312-50V11 · Question #1015
Mary, a penetration tester, has found password hashes in a client system she managed to breach. She needs to use these passwords to continue with the test, but she does not have time to find the passw
The correct answer is D. Pass the hash. Pass-the-hash lets an attacker authenticate to a system using a captured NTLM hash directly, bypassing the need to crack it into plaintext.
Question
Mary, a penetration tester, has found password hashes in a client system she managed to breach. She needs to use these passwords to continue with the test, but she does not have time to find the passwords that correspond to these hashes. Which type of attack can she implement in order to continue?
Options
- ALLMNR/NBT-NS poisoning
- BInternal monologue attack
- CPass the ticket
- DPass the hash
How the community answered
(36 responses)- B6% (2)
- C3% (1)
- D92% (33)
Why each option
Pass-the-hash lets an attacker authenticate to a system using a captured NTLM hash directly, bypassing the need to crack it into plaintext.
LLMNR/NBT-NS poisoning is a credential capture technique that intercepts broadcast name resolution requests to harvest NTLMv2 hashes from other hosts, and is used to obtain hashes rather than to leverage already-captured ones.
An internal monologue attack extracts NTLM hashes from a compromised system's memory without generating network traffic, making it a hash-gathering method rather than a technique for authenticating with hashes that have already been collected.
Pass-the-ticket is a Kerberos-specific attack that uses stolen TGT or service tickets to impersonate users, and requires Kerberos ticket material rather than the NTLM password hashes Mary captured from the breached system.
Pass-the-hash is a lateral movement technique where a captured NTLM or LM hash is presented directly to authentication protocols such as SMB, WMI, or RDP without first recovering the plaintext password. Since Mary has the hashes but lacks time to crack them, she can inject them into authentication requests to gain access to other systems on the network, effectively reusing stolen credentials in their hashed form.
Concept tested: Pass-the-hash lateral movement using captured NTLM hashes
Source: https://attack.mitre.org/techniques/T1550/002/
Topics
Community Discussion
No community discussion yet for this question.