312-50V12 Question #160: Real Exam Question with Answer & Explanation

Question

An ethical hacker is attempting to crack NTLM hashed passwords from a Windows SAM file using a rainbow table attack. He has dumped the on-disk contents of the SAM file successfully and noticed that all LM hashes are blank. Given this scenario, which of the following would be the most likely reason for the blank LM hashes?

Options

• AThe SAM file has been encrypted using the SYSKEY function.
• BThe passwords exceeded 14 characters in length and therefore, the LM hashes were set to a
• CThe Windows system is Vista or a later version, where LM hashes are disabled by default.
• DThe Windows system is using the Kerberos authentication protocol as the default method.

Explanation

The ethical hacker observed blank LM hashes because Windows Vista and later versions disable LM hashing by default, a security measure to prevent the storage of easily crackable hashes. This default configuration stores dummy values instead of actual LM hashes, making them appear blank.

Common mistakes.

• A. SYSKEY encrypts the entire SAM database, and if enabled, would prevent successful dumping or access to any readable hash data, not just specific blank LM hashes.
• B. Passwords exceeding 14 characters result in a blank LM hash for that specific password, but this is not a system-wide default that would cause all LM hashes to be blank regardless of password length.
• D. Kerberos is an authentication protocol primarily used in domain environments and does not directly cause LM hashes to be disabled or blanked in the local SAM file.

Concept tested. Windows LM hash disabling and security defaults

Reference. https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change

No community discussion yet for this question.