. Errors out
2. Mounts all entries in /etc/fstab
3. Lists currently mounted filesystems
4. Displays the boot-time mount log
Answer: C — Lists currently mounted filesystems
L44 · umount
Which command detaches a mounted filesystem from /mnt?
1. unmount /mnt
2. umount /mnt
3. mount -u /mnt
4. detach /mnt
Answer: B — umount /mnt
L45 · mkfs.ext4
Which command formats /dev/sdb1 as an ext4 filesystem?
1. format /dev/sdb1
2. fsck.ext4 /dev/sdb1
3. mkfs.ext4 /dev/sdb1
4. mkdir /dev/sdb1
Answer: C — mkfs.ext4 /dev/sdb1
L46 · fsck.ext4
Which command checks and repairs an ext4 filesystem?
1. mkfs.ext4
2. fsck.ext4
3. e2fsck -m
4. chkdsk
Answer: B — fsck.ext4
L47 · mkdir
Which option to mkdir creates parent directories as needed?
1. -r
2. -p
3. -m
4. -a
Answer: B — -p
L48 · tar
Which invocation EXTRACTS a gzipped tape archive verbosely?
1. tar -czvf file.tar.gz
2. tar -xzvf file.tar.gz
3. tar -tvf file.tar.gz
4. tar -rvf file.tar.gz
Answer: B — tar -xzvf file.tar.gz
L49 · gzip
Which compression utility produces a .gz file using the DEFLATE algorithm?
1. bzip2
2. xz
3. gzip
4. compress
Answer: C — gzip
L50 · zcat
Which command reads a gzipped file's contents to standard output WITHOUT writing the decompressed file to disk?
1. gunzip
2. cat
3. zcat
4. tar -xz
Answer: C — zcat

Group 6 — Networking

#	Command	Use	Tested invocation	Memory hook
L51	ifconfig	Display / configure network interfaces (legacy, replaced by `ip`).	`ifconfig` · `ifconfig -a` (include inactive)	"InterFace-config."
L52	ip	Modern interface, address, route, and tunnel manager.	`ip a` (addresses) · `ip route show` (routing)	"`ip` = the new everything."
L53	route	Display / manipulate the kernel routing table (legacy).	`route -n` (numeric)	"Route table, no name lookups with `-n`."
L54	arp	Display / modify Address Resolution Protocol (ARP) cache.	`arp -a` · `arp -n`	"ARP cache."
L55	netstat	Network connections and listening sockets (legacy).	`netstat -tulpn` (TCP / UDP listening with PID, numeric)	"NETwork STATistics."
L56	ss	Socket Statistics — modern replacement for `netstat`.	`ss -tulnp` · `ss -lnt`	"SS = Socket Statistics."
L57	lsof	LiSt Open Files — including network sockets and process mappings.	`lsof -i` (network) · `lsof -p PID`	"LiSt-Open-Files (sockets count)."
L58	rpcinfo	Enumerate Remote Procedure Call (RPC) services on a host's portmapper (port 111).	`rpcinfo -p target`	"RPC info."
L59	nethogs	Show network bandwidth use per process in real time.	`nethogs`	"Which process is HOGGING the network?"
L60	dig	Domain Information Groper — query Domain Name System (DNS) servers.	`dig @8.8.8.8 example.com ANY` · `dig axfr @ns1 example.com`	"DIG = Domain Information Groper."

L51 · ifconfig
Which legacy command displays all configured network interfaces, including inactive ones?
1. ifconfig -a
2. ip a
3. route -n
4. netstat -i
Answer: A — ifconfig -a
L52 · ip
Which MODERN command displays the kernel routing table?
1. route -n
2. ifconfig
3. ip route show
4. netstat -r
Answer: C — ip route show
L53 · route
Which legacy command displays the routing table without resolving names?
1. route -n
2. route -a
3. ip n
4. arp -n
Answer: A — route -n
L54 · arp
Which command displays the local Address Resolution Protocol (ARP) cache?
1. arp -a
2. ip route
3. ifconfig
4. netstat -an
Answer: A — arp -a
L55 · netstat
Which netstat invocation shows all listening Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets with their owning Process Identifiers (PIDs), in numeric form?
1. netstat -an
2. netstat -tulpn
3. netstat -r
4. netstat -i
Answer: B — netstat -tulpn
L56 · ss
Which modern command replaces netstat for socket statistics?
1. lsof
2. ss
3. tcpdump
4. iproute
Answer: B — ss
L57 · lsof
Which command lists every open network connection with the process that owns it?
1. lsof -i
2. ps -ef
3. ls /proc
4. fuser
Answer: A — lsof -i
L58 · rpcinfo
Which command enumerates Remote Procedure Call (RPC) services registered with a host's portmapper?
1. rpcclient
2. rpcinfo -p target
3. nmap --script rpc-grind
4. showmount -e
Answer: B — rpcinfo -p target
L59 · nethogs
Which command identifies which PROCESS is consuming the most network bandwidth in real time?
1. iftop
2. nethogs
3. tcpdump
4. top
Answer: B — nethogs
L60 · dig
Which command attempts a Domain Name System (DNS) zone transfer (Asynchronous Full Transfer Zone — AXFR) against a name server?
1. dig axfr @ns1 example.com
2. nslookup -type=axfr example.com
3. host -t any example.com
4. whois example.com
Answer: A — dig axfr @ns1 example.com

Group 7 — Logs, audit & monitoring

#	Command	Use	Tested invocation	Memory hook
L61	last	Display recent SUCCESSFUL logins from `/var/log/wtmp`.	`last` · `last -F`	"LAST few logins."
L62	lastb	Display FAILED logins from `/var/log/btmp`.	`lastb`	"LAST-Bad."
L63	dmesg	Print the kernel ring buffer — boot and hardware events.	`dmesg` · `dmesg -T` (timestamps)	"Display kernel MESsaGes."
L64	journalctl	Query the systemd journal — unified log store.	`journalctl -f` (follow) · `journalctl -u sshd` (per-unit)	"JOURNAL-ConTroL — systemd's logbook."
L65	iostat	Disk Input / Output (I/O) and Central Processing Unit (CPU) utilisation statistics.	`iostat` · `iostat -x`	"I-O STATistics."
L66	mpstat	Per-Central Processing Unit (CPU) statistics.	`mpstat -P ALL`	"Multi-Processor STATistics."
L67	nproc	Print the number of available Central Processing Unit (CPU) cores / threads.	`nproc`	"Number of PROCessors."
L68	inotifywait	Block until a filesystem event occurs (Linux Kernel notify subsystem).	`inotifywait -m /etc/passwd`	"INOTIFY-WAIT for changes."
L69	timedatectl	Query / set system time and timezone via systemd.	`timedatectl` · `timedatectl set-timezone Europe/London`	"TIME-DATE-ConTroL."
L70	tzselect	Interactively pick a timezone identifier.	`tzselect`	"TimeZone-SELECT."

L61 · last
Which command lists recent SUCCESSFUL user logins?
1. last
2. lastb
3. w
4. who
Answer: A — last
L62 · lastb
Which command lists FAILED login attempts from /var/log/btmp?
1. last
2. lastb
3. last -f
4. journalctl -u sshd
Answer: B — lastb
L63 · dmesg
Which command prints the kernel ring buffer — boot and hardware events?
1. dmesg
2. journalctl -k
3. Both A and B
4. uname -a
Answer: C — both dmesg and journalctl -k read kernel messages; dmesg is the conventional answer.
L64 · journalctl
Which command follows the systemd journal entries for the sshd unit in real time?
1. tail -f /var/log/sshd
2. journalctl -fu sshd
3. systemctl status sshd
4. dmesg -f
Answer: B — journalctl -fu sshd
L65 · iostat
Which command reports disk Input / Output (I/O) and Central Processing Unit (CPU) utilisation statistics together?
1. vmstat
2. iostat
3. mpstat
4. top
Answer: B — iostat
L66 · mpstat
Which command reports statistics PER Central Processing Unit (CPU) core?
1. mpstat -P ALL
2. iostat -c
3. top -1
4. vmstat 1
Answer: A — mpstat -P ALL
L67 · nproc
Which command prints just the number of available Central Processing Unit (CPU) cores?
1. nproc
2. lscpu
3. cat /proc/cpuinfo
4. uname -p
Answer: A — nproc
L68 · inotifywait
Which command blocks until a file or directory is modified, accessed, or moved?
1. watch
2. inotifywait
3. auditctl
4. strace
Answer: B — inotifywait
L69 · timedatectl
Which command queries and sets the system clock and timezone via systemd?
1. date
2. hwclock
3. timedatectl
4. ntpdate
Answer: C — timedatectl
L70 · tzselect
Which command interactively walks the user through choosing a timezone identifier?
1. tzselect
2. tz
3. timedatectl set-timezone
4. tzdata
Answer: A — tzselect

Group 8 — Services, scheduling & security

#	Command	Use	Tested invocation	Memory hook
L71	systemctl	Manage systemd units (services, sockets, timers).	`systemctl status sshd` · `systemctl --failed` · `systemctl list-unit-files`	"SYSTEM-ConTroL — systemd's master."
L72	service	Legacy SysV-init wrapper (still works on systemd).	`service ssh start` · `service --status-all`	"Service — old way."
L73	cron	Daemon that runs scheduled jobs at fixed times.	(daemon, configured via crontabs)	"Cron = chrono = time."
L74	crontab	Edit / list a user's cron schedule.	`crontab -e` (edit) · `crontab -l` (list) · `crontab -u user -l`	"Cron-TABle."
L75	modprobe	Load / unload kernel modules with dependency resolution.	`modprobe module` · `modprobe -r module` (unload)	"MODule-PROBE."
L76	getenforce	Show current Security Enhanced Linux (SELinux) mode.	`getenforce` (Enforcing / Permissive / Disabled)	"GET-ENFORCEment."
L77	getsebool	Display Security Enhanced Linux (SELinux) boolean toggles.	`getsebool -a`	"GET SELinux BOOLeans."
L78	iptables	Legacy in-kernel packet filter (Netfilter front end).	`iptables -L -n -v` · `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`	"IP TABLES — packet chains."
L79	nft	nftables — modern Netfilter front end replacing iptables.	`nft list ruleset`	"`nft` = next-gen iptables."
L80	pwd	Print the current working directory.	`pwd`	"Print Working Directory."

L71 · systemctl
Which command lists ALL failed systemd units?
1. systemctl --failed
2. systemctl status
3. service --status-all
4. journalctl -p err
Answer: A — systemctl --failed
L72 · service
Which legacy command shows the status of every System V (SysV) init service in one table?
1. systemctl status
2. service --status-all
3. chkconfig --list
4. initctl list
Answer: B — service --status-all
L73 · cron
Which daemon runs scheduled jobs at fixed times specified in user crontabs?
1. at
2. cron
3. systemd-timer
4. anacron
Answer: B — cron
L74 · crontab
Which command opens the current user's cron schedule for editing?
1. cron -e
2. crontab -e
3. crond -e
4. edit /etc/crontab
Answer: B — crontab -e
L75 · modprobe
Which command UNLOADS a kernel module by name, resolving dependencies?
1. rmmod module
2. modprobe -r module
3. insmod -r module
4. lsmod -d module
Answer: B — modprobe -r module
L76 · getenforce
Which command reports whether Security Enhanced Linux (SELinux) is in Enforcing, Permissive, or Disabled mode?
1. getenforce
2. sestatus -e
3. setenforce
4. aa-status
Answer: A — getenforce
L77 · getsebool
Which command lists ALL Security Enhanced Linux (SELinux) boolean toggles and their current values?
1. setsebool -a
2. getsebool -a
3. sestatus
4. seinfo -b
Answer: B — getsebool -a
L78 · iptables
Which command lists the legacy iptables firewall ruleset numerically with packet / byte counters?
1. iptables -L -n -v
2. iptables -S
3. nft list ruleset
4. ufw status verbose
Answer: A — iptables -L -n -v
L79 · nft
Which command lists the entire active nftables ruleset in a single block?
1. nft -L
2. nft list ruleset
3. iptables -nL
4. nftables-status
Answer: B — nft list ruleset
L80 · pwd
Which command prints the absolute path of the current working directory?
1. cd
2. pwd
3. ls -d
4. echo $HOME
Answer: B — pwd

Group 9 — Critical files & paths

#	Path	Use	Notes	Memory hook
L81	`/etc/passwd`	Local user account database — username, User ID (UID), Group ID (GID), home directory, login shell.	World-readable. No password material — that lives in `/etc/shadow`.	"PASSwd = WHO, not WHAT."
L82	`/etc/shadow`	Hashed user passwords (and aging metadata).	Root-readable only. The crackable file in any Linux engagement.	"Shadow = the hashes."
L83	`/etc/sudoers`	Defines which users may run which commands as which other users.	Edit ONLY via `visudo` — syntax errors lock everyone out.	"Sudoers = the priv-list."
L84	`/etc/fstab`	FileSystem TABle — mounts applied at boot.	Misconfigurations can render the system unbootable.	"f-stab = filesystem table at boot."
L85	`/var/log/auth.log`	Authentication events — Secure Shell (SSH), `sudo`, login failures (Debian / Ubuntu).	Equivalent on Red Hat: `/var/log/secure`.	"AUTH log = who tried what."
L86	`/var/log/syslog`	General-purpose system log — kernel and daemon messages (Debian / Ubuntu).	Equivalent on Red Hat: `/var/log/messages`.	"Syslog = catch-all."
L87	`/var/log/btmp`	Binary log of failed login attempts.	Read with `lastb`, not `cat` — binary format.	"B-tmp = Bad-tmp."
L88	`/proc/cpuinfo`	Pseudo-file describing the Central Processing Unit (CPU) — vendor, model, flags, cores.	Used by `nproc`, `lscpu`, and many tools.	"`/proc` = process / kernel info pseudo-FS."

L81 · /etc/passwd
Which file lists every local user with their User ID (UID), Group ID (GID), home directory, and login shell — WITHOUT password hashes?
1. /etc/passwd
2. /etc/shadow
3. /etc/group
4. /etc/sudoers
Answer: A — /etc/passwd
L82 · /etc/shadow
Which file stores the hashed user passwords on a modern Linux system?
1. /etc/passwd
2. /etc/shadow
3. /etc/security
4. /etc/login.defs
Answer: B — /etc/shadow
L83 · /etc/sudoers
Which command should ALWAYS be used to safely edit the /etc/sudoers file?
1. vi /etc/sudoers
2. visudo
3. nano /etc/sudoers
4. sudoedit /etc/sudoers
Answer: B — visudo
L84 · /etc/fstab
Which file defines the filesystems automatically mounted at boot?
1. /etc/fstab
2. /etc/mtab
3. /proc/mounts
4. /etc/init.d/mounts
Answer: A — /etc/fstab
L85 · /var/log/auth.log
On a Debian / Ubuntu host, which log records Secure Shell (SSH) authentication events and sudo usage?
1. /var/log/auth.log
2. /var/log/secure
3. /var/log/syslog
4. /var/log/messages
Answer: A — /var/log/auth.log (Red Hat-family equivalent is /var/log/secure)
L86 · /var/log/syslog
On Debian / Ubuntu, which file is the general-purpose catch-all log for kernel and daemon messages?
1. /var/log/auth.log
2. /var/log/syslog
3. /var/log/dmesg
4. /var/log/kern.log
Answer: B — /var/log/syslog
L87 · /var/log/btmp
Which command reads the binary /var/log/btmp file to display failed login attempts?
1. last
2. lastb
3. cat
4. tail
Answer: B — lastb
L88 · /proc/cpuinfo
Which pseudo-file exposes Central Processing Unit (CPU) vendor, model, cores, and feature flags?
1. /proc/cpuinfo
2. /sys/devices/cpu
3. /dev/cpu
4. /etc/cpuinfo
Answer: A — /proc/cpuinfo

Windows Commands

CPSA Domain E

Every Windows command, PowerShell cmdlet, Sysinternals tool, and offensive utility that appears in the 129-question Windows Assessment domain. Nine groups, including a closing files / hives / paths set. Pay extra attention to the /switch variants of whoami, ipconfig, net user, and wmic — the bank tests these specifically.

Group 1 — Identity & user enumeration

#	Command	Use	Tested invocation	Memory hook
W1	whoami	Print current user context (DOMAIN\username).	`whoami`	"Literally 'who am I?'"
W2	whoami /user	Show current user with Security Identifier (SID).	`whoami /user`	"`/user` = my SID badge."
W3	whoami /groups	Show all group memberships (with SIDs and attributes).	`whoami /groups`	"`/groups` = my clubs."
W4	net user	List local user accounts.	`net user` · `net user jdoe`	"NET user — local."
W5	net user /domain	List domain user accounts (queries the Domain Controller).	`net user /domain` · `net user jdoe /domain`	"`/domain` = ask the Domain Controller."
W6	net localgroup	List local groups (Administrators, Users, etc.).	`net localgroup` · `net localgroup Administrators`	"Local groups, on this box only."
W7	net group /domain	List domain groups (Domain Admins, etc.).	`net group "Domain Admins" /domain`	"Group + `/domain` = AD groups."
W8	dsquery user	Active Directory (AD) user enumeration via Directory Service Query.	`dsquery user -limit 0`	"DS-query = Directory Service query."
W9	Get-ADUser	PowerShell cmdlet for AD user retrieval (Remote Server Administration Tools — RSAT — required).	`Get-ADUser -Filter *`	"Get the AD User."
W10	Get-LocalUser	PowerShell cmdlet for local user accounts.	`Get-LocalUser`	"Get the Local User (modern `net user`)."

W1 · whoami
Which command prints the current user context as DOMAIN\\username?
1. whoami
2. echo %USERNAME%
3. net user
4. id
Answer: A — whoami
W2 · whoami /user
Which command prints the current user's name AND Security Identifier (SID)?
1. whoami /priv
2. whoami /user
3. whoami /sid
4. net user /sid
Answer: B — whoami /user
W3 · whoami /groups
Which command lists every group the current token is a member of, with Security Identifiers (SIDs) and attributes?
1. net user %USERNAME%
2. whoami /groups
3. net localgroup
4. gpresult /r
Answer: B — whoami /groups
W4 · net user
Which command lists every LOCAL user on the host?
1. net user
2. net user /domain
3. dsquery user
4. Get-ADUser
Answer: A — net user
W5 · net user /domain
Which command queries the DOMAIN Controller for the list of domain user accounts?
1. net user
2. net user /domain
3. net localgroup /domain
4. net domain users
Answer: B — net user /domain
W6 · net localgroup
Which command lists the members of the local Administrators group?
1. net group Administrators
2. net localgroup Administrators
3. whoami /groups
4. net user Administrators
Answer: B — net localgroup Administrators
W7 · net group /domain
Which command lists the membership of the Domain Admins group?
1. net localgroup "Domain Admins"
2. net group "Domain Admins" /domain
3. dsquery group "Domain Admins"
4. whoami /groups
Answer: B — net group "Domain Admins" /domain
W8 · dsquery user
Which command enumerates ALL Active Directory (AD) user accounts via the Directory Service Query tool with no result-count cap?
1. dsquery user
2. dsquery user -limit 0
3. net user /domain
4. dsget user *
Answer: B — dsquery user -limit 0
W9 · Get-ADUser
Which PowerShell cmdlet retrieves Active Directory (AD) user objects?
1. Get-User
2. Get-LocalUser
3. Get-ADUser
4. Find-ADUser
Answer: C — Get-ADUser
W10 · Get-LocalUser
Which PowerShell cmdlet lists LOCAL user accounts on the host?
1. Get-User
2. Get-LocalUser
3. Get-ADUser
4. Get-WmiObject Win32_UserAccount
Answer: B — Get-LocalUser

Group 2 — System info & policy

#	Command	Use	Tested invocation	Memory hook
W11	systeminfo	Detailed Operating System (OS) info — version, Basic Input / Output System (BIOS), domain, hotfixes.	`systeminfo`	"SYSTEM-INFO."
W12	hostname	Print the local computer name.	`hostname`	"Just the hostname."
W13	ipconfig	Network interface configuration display / management.	`ipconfig` · `ipconfig /all`	"IP CONFIG."
W14	set	Display all environment variables for the current shell.	`set`	"SET = print env."
W15	wmic process list brief	List running processes via Windows Management Instrumentation Command-line (WMIC).	`wmic process list brief` · `wmic process list full`	"WMI Command-line process snapshot."
W16	wmic qfe list	List installed hotfixes / patches (Quick Fix Engineering).	`wmic qfe list`	"QFE = Quick Fix Engineering = patches."
W17	gpresult /r	Show Resultant Set of Policy (RSoP) for the current user — applied Group Policy Objects.	`gpresult /r`	"Group-Policy RESULT."
W18	gpresult /scope:user /v	VERBOSE Group Policy report scoped to the current user.	`gpresult /scope:user /v`	"`/v` = verbose; `/scope:user` = my policies."
W19	gpupdate /force	Force re-application of all Group Policy Objects (GPOs) immediately.	`gpupdate /force`	"Force-update GP."
W20	wmic csproduct get UUID	Read the system Universally Unique Identifier (UUID) from Computer System product info.	`wmic csproduct get UUID`	"CSproduct UUID = hardware ID."

W11 · systeminfo
Which command displays Operating System (OS) version, Basic Input / Output System (BIOS), domain membership, and ALL installed hotfixes in one report?
1. systeminfo
2. winver
3. ver
4. msinfo32
Answer: A — systeminfo
W12 · hostname
Which command simply prints the local computer name?
1. hostname
2. echo %COMPUTERNAME%
3. systeminfo | findstr Host
4. All of the above
Answer: D — all three return the hostname; A is the canonical answer.
W13 · ipconfig /all
Which command displays detailed network interface info, including Media Access Control (MAC) addresses and Dynamic Host Configuration Protocol (DHCP) lease times?
1. ipconfig
2. ipconfig /all
3. ipconfig /allcompartments
4. netsh interface show
Answer: B — ipconfig /all
W14 · set
Which Command Prompt command prints all environment variables in the current shell?
1. set
2. env
3. env -all
4. printenv
Answer: A — set
W15 · wmic process
Which Windows Management Instrumentation Command-line (WMIC) invocation lists all running processes briefly?
1. wmic process list brief
2. tasklist /v
3. Get-Process
4. wmic process list status
Answer: A — wmic process list brief
W16 · wmic qfe
Which command lists all installed Quick Fix Engineering (QFE) hotfixes / patches?
1. wmic qfe list
2. systeminfo (also lists them)
3. Get-HotFix
4. All of the above
Answer: D — all three return hotfixes; wmic qfe list is the canonical answer.
W17 · gpresult /r
Which command produces a Resultant Set of Policy (RSoP) report showing all applied Group Policy Objects (GPOs) for the current user?
1. gpresult /r
2. gpupdate /force
3. rsop.msc
4. secedit /analyze
Answer: A — gpresult /r
W18 · gpresult /scope:user /v
Which command produces a VERBOSE Group Policy report restricted to the user scope?
1. gpresult /v
2. gpresult /scope:user /v
3. gpresult /scope:computer /v
4. gpresult /h report.html
Answer: B — gpresult /scope:user /v
W19 · gpupdate /force
Which command forces immediate re-application of all Group Policy Objects (GPOs), ignoring caches?
1. gpupdate
2. gpupdate /force
3. gpresult /force
4. secedit /refreshpolicy
Answer: B — gpupdate /force
W20 · wmic csproduct
Which command reads the system Universally Unique Identifier (UUID) from the Computer System product info?
1. wmic csproduct get UUID
2. systeminfo | findstr UUID
3. wmic bios get UUID
4. echo %UUID%
Answer: A — wmic csproduct get UUID

Group 3 — Network & Domain Name System

#	Command	Use	Tested invocation	Memory hook
W21	arp -a	Display the local Address Resolution Protocol (ARP) cache.	`arp -a`	"ARP, all entries."
W22	route print	Display the Internet Protocol (IP) routing table.	`route print`	"Route → print to screen."
W23	netstat -ano	List All connections and listening ports, Numeric, with Owning Process Identifier (PID).	`netstat -ano` · `netstat -anob` (with binary)	"A-N-O = All-Numeric-Owner."
W24	nslookup	Domain Name System (DNS) lookup tool.	`nslookup target.com` · `nslookup -type=any target.com`	"Name Server LOOKUP."
W25	ipconfig /flushdns	Clear the local DNS resolver cache.	`ipconfig /flushdns`	"FLUSH the DNS cache."
W26	ipconfig /displaydns	Show entries currently held in the local DNS resolver cache.	`ipconfig /displaydns`	"DISPLAY the DNS cache."
W27	ipconfig /release	Release the current Dynamic Host Configuration Protocol (DHCP) lease.	`ipconfig /release`	"RELEASE the lease."
W28	ipconfig /registerdns	Re-register the host's records with its DNS server.	`ipconfig /registerdns`	"REGISTER with DNS."
W29	netsh advfirewall	Configure / inspect the Windows Defender Firewall.	`netsh advfirewall firewall show rule name=all` · `netsh advfirewall set allprofiles state off`	"NET-SHell, advanced firewall."
W30	nbtscan	Scan a range for NetBIOS over Transmission Control Protocol / Internet Protocol (NBT) responders — names, Media Access Control (MAC) addresses.	`nbtscan 10.0.0.0/24`	"NBT-SCAN."

W21 · arp -a
Which Windows command displays all entries in the local Address Resolution Protocol (ARP) cache?
1. arp -a
2. arp -e
3. netstat -r
4. ipconfig /all
Answer: A — arp -a
W22 · route print
Which Windows command displays the routing table?
1. route -n
2. route print
3. netstat -r
4. Both B and C
Answer: D — both route print and netstat -r show the table; B is the canonical answer.
W23 · netstat -ano
Which Windows invocation of netstat lists all connections, numerically, with the owning Process Identifier (PID)?
1. netstat -an
2. netstat -ano
3. netstat -b
4. netstat -tulpn
Answer: B — netstat -ano
W24 · nslookup
Which built-in Windows tool performs Domain Name System (DNS) record lookups?
1. nslookup
2. dig
3. host
4. resolve
Answer: A — nslookup
W25 · ipconfig /flushdns
Which command clears the local Domain Name System (DNS) resolver cache?
1. ipconfig /flushdns
2. ipconfig /release
3. ipconfig /registerdns
4. net stop dnscache
Answer: A — ipconfig /flushdns
W26 · ipconfig /displaydns
Which command shows the entries currently held in the local Domain Name System (DNS) resolver cache?
1. ipconfig /displaydns
2. ipconfig /flushdns
3. nslookup
4. Get-DnsClientCache
Answer: A — ipconfig /displaydns
W27 · ipconfig /release
Which command releases the current Dynamic Host Configuration Protocol (DHCP) lease on all interfaces?
1. ipconfig /release
2. ipconfig /renew
3. ipconfig /flushdns
4. net stop dhcp
Answer: A — ipconfig /release
W28 · ipconfig /registerdns
Which command forces re-registration of the host's records with its Domain Name System (DNS) server?
1. ipconfig /registerdns
2. ipconfig /flushdns
3. net dns register
4. nltest /dsregdns
Answer: A — ipconfig /registerdns
W29 · netsh advfirewall
Which command displays every rule in the Windows Defender Firewall?
1. netsh advfirewall firewall show rule name=all
2. netsh firewall show all
3. Get-NetFirewallRule
4. Both A and C
Answer: D — both work; A is the canonical Command Prompt answer.
W30 · nbtscan
Which tool scans a network range for NetBIOS-over-Transmission Control Protocol / Internet Protocol (NBT) responders, showing names and Media Access Control (MAC) addresses?
1. nbtscan
2. nmap -sN
3. net view
4. arp-scan
Answer: A — nbtscan

Group 4 — Sessions, shares & services

#	Command	Use	Tested invocation	Memory hook
W31	net share	List local shares OR create / delete one.	`net share` · `net share Z=C:\folder`	"My shares."
W32	net use	Map a drive letter to a remote share or null-session a target.	`net use Z: \\server\share` · `net use \\target\IPC$ "" /u:""` (null session)	"USE a share as a drive."
W33	net view	List shares published by a remote host.	`net view \\target` · `net view /domain`	"VIEW their shares."
W34	net session	List inbound Server Message Block (SMB) sessions to this host (admin only).	`net session`	"Sessions ON me."
W35	tasklist	List running processes.	`tasklist` · `tasklist /v` (verbose) · `tasklist /svc`	"TASK LIST."
W36	taskkill	Terminate a process by Process Identifier (PID) or name.	`taskkill /PID 1234 /F` · `taskkill /IM notepad.exe /F`	"TASK KILL — `/F` = force."
W37	sc query	Enumerate Windows services via the Service Control manager.	`sc query` · `sc query type= service state= all`	"SC = Service Control."
W38	sc stop	Stop a running Windows service.	`sc stop ServiceName`	"SC stop = service halt."
W39	schtasks /query	List scheduled tasks (modern replacement for `at`).	`schtasks /query /fo LIST /v`	"SCH-TASKS query."
W40	driverquery	List installed device drivers and modules.	`driverquery` · `driverquery /v`	"DRIVER QUERY."

W31 · net share
Which command lists every share published by the local host?
1. net share
2. net view
3. net use
4. smbclient -L localhost
Answer: A — net share
W32 · net use
Which command opens a Server Message Block (SMB) NULL session against the Inter-Process Communication (IPC$) share of a remote host?
1. net use \\target\IPC$ "" /u:""
2. net session \\target
3. net view \\target
4. net share \\target\IPC$
Answer: A — net use \\target\IPC$ "" /u:""
W33 · net view
Which command lists the shares published by a REMOTE host?
1. net share \\target
2. net view \\target
3. net use \\target
4. nbtstat -a target
Answer: B — net view \\target
W34 · net session
Which command lists inbound Server Message Block (SMB) sessions to the local host (administrator privilege required)?
1. net session
2. net use
3. net share
4. quser
Answer: A — net session
W35 · tasklist /v
Which Windows command lists all running processes WITH window title and user context?
1. tasklist
2. tasklist /v
3. tasklist /svc
4. wmic process
Answer: B — tasklist /v
W36 · taskkill
Which command forcefully terminates Process Identifier (PID) 1234?
1. kill 1234
2. taskkill /PID 1234 /F
3. tskill 1234 /F
4. net stop 1234
Answer: B — taskkill /PID 1234 /F
W37 · sc query
Which command enumerates installed Windows services via the Service Control manager?
1. net start
2. sc query
3. tasklist /svc
4. Get-Service
Answer: B — sc query
W38 · sc stop
Which command stops a running Windows service named Spooler?
1. sc stop Spooler
2. net stop Spooler
3. Stop-Service Spooler
4. All of the above
Answer: D — all three stop the service; A is the canonical Service Control answer.
W39 · schtasks /query
Which command lists all scheduled tasks on the local host in verbose list format?
1. at
2. schtasks /query /fo LIST /v
3. Get-ScheduledTask
4. tasklist /svc
Answer: B — schtasks /query /fo LIST /v
W40 · driverquery
Which command lists every installed device driver on the host?
1. driverquery
2. sc query type= driver
3. Both A and B
4. tasklist /m
Answer: C — both list drivers; A is the canonical answer.

Group 5 — Files, registry & policy

#	Command	Use	Tested invocation	Memory hook
W41	dir	List directory contents (Command Prompt equivalent of `ls`).	`dir` · `dir /a /s` (all, recursive)	"DIRectory."
W42	type	Display file contents (cmd equivalent of `cat`).	`type C:\file.txt`	"TYPE the file out."
W43	copy	Copy a file.	`copy src.txt dst.txt`	"COPY."
W44	del	Delete a file (cmd equivalent of `rm`).	`del file.txt` · `del /q /s *`	"DELete."
W45	reg query	Read a registry key or value.	`reg query HKLM\Software` · `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`	"REGistry QUERY."
W46	reg.exe (save)	Save a registry hive offline — used to dump the Security Account Manager (SAM) hive for cracking.	`reg save HKLM\SAM sam.hive` · `reg save HKLM\SYSTEM system.hive`	"REG save = grab the hive."
W47	ldp.exe	Built-in graphical Lightweight Directory Access Protocol (LDAP) / LDAP over Secure Sockets Layer (LDAPS) probe.	`ldp.exe` (open, Connection → Connect)	"LDP = LDAP Probe."
W48	netdom query fsmo	Show Flexible Single Master Operation (FSMO) role holders for the domain.	`netdom query fsmo`	"Net-Dom: who holds FSMO?"
W49	netdom query trust	List Active Directory (AD) trust relationships.	`netdom query trust` · `netdom trust /d:domain`	"Net-Dom: who do we trust?"
W50	secedit /export	Export the local Security Policy to an Initialization (INF) file.	`secedit /export /cfg out.inf`	"Security EDIT export."

W41 · dir
Which Command Prompt command lists files and directories?
1. ls
2. dir
3. list
4. show
Answer: B — dir
W42 · type
Which Command Prompt command prints a file's contents to the console — the Windows equivalent of Linux cat?
1. print
2. type
3. cat
4. echo
Answer: B — type
W43 · copy
Which Command Prompt command copies a file from a source to a destination?
1. cp
2. copy
3. xcopy (also valid)
4. Both B and C
Answer: D — copy and xcopy both work; B is the canonical answer.
W44 · del
Which Command Prompt command deletes a file?
1. rm
2. del
3. erase (alias)
4. Both B and C
Answer: D — del and erase are aliases; B is the canonical answer.
W45 · reg query
Which command queries the Registry for keys or values under HKEY_LOCAL_MACHINE\SOFTWARE?
1. reg query HKLM\Software
2. regedit /q HKLM\Software
3. regquery HKLM\Software
4. Get-Registry HKLM\Software
Answer: A — reg query HKLM\Software
W46 · reg save
Which command saves the Security Account Manager (SAM) registry hive offline for later password-hash extraction?
1. reg save HKLM\SAM sam.hive
2. reg export HKLM\SAM sam.reg
3. reg copy HKLM\SAM sam
4. copy C:\Windows\System32\config\SAM . (locked while online)
Answer: A — reg save HKLM\SAM sam.hive
W47 · ldp.exe
Which BUILT-IN Windows tool is a graphical Lightweight Directory Access Protocol (LDAP) client useful for verifying LDAP / LDAP over Secure Sockets Layer (LDAPS) connectivity and enumerating Active Directory (AD)?
1. ldap.exe
2. ldp.exe
3. adsiedit.msc
4. dsa.msc
Answer: B — ldp.exe
W48 · netdom query fsmo
Which command identifies the five Flexible Single Master Operation (FSMO) role holders in an Active Directory (AD) forest?
1. netdom query fsmo
2. net group "FSMO"
3. dcdiag /test:FSMO
4. repadmin /showfsmo
Answer: A — netdom query fsmo
W49 · netdom query trust
Which command enumerates the trust relationships of the current Active Directory (AD) domain?
1. netdom query trust
2. nltest /domain_trusts (also valid)
3. dsquery * "CN=System,DC=...,DC=..."
4. Both A and B
Answer: D — both work; A is the canonical answer.
W50 · secedit /export
Which command exports the local Security Policy to an Initialization (INF) file for review?
1. secedit /export /cfg out.inf
2. gpresult /h out.html
3. secpol.msc /export
4. net accounts /export
Answer: A — secedit /export /cfg out.inf

Group 6 — PowerShell & Kerberos client

#	Command	Use	Tested invocation	Memory hook
W51	Get-Process	Enumerate running processes.	`Get-Process` · `Get-Process \| Where-Object Path`	"Get-Process — modern `tasklist`."
W52	Get-Service	List services and their states.	`Get-Service` · `Get-Service \| ? Status -eq Running`	"Get-Service — modern `sc query`."
W53	Get-EventLog	Read entries from the legacy event-log API.	`Get-EventLog -LogName Security -Newest 50`	"Get-EventLog (modern equivalent: `Get-WinEvent`)."
W54	Get-CimInstance	Query system info via Common Information Model (CIM) — successor to legacy WMI cmdlets.	`Get-CimInstance Win32_OperatingSystem`	"CIM = modern WMI."
W55	Get-WmiObject	Legacy Windows Management Instrumentation (WMI) query cmdlet.	`Get-WmiObject Win32_BIOS`	"Get-WMI-Object — legacy."
W56	Get-ChildItem	List items in a path (filesystem, registry, certificate store).	`Get-ChildItem C:\` · alias `gci`, `dir`, `ls`	"Get-ChildItem (works on registry too!)."
W57	Enter-PSSession	Open an INTERACTIVE PowerShell remoting session over Windows Remote Management (WinRM).	`Enter-PSSession -ComputerName target`	"ENTER a remote shell."
W58	Invoke-Command	Run a script block against one or many remote hosts via WinRM.	`Invoke-Command -ComputerName target -ScriptBlock { Get-Process }`	"INVOKE a command remotely."
W59	Set-ExecutionPolicy	Configure PowerShell script execution policy.	`Set-ExecutionPolicy Bypass -Scope Process` (in-memory only — common offensive technique)	"Set-ExecutionPolicy Bypass -Scope Process = in-memory bypass."
W60	klist	Display cached Kerberos tickets and Ticket-Granting Tickets (TGTs).	`klist` · `klist purge`	"Kerberos LIST."

W51 · Get-Process
Which PowerShell cmdlet lists running processes?
1. Get-Process
2. ps (alias)
3. gps (alias)
4. All of the above
Answer: D — all three are aliases for the same cmdlet.
W52 · Get-Service
Which PowerShell cmdlet lists Windows services and their current state?
1. Get-Service
2. Get-Process
3. Get-CimInstance Win32_Service (also valid)
4. Both A and C
Answer: D — both work; A is the canonical answer.
W53 · Get-EventLog
Which PowerShell cmdlet reads the LEGACY event-log API for the most recent 50 Security entries?
1. Get-WinEvent -LogName Security -MaxEvents 50
2. Get-EventLog -LogName Security -Newest 50
3. wevtutil qe Security /c:50
4. All of the above
Answer: B — Get-EventLog -LogName Security -Newest 50 (canonical legacy answer).
W54 · Get-CimInstance
Which PowerShell cmdlet is the MODERN replacement for Get-WmiObject?
1. Get-WmiObject
2. Get-CimInstance
3. Invoke-WmiMethod
4. Get-CimAssociatedInstance
Answer: B — Get-CimInstance
W55 · Get-WmiObject
Which LEGACY PowerShell cmdlet queries the Windows Management Instrumentation (WMI) repository?
1. Get-WmiObject
2. Get-CimInstance
3. Invoke-WmiQuery
4. wmic
Answer: A — Get-WmiObject
W56 · Get-ChildItem
Which PowerShell cmdlet lists items in a path AND can also enumerate Registry keys (e.g. HKLM:)?
1. Get-ChildItem
2. Get-Item
3. Get-Content
4. Get-Location
Answer: A — Get-ChildItem
W57 · Enter-PSSession
Which PowerShell cmdlet opens an INTERACTIVE remote shell over Windows Remote Management (WinRM)?
1. Enter-PSSession
2. Invoke-Command
3. New-PSSession
4. Connect-PSSession
Answer: A — Enter-PSSession
W58 · Invoke-Command
Which PowerShell cmdlet runs a SCRIPT BLOCK against one or many remote computers (non-interactive)?
1. Enter-PSSession
2. Invoke-Command
3. Invoke-RestMethod
4. Invoke-Expression
Answer: B — Invoke-Command
W59 · Set-ExecutionPolicy
Which command bypasses PowerShell's execution policy ONLY for the current process — a common offensive technique?
1. Set-ExecutionPolicy Bypass -Scope Process
2. Set-ExecutionPolicy Unrestricted
3. powershell.exe -ExecutionPolicy Bypass (also valid)
4. Both A and C
Answer: D — both methods produce a per-process bypass; A is the canonical answer.
W60 · klist
Which built-in command displays the Kerberos ticket cache for the current logon session?
1. klist
2. kerberos /list
3. net ticket
4. Get-KerberosTicket
Answer: A — klist

Group 7 — Sysinternals & Server Message Block tools

#	Tool	Use	Tested invocation	Memory hook
W61	Process Explorer	Sysinternals Graphical User Interface (GUI) process tree — shows DLLs, file handles, integrity level.	(GUI) — `procexp.exe`	"Task Manager on steroids."
W62	Autoruns	Sysinternals enumerator of all autostart locations — registry Run keys, scheduled tasks, drivers.	(GUI) — `autoruns.exe`	"AUTORUNS = persistence audit."
W63	Sysmon	System Monitor — kernel-mode telemetry sensor that writes detailed events to the Windows Event Log.	`sysmon -i config.xml` (install)	"SYS-MON = system monitor sensor."
W64	smbclient	Linux Server Message Block (SMB) client — list and access shares.	`smbclient -L \\\\target -N` · `smbclient \\\\target\\share -U user`	"SMB client (often run from Linux)."
W65	smbmap	Map SMB shares with read / write Access Control List (ACL) summary.	`smbmap -H target -u "" -p ""`	"SMB MAP — what can I read / write?"
W66	enum4linux	Wraps `smbclient`, `rpcclient`, `nmblookup` for SMB / Remote Procedure Call (RPC) enumeration.	`enum4linux -a target`	"ENUM-4-LINUX — one-shot SMB recon."
W67	rpcclient	Interactive Remote Procedure Call (RPC) client — supports null sessions for legacy hosts.	`rpcclient -U "" target` · then `enumdomusers`	"RPC client = ad-hoc RPC commands."
W68	rpcdump	Discover Remote Procedure Call (RPC) services and bindings (Impacket / Sysinternals variants).	`rpcdump.py @target`	"RPC dump = find every endpoint."
W69	SetSPN	Manage / enumerate Service Principal Names (SPNs) — the Kerberoasting prep tool.	`setspn -Q /` (find all SPNs in the forest)	"set Service Principal Name."
W70	Responder	Link-Local Multicast Name Resolution (LLMNR) / NetBIOS Name Service (NBT-NS) / Multicast Domain Name System (mDNS) poisoner — captures Net New Technology LAN Manager version 2 (NTLMv2) hashes.	`responder -I eth0`	"RESPONDER answers broadcasts and steals creds."

W61 · Process Explorer
Which Sysinternals tool provides a Graphical User Interface (GUI) process tree showing loaded DLLs, file handles, and integrity level?
1. Task Manager
2. Process Explorer
3. Autoruns
4. Process Monitor
Answer: B — Process Explorer
W62 · Autoruns
Which Sysinternals tool enumerates EVERY autostart location — Registry Run keys, scheduled tasks, services, drivers, browser helpers — for persistence audits?
1. Process Explorer
2. Autoruns
3. Sysmon
4. PsExec
Answer: B — Autoruns
W63 · Sysmon
Which Sysinternals tool is a KERNEL-MODE telemetry sensor that writes detailed process, network, and file events to the Windows Event Log?
1. Process Monitor
2. Process Explorer
3. Sysmon
4. Autoruns
Answer: C — Sysmon
W64 · smbclient
Which Linux command lists Server Message Block (SMB) shares on a remote Windows host without supplying credentials?
1. smbclient -L \\\\target -N
2. smbmap -H target (also valid)
3. net view \\target (Windows-only)
4. Both A and B
Answer: D — both Linux options work; A is the canonical answer.
W65 · smbmap
Which tool maps Server Message Block (SMB) shares and reports per-share read / write Access Control List (ACL) permissions?
1. smbclient
2. smbmap
3. enum4linux
4. nbtscan
Answer: B — smbmap
W66 · enum4linux
Which one-shot tool wraps smbclient, rpcclient, and nmblookup for combined Server Message Block (SMB) and Remote Procedure Call (RPC) enumeration?
1. enum4linux
2. smbenum
3. smbexec
4. rpcdump
Answer: A — enum4linux
W67 · rpcclient
Which tool opens an interactive Remote Procedure Call (RPC) session — including legacy null sessions — for manual enumeration commands like enumdomusers?
1. rpcclient -U "" target
2. rpcdump @target
3. smbclient -L target
4. impacket-rpcdump
Answer: A — rpcclient -U "" target
W68 · rpcdump
Which tool DISCOVERS all Remote Procedure Call (RPC) endpoints exposed by a host?
1. rpcclient
2. rpcdump
3. nbtscan
4. nmap --script smb-enum-shares
Answer: B — rpcdump
W69 · SetSPN
Which built-in Windows tool enumerates ALL Service Principal Names (SPNs) in the forest — a prerequisite for Kerberoasting?
1. setspn -Q */*
2. klist spn
3. nltest /spn
4. dsquery user -spn
Answer: A — setspn -Q */*
W70 · Responder
Which tool poisons Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) responses to capture Net New Technology LAN Manager version 2 (NTLMv2) challenge / response hashes?
1. Mimikatz
2. Responder
3. BloodHound
4. Wireshark
Answer: B — Responder

Group 8 — Offensive Active Directory tooling

#	Tool	Use	Tested invocation	Memory hook
W71	Mimikatz	Extracts credentials, hashes, and Kerberos tickets from `lsass.exe` memory.	`privilege::debug` · `sekurlsa::logonpasswords`	"MIMI-KATZ — the credential vacuum."
W72	kekeo	Mimikatz's Kerberos sister tool — Authentication Service (AS) requests, Pass-the-Ticket (PtT), Pass-the-Cache.	`tgt::ask /user:jdoe /domain:corp.local`	"KEKEO = Kerberos sibling."
W73	krb5dump	Extract / decrypt Kerberos tickets offline from a hive or capture.	`krb5dump <file>`	"KRB5 dump = ticket extraction."
W74	pwdump	Legacy SAM hash extractor (when the registry hive is accessible offline).	`pwdump SYSTEM SAM`	"PW DUMP = password dump (offline)."
W75	Rubeus	Modern Kerberos toolkit — Kerberoasting, Authentication Service Response (AS-REP) roasting, ticket export / import.	`Rubeus.exe kerberoast` · `Rubeus.exe asreproast`	"RUBEUS = the Kerberos toolkit."
W76	BloodHound	Visualises Active Directory (AD) attack paths from collected metadata.	(consumes data from SharpHound / AzureHound)	"BLOODHOUND tracks the path."
W77	SharpHound	Collector that walks AD and exports relationship data for BloodHound to ingest.	`SharpHound.exe -c All`	"SHARP collects, BLOODHOUND visualises."
W78	CrackMapExec / NetExec	Automated network enumeration over Server Message Block (SMB), Windows Remote Management (WinRM), Lightweight Directory Access Protocol (LDAP), Remote Procedure Call (RPC).	`crackmapexec smb 10.0.0.0/24 -u user -p pass` · modern fork: `netexec`	"CME = the swiss-army knife."
W79	psexec.py	Impacket script — remote SYSTEM-level command execution via SMB.	`psexec.py user:pass@target`	"Impacket PSExec — Linux-side lateral."
W80	secretsdump.py	Impacket script — extract Security Account Manager (SAM), Local Security Authority (LSA), and NT Directory Services (NTDS.dit) hashes remotely.	`secretsdump.py user:pass@target`	"SECRETS DUMP = remote NTDS dump."

W71 · Mimikatz
Which tool extracts plaintext passwords, hashes, and Kerberos tickets from the memory of lsass.exe?
1. Mimikatz
2. Wireshark
3. Process Monitor
4. Responder
Answer: A — Mimikatz
W72 · kekeo
Which tool — Mimikatz's sibling — handles Authentication Service (AS) requests and Pass-the-Ticket (PtT) operations against Kerberos?
1. Rubeus
2. kekeo
3. BloodHound
4. krb5dump
Answer: B — kekeo
W73 · krb5dump
Which tool extracts and decrypts Kerberos tickets OFFLINE from captured material?
1. Mimikatz
2. krb5dump
3. Responder
4. SetSPN
Answer: B — krb5dump
W74 · pwdump
Which legacy tool extracts Security Account Manager (SAM) password hashes from offline registry hives (SYSTEM + SAM)?
1. pwdump
2. fgdump (also valid)
3. secretsdump.py
4. All of the above
Answer: D — all three can dump SAM hashes; A is the canonical legacy answer.
W75 · Rubeus
Which modern Kerberos toolkit performs Kerberoasting, Authentication Service Response (AS-REP) roasting, and ticket import / export from Windows?
1. Mimikatz
2. Rubeus
3. BloodHound
4. kekeo
Answer: B — Rubeus
W76 · BloodHound
Which tool VISUALISES Active Directory (AD) attack paths from collected relationship data?
1. SharpHound
2. BloodHound
3. PingCastle
4. ADExplorer
Answer: B — BloodHound
W77 · SharpHound
Which collector walks Active Directory (AD) and exports the dataset for BloodHound to ingest?
1. SharpHound
2. BloodHound
3. PingCastle
4. PowerView
Answer: A — SharpHound
W78 · CrackMapExec
Which automated tool enumerates and attacks across Server Message Block (SMB), Windows Remote Management (WinRM), Lightweight Directory Access Protocol (LDAP), and Remote Procedure Call (RPC) in one wrapper?
1. Metasploit
2. CrackMapExec / NetExec
3. Impacket
4. Responder
Answer: B — CrackMapExec / NetExec
W79 · psexec.py
Which Impacket script executes commands as SYSTEM on a remote Windows host via Server Message Block (SMB)?
1. psexec.py
2. smbexec.py (also valid)
3. wmiexec.py
4. Both A and B
Answer: D — both run SMB-based execution; A is the canonical answer.
W80 · secretsdump.py
Which Impacket script extracts Security Account Manager (SAM), Local Security Authority (LSA) Secrets, and NT Directory Services (NTDS.dit) hashes from a target?
1. secretsdump.py
2. psexec.py
3. wmiexec.py
4. impacket-getuserspns
Answer: A — secretsdump.py

Group 9 — Critical files, hives & paths

#	Path	Use	Notes	Memory hook
W81	`C:\Windows\System32\config\SAM`	Local Security Account Manager (SAM) database — local user password hashes.	Locked while running; dump via `reg save` or offline copy.	"SAM = local hashes."
W82	`C:\Windows\System32\config\SYSTEM`	SYSTEM registry hive — contains the Boot Key required to decrypt SAM hashes.	Always grab SYSTEM with SAM.	"SYSTEM = the BOOTKEY for SAM."
W83	`NTDS.dit`	Active Directory (AD) database — contains every domain user hash.	Lives on Domain Controllers under `%SystemRoot%\NTDS\`; extracted via shadow copy or `secretsdump.py`.	"NTDS.dit = the AD crown jewel."
W84	`lsass.exe`	Local Security Authority Subsystem — holds plaintext credentials, Kerberos tickets, and Net New Technology LAN Manager (NTLM) hashes in memory.	Mimikatz's primary target; protected on modern hosts by Credential Guard / Local Security Authority Protected Process (LSA RunAsPPL).	"lsass = the live wallet."
W85	LSA Secrets	Local Security Authority Secrets — stored under `HKLM\SECURITY\Policy\Secrets`; cached domain creds, service account passwords, auto-logon passwords.	Dumped offline alongside SAM via `secretsdump.py -lsa`.	"LSA Secrets = cached domain creds."
W86	`\\domain\SYSVOL`	Domain-replicated share containing Group Policy Objects (GPOs), logon scripts, and (historically) Group Policy Preferences (GPP) `cpassword` attributes.	Search SYSVOL for `cpassword=` — older Group Policy Preferences leaked weakly-encrypted passwords.	"SYSVOL = GPO + script share."
W87	`\\domain\NETLOGON`	Domain-replicated share for logon scripts and (legacy) Distributed File System (DFS) referrals.	Read access for all authenticated users — content is high-value recon.	"NETLOGON = logon scripts."
W88	`C:\Windows\System32\drivers\etc\hosts`	Local hosts file — overrides Domain Name System (DNS) resolution per host.	Modifications by malware are a classic Indicator of Compromise (IoC).	"Drivers\etc\hosts — Windows' /etc/hosts."
W89	`%SystemRoot%`	Environment variable for the Windows installation directory — almost always `C:\Windows`.	Used in scripts and Group Policy paths; not a literal directory name.	"%SystemRoot% ≈ C:\Windows."
W90	`HKEY_LOCAL_MACHINE\SOFTWARE`	Registry hive holding installed software keys and machine-wide policy.	The Run / RunOnce / Image File Execution Options keys live under `HKLM\Software\Microsoft\Windows\CurrentVersion\` and `...\Windows NT\CurrentVersion\`.	"HKLM = the machine; HKCU = the user."

W81 · SAM
Which file holds local user password hashes on a Windows host?
1. C:\Windows\System32\config\SAM
2. C:\Windows\System32\config\SECURITY
3. C:\Windows\System32\config\SYSTEM
4. NTDS.dit
Answer: A — SAM
W82 · SYSTEM hive
When dumping the Security Account Manager (SAM) database offline, which OTHER hive must be captured to derive the Boot Key needed for decryption?
1. SOFTWARE
2. SYSTEM
3. SECURITY
4. DEFAULT
Answer: B — SYSTEM
W83 · NTDS.dit
Which file on a Domain Controller contains every domain user's password hash?
1. SAM
2. NTDS.dit
3. LSA Secrets
4. SYSVOL
Answer: B — NTDS.dit
W84 · lsass.exe
Which Windows process holds plaintext credentials, Kerberos tickets, and Net New Technology LAN Manager (NTLM) hashes in memory and is the primary target of Mimikatz?
1. winlogon.exe
2. lsass.exe
3. services.exe
4. csrss.exe
Answer: B — lsass.exe
W85 · LSA Secrets
Which store holds cached domain credentials, service-account passwords, and auto-logon passwords on a Windows host?
1. Security Account Manager (SAM)
2. Local Security Authority (LSA) Secrets
3. Credential Manager Vault
4. Trusted Platform Module (TPM)
Answer: B — Local Security Authority (LSA) Secrets
W86 · SYSVOL
Which Active Directory (AD) share replicates Group Policy Objects (GPOs) and logon scripts to every Domain Controller — and historically leaked Group Policy Preferences (GPP) cpassword values?
1. NETLOGON
2. SYSVOL
3. ADMIN$
4. IPC$
Answer: B — SYSVOL
W87 · NETLOGON
Which Active Directory (AD) share is used to distribute logon scripts to clients, and is readable by every authenticated user?
1. NETLOGON
2. SYSVOL
3. C$
4. ADMIN$
Answer: A — NETLOGON
W88 · hosts file
What is the canonical path of the Windows local hosts file used to override Domain Name System (DNS) resolution?
1. C:\Windows\System32\drivers\etc\hosts
2. C:\Windows\System32\config\hosts
3. C:\Windows\hosts
4. C:\hosts
Answer: A — C:\Windows\System32\drivers\etc\hosts
W89 · %SystemRoot%
Which environment variable expands to the Windows installation directory (commonly C:\Windows)?
1. %SystemRoot%
2. %WinDir% (alias)
3. %ProgramFiles%
4. Both A and B
Answer: D — %SystemRoot% and %WinDir% both resolve to C:\Windows; A is the canonical answer.
W90 · HKLM\SOFTWARE
Under which Registry hive do the persistence-relevant Run / RunOnce / Image File Execution Options keys live?
1. HKEY_CURRENT_USER\SOFTWARE (also valid for per-user persistence)
2. HKEY_LOCAL_MACHINE\SOFTWARE
3. HKEY_USERS
4. Both A and B
Answer: D — both HKLM\SOFTWARE and HKCU\SOFTWARE hold these keys; B is the machine-wide canonical answer.