nerdexam
EC-Council

312-50V9 · Question #566

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is u

The correct answer is B. Kerberos is preventing it.. Windows 2000 domain authentication defaults to Kerberos v5, which does not use the LM/NTLM challenge-response exchanges that L0phtcrack requires to capture credential material.

Sniffing

Question

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in. What do you think is the most likely reason behind this?

Options

  • AThere is a NIDS present on that segment.
  • BKerberos is preventing it.
  • CWindows logons cannot be sniffed.
  • DL0phtcrack only sniffs logons to web servers.

How the community answered

(43 responses)
  • A
    5% (2)
  • B
    72% (31)
  • C
    16% (7)
  • D
    7% (3)

Why each option

Windows 2000 domain authentication defaults to Kerberos v5, which does not use the LM/NTLM challenge-response exchanges that L0phtcrack requires to capture credential material.

AThere is a NIDS present on that segment.

A passive NIDS detects suspicious traffic but does not prevent a promiscuous-mode sniffer on the same hub segment from receiving broadcast frames.

BKerberos is preventing it.Correct

Windows 2000 introduced Kerberos v5 as the default domain authentication protocol, replacing the older LM/NTLM challenge-response mechanism. L0phtcrack captures credentials by sniffing LM and NTLM hash exchanges over SMB; because Kerberos ticket-based authentication is used instead, no LM/NTLM hash material appears on the wire for the tool to capture. This is the most technically specific reason the attack fails despite active user logins occurring on the same hub segment.

CWindows logons cannot be sniffed.

Windows logons using NTLM/LM authentication can and do expose capturable credential material on the wire; sniffing is only blocked here because Kerberos is in use.

DL0phtcrack only sniffs logons to web servers.

L0phtcrack is specifically designed to capture and crack Windows LM/NTLM credentials over SMB, not limited to web server logons.

Concept tested: Kerberos v5 replacing NTLM in Windows 2000 domain authentication

Source: https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview

Topics

#Kerberos#SMB sniffing#L0phtcrack#Windows authentication

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice