312-50V11 · Question #679
You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are req
The correct answer is D. Hybrid Attack. A hybrid attack is the fastest option here because it combines dictionary words with rule-based mutations that mimic how real users satisfy complex password policies.
Question
You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?
Options
- AOnline Attack
- BDictionary Attack
- CBrute Force Attack
- DHybrid Attack
How the community answered
(23 responses)- A4% (1)
- B9% (2)
- C4% (1)
- D83% (19)
Why each option
A hybrid attack is the fastest option here because it combines dictionary words with rule-based mutations that mimic how real users satisfy complex password policies.
An online attack sends guesses directly to a live authentication service, which is throttled by lockout policies and network latency, making it the slowest and most detectable option.
A pure dictionary attack tests unmodified wordlist entries and would largely fail against an 8-character policy requiring mixed character categories, since most dictionary words alone will not match.
A brute-force attack tries every possible character combination and will eventually succeed, but against 8-character mixed-category passwords the search space is enormous, making it the slowest offline approach.
A hybrid attack starts with a wordlist and appends or prepends numbers, special characters, and capitalization variations - exactly how users typically create passwords that barely meet complexity requirements. Because users predictably add digits or symbols to familiar words, a hybrid attack finds these passwords far faster than pure brute force while covering ground that a plain dictionary attack misses on strong-policy environments.
Concept tested: Hybrid password cracking attack against strong policies
Source: https://www.openwall.com/john/doc/MODES.shtml
Topics
Community Discussion
No community discussion yet for this question.