nerdexam
EC-Council

312-50V11 · Question #679

You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are req

The correct answer is D. Hybrid Attack. A hybrid attack is the fastest option here because it combines dictionary words with rule-based mutations that mimic how real users satisfy complex password policies.

System Hacking

Question

You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?

Options

  • AOnline Attack
  • BDictionary Attack
  • CBrute Force Attack
  • DHybrid Attack

How the community answered

(23 responses)
  • A
    4% (1)
  • B
    9% (2)
  • C
    4% (1)
  • D
    83% (19)

Why each option

A hybrid attack is the fastest option here because it combines dictionary words with rule-based mutations that mimic how real users satisfy complex password policies.

AOnline Attack

An online attack sends guesses directly to a live authentication service, which is throttled by lockout policies and network latency, making it the slowest and most detectable option.

BDictionary Attack

A pure dictionary attack tests unmodified wordlist entries and would largely fail against an 8-character policy requiring mixed character categories, since most dictionary words alone will not match.

CBrute Force Attack

A brute-force attack tries every possible character combination and will eventually succeed, but against 8-character mixed-category passwords the search space is enormous, making it the slowest offline approach.

DHybrid AttackCorrect

A hybrid attack starts with a wordlist and appends or prepends numbers, special characters, and capitalization variations - exactly how users typically create passwords that barely meet complexity requirements. Because users predictably add digits or symbols to familiar words, a hybrid attack finds these passwords far faster than pure brute force while covering ground that a plain dictionary attack misses on strong-policy environments.

Concept tested: Hybrid password cracking attack against strong policies

Source: https://www.openwall.com/john/doc/MODES.shtml

Topics

#hybrid attack#strong password policy#attack strategy#password cracking

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice