nerdexam
EC-Council

312-50V11 · Question #77

In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a u

The correct answer is A. LM:NT. When performing pass-the-hash attacks with Metasploit's psexec module, NTLM credentials are supplied in LM:NT format - the LM hash first, followed by the NT hash, separated by a colon.

System Hacking

Question

In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. Metasploit Framework has a module for this technique: psexec. The psexec module is often used by penetration testers to obtain access to a given system whose credentials are known. It was written by sysinternals and has been integrated within the framework. The penetration testers successfully gain access to a system through some exploit, use meterpreter to grab the passwords or other methods like fgdump, pwdump, or cachedump and then utilize rainbowtables to crack those hash values. Which of the following is true hash type and sort order that is used in the psexec module's 'smbpass' option?

Options

  • ALM:NT
  • BNTLM:LM
  • CNT:LM
  • DLM:NTLM

How the community answered

(27 responses)
  • A
    70% (19)
  • B
    19% (5)
  • C
    4% (1)
  • D
    7% (2)

Why each option

When performing pass-the-hash attacks with Metasploit's psexec module, NTLM credentials are supplied in LM:NT format - the LM hash first, followed by the NT hash, separated by a colon.

ALM:NTCorrect

Tools like psexec, fgdump, and pwdump represent extracted Windows credentials as LM hash followed by NT hash in the form LM:NT. When the attacker passes this credential pair to Metasploit's psexec module, the module uses the hashes directly against the NTLM authentication protocol, authenticating to the remote service without ever needing the plaintext password.

BNTLM:LM

NTLM:LM inverts the correct field order - the LM component always precedes the NT component in the hash pair format used by pass-the-hash tooling.

CNT:LM

NT:LM places the NT hash before the LM hash, which is the reverse of the expected LM:NT format required by psexec and related Metasploit modules.

DLM:NTLM

LM:NTLM incorrectly labels the second component as 'NTLM' - NTLM is the authentication protocol name, not a hash type; the correct label for the second field is 'NT'.

Concept tested: Pass-the-hash NTLM credential format for psexec

Source: https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview

Topics

#pass-the-hash#NTLM#LM hash#Metasploit psexec

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice