nerdexam
EC-Council

312-50V13 · Question #118

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is u

The correct answer is B. Kerberos is preventing it.. On a Windows 2000 network, L0phtcrack is unable to sniff SMB logons on a hub because Kerberos authentication, used in Active Directory environments, prevents the transmission of traditional NTLM password hashes over the network.

Submitted by fernanda_arg· Mar 6, 2026Sniffing

Question

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in. What do you think is the most likely reason behind this?

Options

  • AThere is a NIDS present on that segment.
  • BKerberos is preventing it.
  • CWindows logons cannot be sniffed.
  • DL0phtcrack only sniffs logons to web servers.

How the community answered

(25 responses)
  • A
    4% (1)
  • B
    84% (21)
  • C
    8% (2)
  • D
    4% (1)

Why each option

On a Windows 2000 network, L0phtcrack is unable to sniff SMB logons on a hub because Kerberos authentication, used in Active Directory environments, prevents the transmission of traditional NTLM password hashes over the network.

AThere is a NIDS present on that segment.

While a Network Intrusion Detection System (NIDS) might detect an attack, it does not prevent the sniffing of traffic itself, which is the user's immediate problem in capturing logons.

BKerberos is preventing it.Correct

In a Windows 2000 Active Directory environment, Kerberos is the default authentication protocol. Kerberos uses a ticket-based system for authentication, meaning that the user's password hash is not transmitted directly over the network during logon, unlike NTLM. This prevents tools like L0phtcrack from sniffing usable password hashes from SMB exchanges, even on a hub where traffic is broadcast.

CWindows logons cannot be sniffed.

Windows logons can indeed be sniffed if NTLM authentication is used, especially on older systems or non-Kerberos enabled environments, making this statement generally false.

DL0phtcrack only sniffs logons to web servers.

L0phtcrack is primarily designed to crack Windows passwords, including those from SMB, not specifically logons to web servers, which often use different authentication mechanisms.

Concept tested: Kerberos preventing SMB password sniffing

Source: https://learn.microsoft.com/en-us/windows-server/security/credentials/kerberos-authentication-overview

Topics

#Kerberos#SMB sniffing#Windows authentication#network sniffing

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice