nerdexam
EC-Council

312-50V11 · Question #664

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is u

The correct answer is B. Kerberos is preventing it.. Windows 2000 domain environments use Kerberos as the default authentication protocol, which does not transmit reusable NTLM/LM password hashes over the wire, so L0phtcrack finds no crackable material to capture.

Sniffing

Question

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in. What do you think is the most likely reason behind this?

Options

  • AThere is a NIDS present on that segment.
  • BKerberos is preventing it.
  • CWindows logons cannot be sniffed.
  • DL0phtcrack only sniffs logons to web servers.

How the community answered

(49 responses)
  • A
    8% (4)
  • B
    71% (35)
  • C
    16% (8)
  • D
    4% (2)

Why each option

Windows 2000 domain environments use Kerberos as the default authentication protocol, which does not transmit reusable NTLM/LM password hashes over the wire, so L0phtcrack finds no crackable material to capture.

AThere is a NIDS present on that segment.

A NIDS passively monitors and alerts on traffic but does not block or interfere with packet capture performed by another host on the same network segment.

BKerberos is preventing it.Correct

Windows 2000 introduced Kerberos v5 as the primary domain authentication protocol, replacing NTLM for domain logons. L0phtcrack is specifically designed to capture and offline-crack NTLM/LM challenge-response hashes from SMB traffic, but Kerberos replaces that exchange with encrypted Ticket Granting Tickets (TGTs) that do not expose password hashes. Even on a hub where all frames are visible to every port, the tool finds no usable NTLM hash material because Kerberos is handling authentication.

CWindows logons cannot be sniffed.

Windows logons can be sniffed when NTLM or LM authentication is negotiated - for example, on workgroup connections or legacy fallback scenarios - so this is not universally true.

DL0phtcrack only sniffs logons to web servers.

L0phtcrack is designed to sniff SMB/NetBIOS authentication exchanges on local network segments, not HTTP-based web server logons.

Concept tested: Kerberos authentication preventing NTLM hash sniffing

Source: https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview

Topics

#Kerberos#SMB sniffing#L0phtcrack#authentication protocols

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice