nerdexam
GIAC

GCIH · Question #630

An engineer is using Hashcat to brute force passwords from a file of hashes. How should the following hash be handled in the scenario? aad3b435b51404eeaad3b435b51404ee

The correct answer is A. The hash should be skipped. The hash 'aad3b435b51404eeaad3b435b51404ee' is the well-known null LM hash, indicating an empty or disabled LM password entry, so Hashcat skips it rather than attempting to crack it.

Vulnerability Exploitation & Privilege Escalation

Question

An engineer is using Hashcat to brute force passwords from a file of hashes. How should the following hash be handled in the scenario? aad3b435b51404eeaad3b435b51404ee

Options

  • AThe hash should be skipped
  • BThe hash should be cracked as a SHA-1 hash
  • CThe hash should be decoded
  • DThe hash should be cracked as an NT hash

How the community answered

(23 responses)
  • A
    78% (18)
  • B
    13% (3)
  • C
    4% (1)
  • D
    4% (1)

Why each option

The hash 'aad3b435b51404eeaad3b435b51404ee' is the well-known null LM hash, indicating an empty or disabled LM password entry, so Hashcat skips it rather than attempting to crack it.

AThe hash should be skippedCorrect

This specific 32-character value is the known null LAN Manager (LM) hash, produced when LM hashing is disabled or the password component is empty. Hashcat recognizes this sentinel value and skips it automatically because it does not represent a real password to recover - it is simply a placeholder indicating no LM credential exists.

BThe hash should be cracked as a SHA-1 hash

SHA-1 hashes are 40 hexadecimal characters long, while this is a 32-character LM format hash, making SHA-1 identification technically incorrect.

CThe hash should be decoded

Decoding applies to encoding schemes like Base64 or hex encoding of plaintext, but this is a cryptographic hash value and cannot be reversed by decoding.

DThe hash should be cracked as an NT hash

NT hashes are also 32-character MD4-based values, but this specific string is the universally recognized null LM hash constant, not an NT hash, and attempting to crack it as one would be incorrect and unproductive.

Concept tested: Identifying null LM hash values in Hashcat

Source: https://learn.microsoft.com/en-us/windows-server/security/kerberos/passwords-technical-overview

Topics

#LM hash#Hashcat#password cracking#Windows authentication

Community Discussion

No community discussion yet for this question.

Full GCIH Practice