nerdexam
EC-Council

312-50V11 · Question #1015

Mary, a penetration tester, has found password hashes in a client system she managed to breach. She needs to use these passwords to continue with the test, but she does not have time to find the passw

The correct answer is D. Pass the hash. Pass-the-hash lets an attacker authenticate to a system using a captured NTLM hash directly, bypassing the need to crack it into plaintext.

System Hacking

Question

Mary, a penetration tester, has found password hashes in a client system she managed to breach. She needs to use these passwords to continue with the test, but she does not have time to find the passwords that correspond to these hashes. Which type of attack can she implement in order to continue?

Options

  • ALLMNR/NBT-NS poisoning
  • BInternal monologue attack
  • CPass the ticket
  • DPass the hash

How the community answered

(36 responses)
  • B
    6% (2)
  • C
    3% (1)
  • D
    92% (33)

Why each option

Pass-the-hash lets an attacker authenticate to a system using a captured NTLM hash directly, bypassing the need to crack it into plaintext.

ALLMNR/NBT-NS poisoning

LLMNR/NBT-NS poisoning is a credential capture technique that intercepts broadcast name resolution requests to harvest NTLMv2 hashes from other hosts, and is used to obtain hashes rather than to leverage already-captured ones.

BInternal monologue attack

An internal monologue attack extracts NTLM hashes from a compromised system's memory without generating network traffic, making it a hash-gathering method rather than a technique for authenticating with hashes that have already been collected.

CPass the ticket

Pass-the-ticket is a Kerberos-specific attack that uses stolen TGT or service tickets to impersonate users, and requires Kerberos ticket material rather than the NTLM password hashes Mary captured from the breached system.

DPass the hashCorrect

Pass-the-hash is a lateral movement technique where a captured NTLM or LM hash is presented directly to authentication protocols such as SMB, WMI, or RDP without first recovering the plaintext password. Since Mary has the hashes but lacks time to crack them, she can inject them into authentication requests to gain access to other systems on the network, effectively reusing stolen credentials in their hashed form.

Concept tested: Pass-the-hash lateral movement using captured NTLM hashes

Source: https://attack.mitre.org/techniques/T1550/002/

Topics

#pass the hash#NTLM hash#credential reuse#lateral movement

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice