312-50V11 · Question #664
A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is u
The correct answer is B. Kerberos is preventing it.. Windows 2000 domain environments use Kerberos as the default authentication protocol, which does not transmit reusable NTLM/LM password hashes over the wire, so L0phtcrack finds no crackable material to capture.
Question
A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in. What do you think is the most likely reason behind this?
Options
- AThere is a NIDS present on that segment.
- BKerberos is preventing it.
- CWindows logons cannot be sniffed.
- DL0phtcrack only sniffs logons to web servers.
How the community answered
(49 responses)- A8% (4)
- B71% (35)
- C16% (8)
- D4% (2)
Why each option
Windows 2000 domain environments use Kerberos as the default authentication protocol, which does not transmit reusable NTLM/LM password hashes over the wire, so L0phtcrack finds no crackable material to capture.
A NIDS passively monitors and alerts on traffic but does not block or interfere with packet capture performed by another host on the same network segment.
Windows 2000 introduced Kerberos v5 as the primary domain authentication protocol, replacing NTLM for domain logons. L0phtcrack is specifically designed to capture and offline-crack NTLM/LM challenge-response hashes from SMB traffic, but Kerberos replaces that exchange with encrypted Ticket Granting Tickets (TGTs) that do not expose password hashes. Even on a hub where all frames are visible to every port, the tool finds no usable NTLM hash material because Kerberos is handling authentication.
Windows logons can be sniffed when NTLM or LM authentication is negotiated - for example, on workgroup connections or legacy fallback scenarios - so this is not universally true.
L0phtcrack is designed to sniff SMB/NetBIOS authentication exchanges on local network segments, not HTTP-based web server logons.
Concept tested: Kerberos authentication preventing NTLM hash sniffing
Source: https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
Topics
Community Discussion
No community discussion yet for this question.