312-50V10 · Question #661
Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is
The correct answer is A. Hardware, Software, and Sniffing.. Retrieving passwords from hosts and servers encompasses three distinct techniques - hardware keyloggers, software keyloggers, and network sniffing - making all three the most complete answer.
Question
Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers. Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers?
Options
- AHardware, Software, and Sniffing.
- BHardware and Software Keyloggers.
- CPasswords are always best obtained using Hardware key loggers.
- DSoftware only, they are the most effective.
How the community answered
(27 responses)- A93% (25)
- C4% (1)
- D4% (1)
Why each option
Retrieving passwords from hosts and servers encompasses three distinct techniques - hardware keyloggers, software keyloggers, and network sniffing - making all three the most complete answer.
Hardware keyloggers physically intercept keystrokes between the keyboard and computer. Software keyloggers capture keystrokes at the OS or application layer. Network sniffing captures credentials transmitted in cleartext protocols such as Telnet, FTP, or basic HTTP - together these three methods cover the full attack surface for password retrieval across both local and network vectors.
Hardware and software keyloggers are valid but this answer omits network sniffing, which is a significant and commonly exploited method for capturing credentials in transit.
Hardware keyloggers require physical access and are therefore not always the most practical method; software keyloggers and sniffing are often more scalable and easier to deploy remotely.
Software-only methods miss hardware keyloggers and network sniffing, both of which are widely documented and effective password-retrieval techniques in real-world assessments.
Concept tested: Password retrieval methods - hardware, software, and sniffing
Source: https://owasp.org/www-community/attacks/Credential_stuffing
Topics
Community Discussion
No community discussion yet for this question.